Diagnosing a suspected trojan reported by ClamAV

Unfortunately I have very little Linux experience. We have an Amazon instance running Debian 7.6 and received a message from Amazon saying that we were port scanning. We hope to stop this by restricting outbound traffic in the Amazon security group, but as part of the investigation we ran:

    sudo clamscan -r -i --bell

which reported the following possible infection:

    /var/lib/tomcat7/update_temporary: Unix.Trojan.Elknot FOUND

I can find very little about this (though there is some material about ElkKnot, with an extra K; are they the same thing?).

The following warnings also appear many times in the output:

    WARNING: Can't open file /sys/module/nfnetlink_log/uevent: Permission denied
    LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
    LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
    (the previous line is repeated many more times)

So my questions are: how can I tell whether the reported infection is real or a false positive? Should I worry about all the LibClamAV warnings? Are they an indication of errors, or is Debian not set up correctly?

As for "how do I know whether it is real or not?"

You may want to copy the file (if possible) to another medium so you can test it with a virus scanner other than ClamAV (if you have doubts about the validity of the Clam result).

Alternatively, if you would rather not move the file from one machine to another, you could make the file accessible on a web server and then test it with a URL-testing utility such as https://www.virustotal.com/ to see whether it also confirms a hit.

Obviously, you will want to restore/remove any such files.

If you want to confirm which program is attempting the inbound/outbound communication, try this...

    netstat -tnp | awk '/:80 */ {split($NF,a,"/"); print a[2],a[1]}'

Note that if the process is running with root privileges, you may unfortunately need to run the above command with matching privileges in order to see the program.
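The triage the answer describes (getting a second opinion on the file and finding the process behind the traffic), as an added example that is not part of the original question or answer: POSIX sh helpers that hash the flagged file so it can be looked up on VirusTotal by digest rather than exposed on a web server, parse `netstat -tnp` output for an exact port match instead of the one-liner's `/:80 */` substring match, and list processes executing from the flagged directory. It assumes coreutils sha256sum (or shasum) and a Linux /proc filesystem; the netstat sample in the comments is constructed.

```sh
#!/bin/sh
# Added triage helpers for the situation above (not code from the original question
# or answer). Assumes coreutils sha256sum (or shasum) and a Linux /proc filesystem.

# Hash the flagged file so it can be looked up on VirusTotal by digest, without
# copying the file off the host or exposing it on a web server.
hash_flagged_file() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -- "$f"
    else shasum -a 256 -- "$f"; fi | awk '{print $1}'
}

# Generalises the answer's awk one-liner. Reads `netstat -tnp` output on stdin and
# prints "program pid local foreign" for every TCP connection whose local OR foreign
# port equals $1 exactly (the one-liner's /:80 */ pattern also matches :8080, :800...).
connections_on_port() {
    awk -v p="$1" '
        # columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
        $1 ~ /^tcp/ && NF >= 7 {
            n = split($4, l, ":"); m = split($5, r, ":")   # last piece is the port
            if (l[n] == p || r[m] == p) {
                prog = substr($0, index($0, $7))             # keep names with spaces
                split(prog, a, "/")
                print a[2], a[1], $4, $5
            }
        }'
}

# List processes whose executable lives under the directory ClamAV flagged
# (/var/lib/tomcat7 in the question), by resolving /proc/<pid>/exe.
procs_running_from() {
    dir="$1"
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            "$dir"/*) pid=${exe#/proc/}; printf '%s %s\n' "${pid%/exe}" "$target" ;;
        esac
    done
}

# Typical use on the affected host (run as root to see other users' processes):
#   hash_flagged_file /var/lib/tomcat7/update_temporary
#   netstat -tnp | connections_on_port 80
#   procs_running_from /var/lib/tomcat7
```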