了解了我的VPS硬化,我安装了ClamAV和MalDet几个月。 今晚,我决定,而不是只是在家里检查,我会检查除“/ sys”以外的整个VPS。
结果是:
/usr/local/maldetect.bk11949/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-current.tar.gz: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/src/maldetect-current.tar.gz: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/share/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/share/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/share/clamav/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /var/lib/clamav/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND Known viruses: 6109455 Engine version: 0.99.2 Scanned directories: 8699 Scanned files: 62104 Infected files: 41 Data scanned: 2514.92 MB Data read: 4509.22 MB (ratio 0.56:1) Time: 606.692 sec (10 m 6 s) 所以…现在我很害怕,因为我不把这些看作是坏消息。
请指教。
YARA是由各种恶意软件保护所使用的工具,用于基于二进制格式的文本创build恶意软件系列的描述。 检测到的恶意软件“ Safe0ver Shell -Safe Mod Bypass By Evilc0der.php ”似乎是一个PHP webshell,一种攻击工具,最有可能用于在运行PHP的易受攻击的服务器上获取shell访问权。
但是,发现恶意软件的位置在CalmAV或MalDet存储其签名文件的目录中 。 另外,要被激活,检测到的恶意软件应该是原始格式(MIMEtypesapplication/x-httpd-php ),而不是。 签名文件必须包含足够的有关恶意软件的信息才能检测到这些信息,这可能会在使用恶意软件检测工具扫描签名文件时导致误报 。
输出似乎来自ClamAV。 ClamAV最初devise用于扫描电子邮件(和网站),而不是整个文件系统。 这进一步增加了误报率。
您可以排除这些目录。 为了那个原因
clamscan有select
--exclude=REGEX, --exclude-dir=REGEX Don't scan file/directory names matching regular expression. These options can be used multiple times
clamdscan使用clamd.conf – Clam AntiVirus守护进程的configuration文件。 configuration文件位置可以通过选项--config-file=FILE来设置,configuration文件采用ExcludePath REGEX指令。
Linux恶意软件检测有一个文件列出要忽略的path:
.: 8 [ IGNORE OPTIONS ] There are four ignore files available and they break down as follows: /usr/local/maldetect/ignore_paths A line spaced file for paths that are to be execluded from search results Sample ignore entry: /home/user/public_html/cgi-bin