Debian

Diagnosing an alleged trojan reported by ClamAV

  • November 25, 2014

Unfortunately, I have very little Linux experience. We have an Amazon instance running Debian 7.6 and received a message from Amazon saying that we were performing port scans. We hope to stop this by restricting outbound traffic with an Amazon security group, but as part of the investigation we ran the following:

sudo clamscan -r -i --bell

This indicated a possible infection:

/var/lib/tomcat7/update_temporary: Unix.Trojan.Elknot FOUND

I could find almost nothing about this (though some things about ElkKnot have an extra K; are they the same thing?).

The following warnings also appeared many times in the output:

WARNING: Can't open file /sys/module/nfnetlink_log/uevent: Permission denied
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0

So my questions are: how can I tell whether the reported infection is real or a false positive? Should I be worried about all the LibClamAV warnings? Do they indicate a problem, or that Debian is set up incorrectly?

As for "How can I tell whether ... is real or a false positive?":

You might want to copy the file (if possible) to another medium to test it with a virus scanner other than ClamAV (if you are worried about the validity of the Clam result).

Or, if you would rather not move the file from one machine to another, you might want to make the file accessible on a web server and test it with a URL-testing utility such as https://www.virustotal.com/ to see whether it also confirms the hit.

Obviously, you will need to restore/remove any files.

If you want to confirm which program is attempting inbound/outbound communication, try this...

netstat -tnp | awk '/:80 */ {split($NF,a,"/"); print a[2],a[1]}'

Note that if the program is running with root privs, which unfortunately is likely, you will need to run the above command with matching privs in order to detect the program.
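The netstat one-liner in the answer matches ":80 " anywhere in the line, so a local web server's own port 80 sockets and outbound connections to remote port 80 are reported together, and when netstat is run unprivileged the PID/Program column simply shows "-" for other users' processes. The script below is an added example (not code from the ServerFault post) that does the same job a little more carefully: it matches only the foreign-address column, and it separately lists sockets whose owner is hidden, which is the privilege caveat the answer raises. The netstat sample embedded in it is constructed for the example; the PIDs, addresses and program names are made up.

```shell
#!/bin/sh
# Added example: parse `netstat -tnp` output to find which program owns
# connections to a given remote port, and flag sockets whose owner is hidden
# because the scan was not run with sufficient privileges.

# Constructed sample of `netstat -tnp` output. Every value here is made up for
# this example; it is not data from the post or from a real host.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:44210          203.0.113.7:80          ESTABLISHED 1234/update_temporary
tcp        0      0 10.0.0.5:22             198.51.100.2:51234      ESTABLISHED 987/sshd
tcp        0      0 10.0.0.5:55000          203.0.113.9:80          SYN_SENT    -
tcp        0      0 10.0.0.5:55001          203.0.113.9:6667        ESTABLISHED -'

# programs_for_remote_port PORT [NETSTAT_OUTPUT]
# Prints "program pid" for every TCP connection whose *foreign* address ends
# in :PORT. Matching column 5 rather than ":80" anywhere in the line keeps a
# local listener on port 80 from being confused with outbound traffic to 80.
# Without a second argument it runs netstat on the live system.
programs_for_remote_port() {
    port=$1
    input=${2:-$(netstat -tnp 2>/dev/null)}
    printf '%s\n' "$input" | awk -v p=":$port" '
        $1 == "tcp" && $5 ~ (p "$") {
            n = split($NF, a, "/")          # PID/Program -> a[1]=pid, a[2]=name
            if (n >= 2) print a[2], a[1]    # skip "-" entries (owner unknown)
        }'
}

# hidden_owner_sockets [NETSTAT_OUTPUT]
# Prints the foreign address of every TCP connection whose PID/Program column
# is "-". netstat prints "-" when the caller may not see the socket owner,
# which is exactly what an unprivileged run shows for a root-owned process.
hidden_owner_sockets() {
    input=${1:-$(netstat -tnp 2>/dev/null)}
    printf '%s\n' "$input" | awk '$1 == "tcp" && $NF == "-" { print $5 }'
}

# Demonstration on the constructed sample.
echo "programs talking to remote port 80:"
programs_for_remote_port 80 "$SAMPLE_NETSTAT"

hidden=$(hidden_owner_sockets "$SAMPLE_NETSTAT")
if [ -n "$hidden" ] && [ "$(id -u)" -ne 0 ]; then
    echo "owner hidden for: $hidden" >&2
    echo "rerun with matching privileges (sudo netstat -tnp) to see them" >&2
fi
```

Sockets that show up under hidden_owner_sockets but not under programs_for_remote_port are the ones the answer's caveat is about: rerun as root (or with the capability to inspect other users' sockets) before concluding that nothing is connecting out. On hosts where netstat has been replaced by ss, `ss -tnp` gives equivalent columns but a different layout, so the awk field numbers would need adjusting.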

Source: https://serverfault.com/questions/646987