Malware
ClamAV 和 MalDet - 這些是被隔離還是被感染?
學習如何強化我的 VPS,我安裝了 ClamAV 和 MalDet,使用了幾個月。今晚,我決定不只是檢查首頁,而是檢查除“/sys”之外的整個 VPS。
結果是這樣的:
/usr/local/maldetect.bk11949/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-current.tar.gz: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect.bk11949/sigs.old/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/maldetect/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/local/src/maldetect-1.5/files/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /usr/local/src/maldetect-current.tar.gz: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/share/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/share/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /usr/share/clamav/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND /var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND /var/lib/clamav/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND Known viruses: 6109455 Engine version: 0.99.2 Scanned directories: 8699 Scanned files: 62104 Infected files: 41 Data scanned: 2514.92 MB Data read: 4509.22 MB (ratio 0.56:1) Time: 606.692 sec (10 m 6 s)
所以……現在我很害怕,因為我不認為這些只是壞消息。
請指教。
YARA是各種惡意軟體保護使用的工具,用於根據二進制模式的文本創建惡意軟體系列的描述。檢測到的惡意軟體“ Safe0ver Shell -Safe Mod Bypass By Evilc0der.php ”似乎是一個 PHP webshell,這是一種利用工具,最有可能用於在執行 PHP 的易受攻擊的伺服器上獲取 shell 訪問權限。
但是,發現惡意軟體的位置位於 CalmAV 或 MalDet 儲存其簽名文件的目錄中。此外,要啟動,檢測到的惡意軟體應該是原始形式(MIME 類型
application/x-httpd-php
),但事實並非如此。簽名文件必須包含有關惡意軟體的足夠資訊才能檢測到它,這可能會在使用惡意軟體檢測工具掃描簽名文件時導致誤報。輸出似乎來自 ClamAV。ClamAV 最初設計用於掃描電子郵件(和網站)而不是整個文件系統。這進一步增加了誤報率。
您可以排除這些目錄。為了那個原因
clamscan
有選擇權--exclude=REGEX, --exclude-dir=REGEX Don't scan file/directory names matching regular expression. These options can be used multiple times
clamdscan
用途clamd.conf
- Clam AntiVirus Daemon 的配置文件。配置文件位置可以通過選項設置,--config-file=FILE
配置文件採用ExcludePath REGEX
指令。- Linux Malware Detect有一個文件列出要忽略的路徑:
.: 8 [ IGNORE OPTIONS ] There are four ignore files available and they break down as follows: /usr/local/maldetect/ignore_paths A line spaced file for paths that are to be execluded from search results Sample ignore entry: /home/user/public_html/cgi-bin