Malware

ClamAV 和 MalDet - 這些是被隔離還是被感染?

  • March 23, 2017

學習如何強化我的 VPS,我安裝了 ClamAV 和 MalDet,使用了幾個月。今晚,我決定不只是檢查首頁,而是檢查除“/sys”之外的整個 VPS。

結果是這樣的:

/usr/local/maldetect.bk11949/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-current.tar.gz: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/src/maldetect-current.tar.gz: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND

Known viruses: 6109455
Engine version: 0.99.2
Scanned directories: 8699
Scanned files: 62104
Infected files: 41
Data scanned: 2514.92 MB
Data read: 4509.22 MB (ratio 0.56:1)
Time: 606.692 sec (10 m 6 s)

所以……現在我很害怕,因為我不認為這些只是壞消息。

請指教。

YARA是各種惡意軟體保護使用的工具,用於根據二進制模式的文本創建惡意軟體系列的描述。檢測到的惡意軟體“ Safe0ver Shell -Safe Mod Bypass By Evilc0der.php ”似乎是一個 PHP webshel​​l,這是一種利用工具,最有可能用於在執行 PHP 的易受攻擊的伺服器上獲取 shell 訪問權限。

但是,發現惡意軟體的位置位於 CalmAV 或 MalDet 儲存其簽名文件的目錄中。此外,要啟動,檢測到的惡意軟體應該是原始形式(MIME 類型application/x-httpd-php),但事實並非如此。簽名文件必須包含有關惡意軟體的足夠資訊才能檢測到它,這可能會在使用惡意軟體檢測工具掃描簽名文件時導致誤報。

輸出似乎來自 ClamAV。ClamAV 最初設計用於掃描電子郵件(和網站)而不是整個文件系統。這進一步增加了誤報率。

您可以排除這些目錄。為了那個原因

--exclude=REGEX, --exclude-dir=REGEX
   Don't scan file/directory names matching regular expression.
   These options can be used multiple times
  • clamdscan用途clamd.conf- Clam AntiVirus Daemon 的配置文件。配置文件位置可以通過選項設置,--config-file=FILE配置文件採用ExcludePath REGEX指令。
  • Linux Malware Detect有一個文件列出要忽略的路徑:
.: 8 [ IGNORE OPTIONS ]

There are four ignore files available and they break down as follows:

/usr/local/maldetect/ignore_paths
A line spaced file for paths that are to be execluded from search results
Sample ignore entry:
/home/user/public_html/cgi-bin

引用自:https://serverfault.com/questions/840052