在学习强化 VPS 的过程中,我安装了 ClamAV 和 MalDet,并使用了几个月。今晚,我决定,与其只是在家检查,我还要检查除“/sys”之外的整个 VPS。
这是结果:
/usr/local/maldetect.bk11949/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-current.tar.gz: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/tmp/.lmdup.666.11852/maldetect-1.6/files/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk11949/sigs.old/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/src/maldetect-current.tar.gz: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
Known viruses: 6109455
Engine version: 0.99.2
Scanned directories: 8699
Scanned files: 62104
Infected files: 41
Data scanned: 2514.92 MB
Data read: 4509.22 MB (ratio 0.56:1)
Time: 606.692 sec (10 m 6 s)
所以......现在我很害怕,因为我不把这些看作是坏消息。
请指教。
YARA是各种恶意软件保护使用的工具,用于根据二进制模式的文本创建恶意软件系列的描述。检测到的恶意软件“ Safe0ver Shell -Safe Mod Bypass By Evilc0der.php ”似乎是一个 PHP webshell,一种最有可能用于在运行 PHP 的易受攻击的服务器上获得 shell 访问权限的漏洞利用工具。
但是,发现恶意软件的位置位于 CalmAV 或 MalDet 存储其签名文件的目录中。此外,要处于活动状态,检测到的恶意软件应该是原始形式(MIME 类型application/x-httpd-php),而事实并非如此。签名文件必须包含有关恶意软件的足够信息才能检测到它,这在使用恶意软件检测工具扫描签名文件时可能会导致误报。
输出似乎来自 ClamAV。ClamAV 最初设计用于扫描电子邮件(和网站)而不是整个文件系统。这进一步增加了误报率。
您可以排除这些目录。为了那个原因
clamscan 有选择
--exclude=REGEX, --exclude-dir=REGEX
Don't scan file/directory names matching regular expression.
These options can be used multiple times
clamdscan用途clamd.conf- Clam AntiVirus Daemon 的配置文件。配置文件位置可以通过选项设置,--config-file=FILE配置文件采用ExcludePath REGEX指令。
Linux 恶意软件检测有一个文件来列出要忽略的路径:
.: 8 [ IGNORE OPTIONS ]
There are four ignore files available and they break down as follows:
/usr/local/maldetect/ignore_paths
A line spaced file for paths that are to be execluded from search results
Sample ignore entry:
/home/user/public_html/cgi-bin
| 归档时间: |
|
| 查看次数: |
5335 次 |
| 最近记录: |