你可以使用chkrootkit扫描许多类型的rootkit,并检测某些日志删除。虽然它无法删除任何受感染的文件,但确实会告诉你具体哪些文件被感染,以便你可以删除/重装/修复文件或软件包。
请遵照以下简单过程,使用chkrootkit下载、安装和扫描系统。使用sudo或su成为root用户。
# yum update
# yum install wget gcc-c++ glibc-static
# wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar –zxvf chkrootkit.tar.gz
# mkdir /usr/local/chkrootkit
# mv chkrootkit-0.xx/* /usr/local/chkrootkit
# cd /usr/local/chkrootkit
# make sense
<< compile output >>
# /usr/local/chkrootkit/chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
<< more output >>
chkrootkit脚本报告受感染的文件。我从未遇到过误报,但你碰到的情况可能不一样。我在管理的每个Linux系统上都安装了chkrootkit。我还设置了计划任务(cron job),执行上述所有步骤(除安装依赖项之外),以便我始终拥有更新后的集合。我还将输出重定向到用户帐户主目录中的一个文件。可以选择在脚本末尾通过电子邮件将文本报告发送给你。
chkrootkit脚本仅需几秒钟即可扫描和报告,因此使用它并不浪费时间或精力。
2.rkhunter
RootKit Hunter(rkhunter)是一个rootkit检测脚本,可以自动扫描许多不同的rootkit及其他本地漏洞。我爱rkhunter,用它也已有多年。与chkrootkit不同,rkhunter在/var/log/rkhunter/rkhunter.log中提供了记录发现结果的完整日志。如果你只安装和运行一款恶意软件扫描应用软件,它可能应该是rkhunter。
以下是在系统上安装和运行rkhunter的方法。使用sudo或su成为root用户。
# yum -y install epel-release
# yum -y install rkhunter
# rkhunter -c
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
<< lots of output >>
System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 129
Suspect files: 4
Rootkit checks...
Rootkits checked : 494
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 1 minute and 38 seconds
All results have been written to the log file: /var/log/rkhunter/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
rkhunter有时会标记你手动更改的文件。我的四个“可疑”文件中有两个是passwd和group,这两个都是我手动更改的文件。它还会通过touch、vi或者更改原始访问或修改日期的另外某个程序,标记你有意或无意修改的文件。ifup和ifdown是我系统上被标为可疑的另外两个文件。我还没有搞清楚原因,但觉得这两个都不是问题。
就算你认为自己知道情况,也要核查所有被标记的文件。
3.ClamAV
ClamAV官网页面介绍:ClamAV是一种可用于各种场景的开源(GPL)防病毒引擎,包括电子邮件扫描、Web扫描和端点安全。它提供了许多实用程序,包括灵活且可扩展的多线程守护程序、命令行扫描程序以及用于数据库自动更新的高级工具。
要安装ClamAV,请成为root或sudo用户,使用以下命令:
# yum -y install clamav
# freshclam
ClamAV update process started at Fri Apr 3 17:21:48 2020
daily database available for download (remote version: 25772)
Time: 27.3s, ETA: 0.0s [=============================>] 57.90MiB/57.90MiB
Testing database: '/var/lib/clamav/tmp.63140/clamav-5feeeb4cb75d1c44dd7c48b836fe457c.tmp-daily.cvd' ...
<< output >>
# clamscan -r -i /
LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4088 bytes @ offset 8, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4088 bytes @ offset 8, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4093 bytes @ offset 3, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4093 bytes @ offset 3, got 0
<< Lots of output >>
----------- SCAN SUMMARY -----------
Known viruses: 6801836
Engine version: 0.102.2
Scanned directories: 13294
Scanned files: 64849
Infected files: 0
Total errors: 11295
Data scanned: 2668.46 MB
Data read: 2094.11 MB (ratio 1.27:1)
Time: 509.652 sec (8 m 29 s)
#
如你所见,扫描整个系统耗时几分钟,所以通过cron扫描并重定向输出来得更容易。
结束语
靠谱建议是通过cron安排自动更新和扫描。一旦启动了新系统,你还应立即执行初步扫描,因为这为你提供了基准情况。每次更新和安装软件后扫描。所有操作系统都有特定的恶意软件,因此,切勿因个人偏见而影响你对系统和用户执行正确的操作。要假设任何系统都不是完全干净的。
原文标题:3 antimalware solutions for Linux systems,作者:Ken Hess
2601
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
