rkhunter found 6 possible rootkits and how to remove them


Hi, I have installed rkhunter for the first time, and when I ran rkhunter -c the result showed 6 possible rootkits. I want to know whether these rootkits are dangerous and how to remove them. PS: my computer dual-boots Linux and Windows.

If the full log file needs to be uploaded, let me know.

[18:08:13] Info: Starting test name 'trojans'
[18:08:13] Performing trojan specific checks
[18:08:13]   Checking for enabled inetd services             [ Skipped ]
[18:08:13] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[18:08:13]   Checking for enabled xinetd services            [ Skipped ]
[18:08:13] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[18:08:13]   Checking for Apache backdoor                    [ Skipped ]
[18:08:13] Info: Check skipped - no Apache module or configuration directories found.
[18:08:13]
[18:08:13] Info: Starting test name 'os_specific'
[18:08:13]   Performing Linux specific checks
[18:08:13]     Checking loaded kernel modules                [ OK ]
[18:08:13]     Checking kernel module names                  [ OK ]
[18:12:48]
[18:12:51]   Checking for promiscuous interfaces             [ None found ]
[18:12:51]
[18:12:51] Info: Test 'packet_cap_apps' disabled at users request.
[18:12:51]
[18:12:51] Info: Starting test name 'local_host'
[18:12:51] Checking the local host...
[18:12:51]
[18:12:51] Info: Starting test name 'startup_files'
[18:12:51] Performing system boot checks
[18:12:51]   Checking for local host name                    [ Found ]
[18:12:51]
[18:12:51] Info: Starting test name 'startup_malware'
[18:12:51]   Checking for system startup files               [ Found ]
[18:12:54]   Checking system startup files for malware       [ None found ]
[18:12:54]
[18:12:54] Info: Starting test name 'group_accounts'
[18:12:54] Performing group and account checks
[18:12:54]   Checking for passwd file                        [ Found ]
[18:12:54] Info: Found password file: /etc/passwd
[18:12:54]   Checking for root equivalent (UID 0) accounts   [ None found ]
[18:12:54] Info: Found shadow file: /etc/shadow
[18:12:54]   Checking for passwordless accounts              [ None found ]
[18:12:54]
[18:12:54] Info: Starting test name 'passwd_changes'
[18:12:54]   Checking for passwd file changes                [ None found ]
[18:12:54]
[18:12:54] Info: Starting test name 'group_changes'
[18:12:54]   Checking for group file changes                 [ None found ]
[18:12:54]   Checking root account shell history files       [ OK ]
[18:12:54]
[18:12:54] Info: Starting test name 'system_configs'
[18:12:54] Performing system configuration file checks
[18:12:54]
[18:12:54] Info: Starting test name 'system_configs_ssh'
[18:12:54]   Checking for an SSH configuration file          [ Not found ]
[18:12:54]
[18:12:54] Info: Starting test name 'system_configs_syslog'
[18:12:54]   Checking for a running system logging daemon    [ Found ]
[18:12:54] Info: A running 'rsyslog' daemon has been found.
[18:12:54] Info: A running 'systemd-journald' daemon has been found.
[18:12:54] Info: Found an rsyslog configuration file: /etc/rsyslog.conf
[18:12:54] Info: Found a systemd configuration file: /etc/systemd/journald.conf
[18:12:54]   Checking for a system logging configuration file [ Found ]
[18:12:54]   Checking if syslog remote logging is allowed    [ Not allowed ]
[18:12:54]
[18:12:54] Info: Starting test name 'filesystem'
[18:12:54] Performing filesystem checks
[18:12:54] Info: SCAN_MODE_DEV set to 'THOROUGH'
[18:12:58]   Checking /dev for suspicious file types         [ Warning ]
[18:12:58] Warning: Suspicious file types found in /dev:
[18:12:58]          /dev/shm/sem.CiscoAcNamedEventOpenDNS: data
[18:12:58]          /dev/shm/sem.CiscoAcNamedEventNVM: data
[18:12:58]          /dev/shm/sem.CiscoAcMemoryLock: data
[18:12:58]          /dev/shm/tmp: data
[18:12:58]          /dev/shm/PostgreSQL.1878213102: data
[18:12:58]   Checking for hidden files and directories       [ Warning ]
[18:12:58] Warning: Hidden directory found: /etc/.java
[18:12:58]   Checking for missing log files                  [ Skipped ]
[18:12:58] Info: No missing log file names configured.
[18:12:58]   Checking for empty log files                    [ Skipped ]
[18:12:58] Info: No empty log file names configured.
[18:13:20] Info: Test 'apps' disabled at users request.
[18:13:20] System checks summary
[18:13:20] =====================
[18:13:20] File properties checks...
[18:13:20] Files checked: 145
[18:13:20] Suspect files: 1
[18:13:20] Rootkit checks...
[18:13:20] Rootkits checked : 480
[18:13:20] Possible rootkits: 7
[18:13:20] Applications checks...
[18:13:20] All checks skipped

Answer 1

These are probably not rootkits, just files that rkhunter does not recognise, i.e. false positives. To be on the safe side, you can delete the files you do not use.

For the Cisco files:

/dev/shm/sem.CiscoAcNamedEventOpenDNS: data
/dev/shm/sem.CiscoAcNamedEventNVM: data
/dev/shm/sem.CiscoAcMemoryLock: data

these appear to be files used by a previously installed Cisco AnyConnect.

Check whether any instance is running, for example:

ps -ef | grep vpn

You may see a running process like the following:

root        5968       1  0 ago14 ?        00:00:00  /opt/cisco/anyconnect/bin/vpnagentd

It can be uninstalled by running the following commands:

/opt/cisco/vpn/bin/vpn_uninstall.sh
/opt/cisco/anyconnect/bin/vpn_uninstall.sh
/opt/cisco/anyconnect/bin/anyconnect_uninstall.sh
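Added example, not part of the thread above: a small POSIX shell script that pulls the flagged paths out of rkhunter's "Warning:" lines and prints the matching rkhunter.conf whitelist directives (ALLOWDEVFILE and ALLOWHIDDENDIR) for the entries you have confirmed are benign, such as the Cisco AnyConnect semaphores and /etc/.java. The sample log is a constructed excerpt of the question's output.

```shell
#!/bin/sh
# Added example (not from the original thread): turn rkhunter warnings into
# reviewable whitelist lines, so that known-benign files stop being reported.
# Only add a directive to /etc/rkhunter.conf after you have confirmed the path
# belongs to software you installed (here: Cisco AnyConnect, PostgreSQL, Java).

# Constructed sample: a trimmed copy of the log lines from the question.
SAMPLE_LOG='[18:12:58]   Checking /dev for suspicious file types         [ Warning ]
[18:12:58] Warning: Suspicious file types found in /dev:
[18:12:58]          /dev/shm/sem.CiscoAcNamedEventOpenDNS: data
[18:12:58]          /dev/shm/sem.CiscoAcMemoryLock: data
[18:12:58]          /dev/shm/PostgreSQL.1878213102: data
[18:12:58]   Checking for hidden files and directories       [ Warning ]
[18:12:58] Warning: Hidden directory found: /etc/.java
[18:12:58]   Checking for missing log files                  [ Skipped ]'

# rkhunter_warnings LOGTEXT: print one "<kind> <path>" line per flagged path.
# kind is "devfile" for entries under /dev and "hiddendir" for hidden directories.
rkhunter_warnings() {
    printf '%s\n' "$1" | awk '
        /Warning: Suspicious file types found in \/dev/ { mode = "devfile"; next }
        /Warning: Hidden directory found: /  { print "hiddendir " $NF; mode = ""; next }
        /Warning:/                            { mode = ""; next }
        # indented detail lines look like: [hh:mm:ss]  /dev/shm/name: data
        mode == "devfile" && $2 ~ /^\/dev\//  { sub(/:$/, "", $2); print "devfile " $2; next }
        mode == "devfile"                     { mode = "" }
    '
}

# rkhunter_allow_lines LOGTEXT: map each warning to an rkhunter.conf directive.
# The PID-suffixed PostgreSQL segment changes on every restart; rkhunter accepts
# a wildcard there (e.g. ALLOWDEVFILE=/dev/shm/PostgreSQL.*), edit by hand if needed.
rkhunter_allow_lines() {
    rkhunter_warnings "$1" | while read -r kind path; do
        case "$kind" in
            devfile)   printf 'ALLOWDEVFILE=%s\n' "$path" ;;
            hiddendir) printf 'ALLOWHIDDENDIR=%s\n' "$path" ;;
        esac
    done
}

# Stand-alone run: review the proposed directives before appending them.
rkhunter_allow_lines "$SAMPLE_LOG"
```

After editing rkhunter.conf, run `rkhunter --propupd` only for the file-properties warning and re-run `rkhunter -c` to confirm the whitelisted entries are no longer reported.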
