Will my server be damaged if I delete this infected file?

There is some spam script on my server (sending thousands of emails per hour). I scanned my server (CentOS 7 + Virtualmin) with ClamAV, and this is the result:

/home/joudakpk/homes/info/Maildir/cur/1555410522.27486_0.ser.voceweb.com: Email.Phishing.VOF1-6314019-0 FOUND
/home/joudakpk/homes/info/Maildir/cur/1554693257.32497_0.ser.voceweb.com: Email.Trojan.Toa-5493309-0 FOUND
/var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/log/clamav/manual_clamscan.log: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/spool/postfix/deferred/9/988795815AA: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/logs/event_log: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sess/quarantine.hist: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sess/hits.hist: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sess/session.190502-0005.4595: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sess/session.hits.190502-0005.4595: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6139866
Engine version: 0.101.2
Scanned directories: 123063
Scanned files: 643152
Infected files: 28
Total errors: 13042
Data scanned: 130821.71 MB
Data read: 109355.80 MB (ratio 1.20:1)
Time: 20850.863 sec (347 m 30 s)

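First: I changed all user passwords and the master password, and disabled root login. Second: I deleted the "info" folder and the info user.

Now I don't know what I should do.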

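Answer 1

I'll reply here to make it easier to read.

These files can be deleted. Then install rkhunter; this tool will scan your machine for binaries that may have been modified or other bad content.

That does not mean your server will be clean, though. Under Linux it is easy to do nasty hidden things, so you have to check your machine carefully. By the way, you also have to find out how those people got into your server. If it came through a web page, you have to secure it to keep them from coming back. So there are many things to check before you can be "sure" your machine is clean.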
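
An added example, not part of the question or the answer above: a small triage of clamscan "FOUND" lines that groups hits by where they sit, so that hits inside the scanners' own signature and log directories are separated from mail and from everything else. The path-prefix grouping and the group names are assumptions of this example, and the last FOUND line in the sample is constructed.

```python
import re
from collections import defaultdict

# Sample input. All FOUND lines except the last are copied from the scan
# output in the question; the public_html line is constructed (hypothetical)
# to show what an unclassified hit looks like.
SAMPLE = """\
/home/joudakpk/homes/info/Maildir/cur/1555410522.27486_0.ser.voceweb.com: Email.Phishing.VOF1-6314019-0 FOUND
/var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/log/clamav/manual_clamscan.log: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/spool/postfix/deferred/9/988795815AA: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/maldetect/sess/hits.hist: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/home/example/public_html/cache.php: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
Infected files: 28
"""

# Assumed grouping; the first matching rule wins. Signature databases and
# scanner logs contain the very patterns the scanner looks for, so hits
# there are grouped apart from hits in user or web content.
RULES = [
    ("scanner-own-data",
     re.compile(r"^/(var/lib|usr/share|var/log)/clamav/|^/usr/local/maldetect/")),
    ("mail-queue", re.compile(r"^/var/spool/postfix/")),
    ("mailbox", re.compile(r"/Maildir/(cur|new|tmp)/")),
]
FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def triage(scan_output):
    """Return {group: [(path, signature), ...]} for every FOUND line."""
    groups = defaultdict(list)
    for line in scan_output.splitlines():
        m = FOUND.match(line.strip())
        if not m:
            continue  # summary, error and OK lines are ignored
        path = m["path"]
        group = next((name for name, rx in RULES if rx.search(path)), "review")
        groups[group].append((path, m["sig"]))
    return dict(groups)


if __name__ == "__main__":
    for group, hits in sorted(triage(SAMPLE).items()):
        print(f"{group}: {len(hits)}")
        for path, sig in hits:
            print(f"  {sig}  {path}")
```

Run over the full output in the question, every hit lands in the scanner, mailbox or mail-queue groups and none under "review".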
