今晚运行了 rkhunter,得到了以下结果:
[04:17:34] System checks summary
[04:17:34] =====================
[04:17:34]
[04:17:34] File properties checks...
[04:17:34] Files checked: 133
[04:17:34] Suspect files: 16
[04:17:34]
[04:17:34] Rootkit checks...
[04:17:34] Rootkits checked : 245
[04:17:34] Possible rootkits: 1
[04:17:34] Rootkit names : Slapper Worm
[04:17:34]
[04:17:34] Applications checks...
[04:17:34] All checks skipped
[04:17:34]
[04:17:34] The system checks took: 2 minutes and 27 seconds
[04:17:34]
[04:17:34] Info: End date is Sat Jul 12 04:17:34 UTC 2014
据称可能的rootkit是“Slapper Worm”,并且它指向这个文件:
[04:16:42] Checking for Slapper Worm...
[04:16:42] Checking for file '/tmp/.bugtraq' [ Not found ]
[04:16:42] Checking for file '/tmp/.uubugtraq' [ Not found ]
[04:16:42] Checking for file '/tmp/.bugtraq.c' [ Not found ]
[04:16:42] Checking for file '/tmp/httpd' [ Not found ]
[04:16:42] Checking for file '/tmp/.unlock' [ Not found ]
[04:16:42] Checking for file '/tmp/update' [ Found ]
[04:16:42] Checking for file '/tmp/.cinik' [ Not found ]
[04:16:43] Checking for file '/tmp/.b' [ Not found ]
[04:16:43] Warning: Slapper Worm [ Warning ]
[04:16:43] File '/tmp/update' found
我删除了这个文件,但看起来没什么大问题?我应该担心我可能感染了 rootkit 吗?删除这个文件能解决问题吗?
答案1
在这种情况下,我不会太担心,因为它只检测到一个文件名,由于单词的常见性质,这个文件名不太可能由完全不相关的东西创建update。像 这样的更重要的文件/tmp/.bugtraq丢失了。此外,Slapper 12岁并利用了一个早已被关闭的漏洞。
如果您是rkhunter因为怀疑感染而逃跑,可以进一步调查,但如果这是例行操作,则不要再管了。