如果 rkhunter 发现可能的 rootkit 该怎么办?

如果 rkhunter 发现可能的 rootkit 该怎么办?

今晚运行了 rkhunter,得到了以下结果:

[04:17:34] System checks summary
[04:17:34] =====================
[04:17:34]
[04:17:34] File properties checks...
[04:17:34] Files checked: 133
[04:17:34] Suspect files: 16
[04:17:34]
[04:17:34] Rootkit checks...
[04:17:34] Rootkits checked : 245
[04:17:34] Possible rootkits: 1
[04:17:34] Rootkit names    : Slapper Worm
[04:17:34]
[04:17:34] Applications checks...
[04:17:34] All checks skipped
[04:17:34]
[04:17:34] The system checks took: 2 minutes and 27 seconds
[04:17:34]
[04:17:34] Info: End date is Sat Jul 12 04:17:34 UTC 2014

据称可能的rootkit是“Slapper Worm”,并且它指向这个文件:

[04:16:42] Checking for Slapper Worm...
[04:16:42]   Checking for file '/tmp/.bugtraq'               [ Not found ]
[04:16:42]   Checking for file '/tmp/.uubugtraq'             [ Not found ]
[04:16:42]   Checking for file '/tmp/.bugtraq.c'             [ Not found ]
[04:16:42]   Checking for file '/tmp/httpd'                  [ Not found ]
[04:16:42]   Checking for file '/tmp/.unlock'                [ Not found ]
[04:16:42]   Checking for file '/tmp/update'                 [ Found ]
[04:16:42]   Checking for file '/tmp/.cinik'                 [ Not found ]
[04:16:43]   Checking for file '/tmp/.b'                     [ Not found ]
[04:16:43] Warning: Slapper Worm                             [ Warning ]
[04:16:43]          File '/tmp/update' found

我删除了这个文件,但看起来没什么大问题?我应该担心我可能感染了 rootkit 吗?删除这个文件能解决问题吗?

答案1

在这种情况下,我不会太担心,因为它只检测到一个文件名,由于单词的常见性质,这个文件名不太可能由完全不相关的东西创建update。像 这样的更重要的文件/tmp/.bugtraq丢失了。此外,Slapper 12岁并利用了一个早已被关闭的漏洞。

如果您是rkhunter因为怀疑感染而逃跑,可以进一步调查,但如果这是例行操作,则不要再管了。

相关内容