Diagnosing a suspected trojan reported by ClamAV

Unfortunately, I have very little Linux experience. We have an Amazon instance running Debian 7.6 and received a message from Amazon saying that we were port scanning. We hope to stop this by restricting outbound traffic with Amazon security groups, but as part of the investigation we ran:

sudo clamscan -r -i --bell

which reported the following possible infection:

/var/lib/tomcat7/update_temporary: Unix.Trojan.Elknot FOUND

I know very little about this (though some of the material on ElkKnot is spelled with an extra K; are they the same thing?)

The output also repeated the following warnings many times:

WARNING: Can't open file /sys/module/nfnetlink_log/uevent: Permission denied
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0

So my questions are: how can I tell whether the reported infection is real or a false positive? Should I be worried about all the LibClamAV warnings? Do they indicate a problem, or is Debian set up incorrectly?

Answer 1

As for "how can I tell ... whether it is a true positive or a false positive?"

You may want to copy the file (if possible) to another medium and test it with a virus scanner other than ClamAV (if you have doubts about the validity of Clam's result).

Alternatively, if you would rather not move the file from one machine to another, you could make the file accessible on a web server and test it with a URL-testing utility such as https://www.virustotal.com/ to see whether it also confirms the hit.

Obviously, you will want to restore/delete any such file.

If you want to confirm which program is attempting inbound/outbound communication, try the following...

netstat -tnp | awk '/:80 */ {split($NF,a,"/"); print a[2],a[1]}'

Note that if the process is running with root privileges (which, unfortunately, is quite likely), you will need to run the above command with matching privileges in order to see the program.
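The following POSIX shell helper is an added example, not code from the original question or answer. It collects the evidence the answer talks about for one suspect file (type, owner, SHA-256, and a VirusTotal hash-lookup URL, so the file itself never has to leave the box), and it parses `netstat -tnp` output for every non-listening TCP socket rather than only port 80, since a port scanner will talk to arbitrary ports. A `-` in the PID/Program name column is what an unprivileged user sees for sockets owned by another user, which is the root caveat from the answer; the parser flags those rows instead of silently dropping them. The netstat snapshot embedded below is constructed for offline testing, the default path is only the one named in the question, and the `/gui/file/<sha256>` form of the VirusTotal URL is assumed to be current.

```shell
#!/bin/sh
# Added triage helper (not part of the original post).
# Assumes: POSIX sh, awk, file, netstat (net-tools), sha256sum or shasum.

# Constructed sample of `netstat -tnp` output, used so the parser can be
# exercised without root or a live socket table. The "-" rows are what an
# unprivileged user sees for sockets owned by root (or another user).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:48211          203.0.113.7:80          ESTABLISHED 1234/update_tempora
tcp        0      0 10.0.0.5:22             198.51.100.2:51022      ESTABLISHED -
tcp        0      0 10.0.0.5:8080           198.51.100.9:40121      TIME_WAIT   -
tcp        0      0 10.0.0.5:38044          192.0.2.10:6667         SYN_SENT    1234/update_tempora'

# Read `netstat -tnp` output on stdin and print "pid program remote" for every
# tcp/tcp6 socket, regardless of port. Rows whose owner is not visible to the
# caller are reported as "hidden" rather than dropped, so the operator knows
# to rerun as root instead of concluding that nothing is talking out.
outbound_from_netstat() {
  awk '$1 == "tcp" || $1 == "tcp6" {
        split($NF, a, "/")
        pid  = (a[1] == "-") ? "hidden" : a[1]
        prog = (a[2] == "") ? "(rerun as root)" : a[2]
        print pid, prog, $5
  }'
}

# Number of distinct PIDs that were actually visible in the snapshot.
visible_pids() {
  outbound_from_netstat | awk '$1 != "hidden" && !seen[$1]++ { n++ } END { print n + 0 }'
}

# SHA-256 of a file; sha256sum (coreutils) with a shasum (perl) fallback.
suspect_sha256() {
  { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | awk '{ print $1 }'
}

# Gather the evidence for one suspect file, without modifying it.
triage() {
  f="$1"
  h=$(suspect_sha256 "$f")
  echo "== $f"
  ls -l "$f"                      # owner and mtime: tomcat7 should not own an ELF here
  file "$f"                       # an ELF binary in a data directory is itself suspicious
  echo "sha256: $h"
  echo "lookup: https://www.virustotal.com/gui/file/$h"
  echo "== tcp sockets (pid program remote); hidden rows mean: rerun as root"
  netstat -tnp 2>/dev/null | outbound_from_netstat
}

# Usage: sh triage.sh /var/lib/tomcat7/update_temporary
if [ $# -gt 0 ]; then
  triage "$1"
fi
```

Running it as an ordinary user will typically show the Tomcat-owned file's hash but a column of `hidden` socket owners; that is the cue to run it again with `sudo`, after which the process name next to the suspicious remote ports (IRC-style 6667 in the constructed sample) is what to kill and hand over for analysis together with the hash.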
