Some spam script on my server is sending thousands of emails per hour. I scanned the server (CentOS 7 + Virtualmin) with clamav, and the results are as follows:
/home/joudakpk/homes/info/Maildir/cur/1555410522.27486_0.ser.voceweb.com: Email.Phishing.VOF1-6314019-0 FOUND
/home/joudakpk/homes/info/Maildir/cur/1554693257.32497_0.ser.voceweb.com: Email.Trojan.Toa-5493309-0 FOUND
/var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/log/clamav/manual_clamscan.log: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/spool/postfix/deferred/9/988795815AA: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/logs/event_log: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sess/quarantine.hist: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sess/hits.hist: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sess/session.190502-0005.4595: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sess/session.hits.190502-0005.4595: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/share/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6139866
Engine version: 0.101.2
Scanned directories: 123063
Scanned files: 643152
Infected files: 28
Total errors: 13042
Data scanned: 130821.71 MB
Data read: 109355.80 MB (ratio 1.20:1)
Time: 20850.863 sec (347 m 30 s)
First: I changed all user passwords and the master password, and disabled root login. Second: I deleted the "info" folder and the info user.
Now I don't know what to do next?
Answer 1
I'll reply here so it is easier to read.
You can delete those files. Then install rkhunter (Rootkit Hunter); this tool checks the machine for potentially modified binaries or undesirable content.
That does not mean your server is clean. It is easy to do nasty hidden things on Linux, and you have to check the machine again. You also need to find out how those people hacked your server. If it came in through a web page, you have to protect it so they do not come back. So there is a lot to check before you can "confirm" that the machine is clean.
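Before deleting anything from that list, it helps to sort the hits by where they live. The paths under /var/lib/clamav, /usr/share/clamav, /var/log/clamav and /usr/local/maldetect are ClamAV and maldet signature databases, logs and session files; they contain the very strings the unofficial rfxn/YARA signatures look for, so they match themselves on every scan and removing them only breaks the scanners. The hits that deserve a look are the two phishing messages in the Maildir and the Postfix deferred-queue file that matches a web-shell signature. The script below is an added example, not code from the question or the answer: it parses clamscan's "path: signature FOUND" lines and groups them so the self-matches drop out of the review list. The sample output is constructed from the paths in the question, and the prefix list is an assumption based on the default install locations of ClamAV and Linux Malware Detect.

```python
"""Triage clamscan output: separate self-matches in signature databases and
scanner logs from hits that need a human look.

Added example (not part of the original post). SAMPLE is constructed from
the paths shown in the question; SCANNER_DATA_PREFIXES is an assumption
based on the default ClamAV and maldet install locations.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# clamscan prints one line per detection: "<path>: <signature> FOUND"
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Directories holding signature databases or the scanners' own logs and
# session files. A detection there usually means the file contains the
# strings a signature searches for, not live malware.
SCANNER_DATA_PREFIXES = (
    "/var/lib/clamav/",
    "/usr/share/clamav/",
    "/var/log/clamav/",
    "/usr/local/maldetect/",
)


def classify(path: str) -> str:
    """Bucket a flagged path by what kind of object it is."""
    if path.startswith(SCANNER_DATA_PREFIXES):
        return "scanner-data"
    if "/Maildir/" in path:
        return "mailbox"
    if path.startswith("/var/spool/postfix/"):
        return "mail-queue"
    return "other"


def parse_hits(output: str) -> List[Tuple[str, str, str]]:
    """Return (category, path, signature) for every FOUND line; summary lines are skipped."""
    hits = []
    for line in output.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((classify(m["path"]), m["path"], m["sig"]))
    return hits


def triage(output: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (path, signature) pairs by category."""
    groups: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for category, path, sig in parse_hits(output):
        groups[category].append((path, sig))
    return dict(groups)


def needs_review(output: str) -> List[Tuple[str, str]]:
    """Everything that is not a scanner self-match: the list a human should read."""
    return [(p, s) for c, p, s in parse_hits(output) if c != "scanner-data"]


# Constructed sample: a subset of the question's scan output plus summary lines.
SAMPLE = """\
/home/joudakpk/homes/info/Maildir/cur/1555410522.27486_0.ser.voceweb.com: Email.Phishing.VOF1-6314019-0 FOUND
/var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/log/clamav/manual_clamscan.log: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/spool/postfix/deferred/9/988795815AA: YARA.r57shell_php_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Infected files: 5
"""

if __name__ == "__main__":
    for category, entries in sorted(triage(SAMPLE).items()):
        print(f"{category} ({len(entries)}):")
        for path, sig in entries:
            print(f"  {sig:<55} {path}")
    print("\nto review:", len(needs_review(SAMPLE)), "of", len(parse_hits(SAMPLE)))
```

Run it against a saved scan log (`clamscan -r -i / > scan.log`, then feed the file contents to `triage`) and the review list shrinks to the mailbox and mail-queue entries. The queue file is worth reading with `postcat -q 988795815AA` before the queue is flushed, since a queued outgoing message matching a PHP web-shell signature is the best lead on what the spam script is and where it sits; anything in the "other" bucket (for example a flagged file under a site's document root) points at the entry vector the answer tells you to find.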