ClamAV in practice: hunting Linux malware
阿新 • Published: 2019-02-19
A complete record of installing ClamAV on Linux, scanning for malware, and cleaning up what it found
About ClamAV
ClamAV is the most popular antivirus software on the Linux platform. It is free and open source and runs on several platforms, such as Linux/Unix, Mac OS X, Windows and OpenVMS. ClamAV is a command-line virus-scanning tool, although the ClamTK tool provides a graphical front end. ClamAV is mainly used on mail servers to scan mail; it offers several interfaces for scanning mail from a mail server and supports file formats such as ZIP, RAR, TAR, GZIP, BZIP2, HTML, DOC, PDF, SIS, CHM, RTF and more. ClamAV has an automatic database updater and can also be used from its shared library. The command-line interface keeps ClamAV simple to run.
Installation and deployment
- Create the user and group
- Create the directories and set permissions
- Copy and edit the configuration files
- Update the virus database
- Scan for malware
1. Compile and install clamav:
tar xf clamav-0.100.0.tar.gz
cd clamav-0.100.0
./configure --prefix=/usr/local/clamav
make && make install
2. Add the clamav group and the clamav user as its member:
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
3. Create the directories and set permissions:
cd /usr/local/clamav
mkdir -p logs database worktmp
chown clamav:clamav database
# logs holds the log files
# database holds the downloaded virus database
# worktmp holds the pid files and other temporary/state files
4. Create the configuration files from the samples
cd /usr/local/clamav/etc
cp clamd.conf.sample clamd.conf
cp freshclam.conf.sample freshclam.conf
5. Edit the configuration files
# diff clamd.conf clamd.conf.sample
14c14
< LogFile /usr/local/clamav/logs/clamd.log
---
> #LogFile /tmp/clamd.log
66c66
< PidFile /var/clamav/worktmp/clamd.pid
---
> #PidFile /var/run/clamd.pid
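Review bot: the PidFile set in this hunk, /var/clamav/worktmp/clamd.pid, does not match the worktmp directory created in step 3 (/usr/local/clamav/worktmp), nor the freshclam PidFile in the second diff; unless /var/clamav/worktmp exists and is writable by the user clamd runs as, clamd will fail to write its pid file. Suggest `PidFile /usr/local/clamav/worktmp/clamd.pid`, and give worktmp the same `chown clamav:clamav` that database received in step 3.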
74c74
< DatabaseDirectory /var/lib/clamav/database
---
> #DatabaseDirectory /var/lib/clamav
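Review bot: DatabaseDirectory here points at /var/lib/clamav/database, but the freshclam.conf diff below tells freshclam to write signatures to /usr/local/clamav/database/ (the directory created in step 3), so clamd and freshclam would use two different trees and clamd would load nothing or stale data. Suggest `DatabaseDirectory /usr/local/clamav/database` in clamd.conf so both daemons share one database directory.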
# diff freshclam.conf freshclam.conf.sample
8c8
< #Example
---
> Example
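Review bot: commenting out `Example` is required rather than cosmetic: freshclam refuses to run while that line is present in freshclam.conf, so the step 5 text should say so explicitly.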
13c13
< DatabaseDirectory /usr/local/clamav/database/
---
> #DatabaseDirectory /var/lib/clamav
17c17
< UpdateLogFile /usr/local/clamav/logs/freshclam.log
---
> #UpdateLogFile /var/log/freshclam.log
51c51
< PidFile /usr/local/clamav/worktmp/freshclam.pid
---
> #PidFile /var/run/freshclam.pid
Update the virus database
# create the log file and hand the logs directory to the clamav user
touch /usr/local/clamav/logs/freshclam.log
chown -R clamav:clamav /usr/local/clamav/logs/*
# download the virus database
/usr/local/clamav/bin/freshclam
Database location: /usr/local/clamav/database
The first database update is slow. The database must be refreshed regularly, so set the update up as a scheduled (cron) job.
Scan for malware
clamscan -r /                  # lists every scanned file, not only the infected ones
clamscan --no-summary -ri /    # prints only the infected files
-r            recurse into subdirectories
-i            print only infected files
--no-summary  do not print the scan summary
Check the important directories one by one for infected files:
/usr/local/clamav/bin/clamscan -ri /data/
.... # some warning lines omitted
/data/***/store/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/util/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/index/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/queryParser/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/search/payloads/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/search/function/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/document/package.html: Legacy.Trojan.Agent-1388596 FOUND
/data/***/analysis/standard/package.html: Legacy.Trojan.Agent-1388596 FOUND
.....
----------- SCAN SUMMARY -----------
Known viruses: 6472191
Engine version: 0.100.0
Scanned directories: 170
Scanned files: 2247
Infected files: 8
Data scanned: 2662.96 MB
Data read: 6934.71 MB (ratio 0.38:1)
Time: 225.648 sec (3 m 45 s)
As you can see, 8 files under /data are infected. Comparing them with clean copies of the same files revealed the root cause:
Solution
First use find to locate the infected files; once you have confirmed them, use sed to delete the VBScript tag block. The full command:
# -print0 / -0 keep file names containing spaces intact; the sed range deletes every line
# from the one containing "VBScript><!--" through the one containing "//--></SCRIPT>"
find / -type f -name "*.html" -print0 | xargs -0 sed -i '/VBScript><!--/,/\/\/--><\/SCRIPT>/d'