Aliyun machine infected

Keywords: Linux zlib firewall vim Database

Last night I received an SMS and an email from Aliyun warning that my server had been infected. The contents were as follows:

Malicious outbound behavior has been detected from your cloud server (ip). To avoid affecting the normal use of your server, please pay attention to this and deal with it as soon as possible; find out your security risks as soon as possible. At present the system will not penalize your machine, but you must attend to it.

Afraid of being penalized (sent to the "little black house", i.e. having the instance isolated), I hurried to log in to the server. Once on it I found nothing unusual, but I did notice the machine had been running naked, with no firewall at all, so I quickly installed one and everything looked normal. Then this afternoon I received Aliyun's SMS and email again, and this time the server simply could not be logged into: CPU and bandwidth usage had soared, it was extremely slow, and waiting did not help. I restarted the machine from the management console, logged in immediately after the restart, enabled the firewall, allowed only specific IPs to access the server, and cut off all other access.

Installation of Antivirus Software ClamAV

ClamAV is a command-line virus scanner; removing viruses is not its main function. By default it only detects the viruses on your machine; it cannot disinfect a file, and at most it can delete it. ClamAV works on many platforms, though a few are not supported, depending on how popular the platform you use is. It mainly detects Windows viruses and trojan programs, and it is server-oriented software.

Download the ClamAV installation package

Official website: http://www.clamav.net/downloa...

wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz
wget http://nchc.dl.sourceforge.net/project/libpng/zlib/1.2.7/zlib-1.2.7.tar.gz
tar xvzf zlib-1.2.7.tar.gz
cd zlib-1.2.7
./configure 
make && make install

Add the group clamav and a user clamav belonging to it

[root@iZwz92o4464Z zlib-1.2.7]# groupadd clamav
[root@iZwz92o4464Z zlib-1.2.7]# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

Installation of Clamav-0.99.2

[root@iZwz92o4464Z tmp]# tar xvzf clamav-0.99.2.tar.gz
[root@iZwz92o4464Z tmp]# cd clamav-0.99.2
[root@iZwz92o4464Z clamav-0.99.2]# ./configure --prefix=/opt/clamav  --disable-clamav
[root@iZwz92o4464Z clamav-0.99.2]# make
[root@iZwz92o4464Z clamav-0.99.2]# make install

Configure Clamav

1: Create directories

[root@iZwz92o4464Z clamav-0.99.2]# mkdir /opt/clamav/logs 
[root@iZwz92o4464Z clamav-0.99.2]# mkdir /opt/clamav/updata 

2: Create files

[root@iZwz92o4464Z clamav-0.99.2]# touch /opt/clamav/logs/freshclam.log
[root@iZwz92o4464Z clamav-0.99.2]# touch /opt/clamav/logs/clamd.log

[root@iZwz92o4464Z clamav-0.99.2]# cd /opt/clamav/logs
[root@iZwz92o4464Z clamav-0.99.2]# ls
clamd.log  freshclam.log
[root@LNX17 logs]# ls -lrt
total 0
-rw-r--r--. 1 root root 0 Aug 21 22:10 freshclam.log
-rw-r--r--. 1 root root 0 Aug 21 22:10 clamd.log

3: Modify ownership

[root@iZwz92o4464Z logs]# chown clamav:clamav clamd.log 
[root@iZwz92o4464Z logs]# chown clamav:clamav freshclam.log 
[root@iZwz92o4464Z logs]# ls -lrt
total 0
-rw-r--r--. 1 clamav clamav 0 Aug 21 22:10 freshclam.log
-rw-r--r--. 1 clamav clamav 0 Aug 21 22:10 clamd.log
[root@iZwz92o4464Z logs]# 

4: Modify the configuration file

root@AY14061209501523080aZ: vim /opt/clamav/etc/clamd.conf

Comment out the line Example (line 8).

LogFile: remove the comment and change the path from the default to /opt/clamav/logs/clamd.log
PidFile: remove the comment and change the path to /opt/clamav/updata/clamd.pid
DatabaseDirectory: likewise, change it to /opt/clamav/updata

root@AY14061209501523080aZ:/opt/clamav# vim /opt/clamav/etc/freshclam.conf

Comment out the line Example here as well. Otherwise the following errors occur when updating the virus database:

ERROR: Please edit the example config file /opt/clamav/etc/freshclam.conf
ERROR: Can't open/parse the config file /opt/clamav/etc/freshclam.conf

5: Upgrade Virus Library

[root@AY14061209501523080aZ etc]# /opt/clamav/bin/freshclam
ERROR: Can't change dir to /opt/clamav/share/clamav

If the above error occurs, simply create the directory and give the clamav user ownership of it.

[root@AY14061209501523080aZ etc]# mkdir -p /opt/clamav/share/clamav
[root@AY14061209501523080aZ etc]# chown clamav:clamav /opt/clamav/share/clamav

Run the update again (it is very slow):

[root@AY14061209501523080aZ:/opt/clamav/etc]# /opt/clamav/bin/freshclam
ClamAV update process started at Thu Mar  9 18:33:03 2017
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.97.6 Recommended version: 0.99.2
DON'T PANIC! Read http://www.clamav.net/support/faq
Downloading main.cvd [100%]

main.cvd updated (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Downloading daily.cvd [  4%]

Because this ClamAV is not the latest version, a warning is printed. You can ignore it or upgrade to the latest version. The virus database needs to be updated regularly; for example, I updated it again the next day.

6: ClamAV usage

You can run /opt/clamav/bin/clamscan -h to view the help information.

· To scan all users' home directories, use clamscan -r /home

· To scan all files on the machine and display the result for every file, use clamscan -r /

· To scan all files on the machine and display only the files that were flagged, use clamscan -r --bell -i /

Run the following command to scan all files under the root directory. In my case 56 files were infected, basically Linux.Trojan.Agent, Linux.Backdoor.Gates and the like.

/opt/clamav/bin/clamscan -r --bell -i /
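A scan like the one above is only useful if it runs regularly and someone notices the result. The script below is an added example (not from the original post or the ClamAV project): it wraps the post's /opt/clamav/bin/clamscan, appends the output to a log under /opt/clamav/logs (the log file name is assumed), and returns a non-zero status plus the list of detections when anything is found, so it can be run from cron. Given no argument it exercises the parsing on a constructed sample of clamscan output.

```shell
#!/bin/sh
# Added example, not from the original post: wrap /opt/clamav/bin/clamscan so a
# scheduled scan logs under /opt/clamav/logs (the post's prefix; log name assumed).
CLAMSCAN=/opt/clamav/bin/clamscan
SCANLOG=/opt/clamav/logs/clamscan.log

# Constructed sample of "clamscan -r -i" output (not a real scan result), used
# when the script runs without arguments on a machine that lacks ClamAV.
SAMPLE_OUTPUT='/var/www/html/up.php: Linux.Trojan.Agent FOUND
/tmp/.sshd/bin: Linux.Backdoor.Gates FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4218790
Scanned files: 123456
Infected files: 2'

# parse_scan_output: read clamscan output on stdin and print "NAME PATH" for
# every detection, which clamscan writes as "PATH: NAME FOUND".
parse_scan_output() {
    sed -n 's/^\(.*\): \([^ ]*\) FOUND$/\2 \1/p'
}

# infected_count: print the N from the "Infected files: N" summary line on
# stdin, or 0 if the summary is missing (e.g. clamscan aborted).
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p')
    echo "${n:-0}"
}

# run_scan DIR: scan DIR recursively (skipping the kernel pseudo-filesystems),
# append the full output to SCANLOG, and return 1 when anything was found so
# cron or a mail hook can alert on the non-zero status.
run_scan() {
    dir=${1:-/}
    [ -x "$CLAMSCAN" ] || { echo "clamscan not found at $CLAMSCAN" >&2; return 2; }
    out=$("$CLAMSCAN" -r -i --exclude-dir='^/(proc|sys|dev)' "$dir" 2>&1)
    printf '%s\n' "$out" >> "$SCANLOG"
    count=$(printf '%s\n' "$out" | infected_count)
    if [ "$count" -gt 0 ]; then
        echo "clamscan: $count infected file(s) under $dir"
        printf '%s\n' "$out" | parse_scan_output
        return 1
    fi
    echo "clamscan: nothing found under $dir"
}

# With a directory argument run a real scan; without one, exercise the parser
# on the constructed sample so the script can be tried anywhere.
if [ $# -gt 0 ]; then run_scan "$1"; else printf '%s\n' "$SAMPLE_OUTPUT" | parse_scan_output; fi
```

Put `sh /opt/clamav/bin/scan.sh / || mail -s "clamscan alert" you@example.com` (paths and address are placeholders) in root's crontab to get a message only when the scan finds something.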

Posted by allenmak on Sun, 14 Apr 2019 14:51:32 -0700