Last night I received a text message and an e-mail from Alibaba Cloud saying that my server had been compromised. The contents were as follows:
It has been detected that your cloud server (IP) has malicious external connection behavior. In order to avoid affecting the normal use of your server, please pay attention to it and deal with it as soon as possible. You need to check your security risks as soon as possible. At present the system will not punish your machine, but you must pay attention to it.
I was afraid of being penalized (sent to the "little black room"), so I quickly logged in to the server and found nothing unusual. However, I did find that the machine had been running without a firewall all along, so I quickly installed one. Everything seemed normal until this afternoon, when I received another SMS and e-mail from Alibaba Cloud: the server could not be logged into at all, CPU and bandwidth usage had spiked, and it was extremely slow. After waiting a while I still could not get in, so I went to the management console and restarted the machine. After the restart I logged in quickly and enabled the firewall, allowing access only from specific IPs and cutting off everything else.
Install the anti-virus software ClamAV
ClamAV is a command-line virus scanner. Because removal is not its main function, by default it only detects infected files on your machine and does not disinfect them; at most it can delete the file. ClamAV runs on many platforms, although a few are not supported, depending on how popular the platform is. Its signatures mainly target Windows viruses and Trojan horse programs, and it is server-oriented software.
Download the ClamAV installation package
tar xvzf zlib-1.2.7.tar.gz
cd zlib-1.2.7
./configure
make && make install
Add the user group clamav and the group member clamav
# groupadd clamav
# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
# tar xvzf clamav-0.99.2.tar.gz
# cd clamav-0.99.2
# ./configure --prefix=/opt/clamav --disable-clamav
# make
# make install
1: Create directories
# mkdir /opt/clamav/logs
# mkdir /opt/clamav/updata
2: Create files
# touch /opt/clamav/logs/freshclam.log
# touch /opt/clamav/logs/clamd.log
# cd /opt/clamav/logs
# ls
clamd.log  freshclam.log
# ls -lrt
total 0
-rw-r--r--. 1 root root 0 Aug 21 22:10 freshclam.log
-rw-r--r--. 1 root root 0 Aug 21 22:10 clamd.log
3: Change the owner
# chown clamav:clamav clamd.log
# chown clamav:clamav freshclam.log
# ls -lrt
total 0
-rw-r--r--. 1 clamav clamav 0 Aug 21 22:10 freshclam.log
-rw-r--r--. 1 clamav clamav 0 Aug 21 22:10 clamd.log
4: Modify the configuration files
# vim /opt/clamav/etc/clamd.conf
·Example (line 8): comment out this line.
·LogFile: remove the leading comment and change the path to /opt/clamav/logs/clamd.log
·PidFile: remove the leading comment and change the path to /opt/clamav/updata/clamd.pid
·DatabaseDirectory: likewise, set it to /opt/clamav/updata
# vim /opt/clamav/etc/freshclam.conf
Comment out the Example line here as well; otherwise the following errors occur when updating the virus database:
ERROR: Please edit the example config file /opt/clamav/etc/freshclam.conf
ERROR: Can't open/parse the config file /opt/clamav/etc/freshclam.conf
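Steps 1 to 4 above as one script that can be re-run safely, added here as an example; it is not code from the original post. It assumes a ClamAV built with a prefix such as /opt/clamav whose etc/ holds the stock clamd.conf and freshclam.conf (directive names Example, LogFile, PidFile, DatabaseDirectory and UpdateLogFile), and it deliberately writes the same DatabaseDirectory into both files so that clamd reads the signatures freshclam downloads; the directory name updata follows the post.

```shell
#!/bin/sh
# Added example, not from the original post: automates steps 1-4 for a
# ClamAV built with --prefix=PREFIX. Assumes the stock config files in
# PREFIX/etc (directives Example, LogFile, PidFile, DatabaseDirectory,
# UpdateLogFile); the "updata" directory name follows the post.
set -eu

# configure_clamav PREFIX [USER:GROUP]
configure_clamav() {
    prefix="$1"
    owner="${2:-clamav:clamav}"
    etc="$prefix/etc"
    logs="$prefix/logs"
    db="$prefix/updata"

    # Steps 1 and 2: directories and empty log files (idempotent).
    mkdir -p "$logs" "$db"
    touch "$logs/clamd.log" "$logs/freshclam.log"

    # Step 3: clamd and freshclam drop to the clamav user, so it must own
    # the log, pid and database locations. Skipped when the user does not
    # exist on this box, e.g. when trying the script elsewhere.
    if id "${owner%%:*}" >/dev/null 2>&1; then
        chown -R "$owner" "$logs" "$db"
    fi

    # Step 4: comment out the "Example" sentinel and set the directives in
    # both files. "^#\{0,1\}" matches the directive whether or not it is
    # still commented out, so re-running the script gives the same result.
    for conf in clamd.conf freshclam.conf; do
        f="$etc/$conf"
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
        sed -i \
            -e 's|^Example$|#Example|' \
            -e "s|^#\{0,1\}DatabaseDirectory .*|DatabaseDirectory $db|" \
            "$f"
    done
    sed -i \
        -e "s|^#\{0,1\}LogFile .*|LogFile $logs/clamd.log|" \
        -e "s|^#\{0,1\}PidFile .*|PidFile $db/clamd.pid|" \
        "$etc/clamd.conf"
    sed -i \
        -e "s|^#\{0,1\}UpdateLogFile .*|UpdateLogFile $logs/freshclam.log|" \
        "$etc/freshclam.conf"
}

# Print the effective DatabaseDirectory of both files, so a mismatch
# between clamd and freshclam is visible at a glance.
show_database_dirs() {
    grep -H '^DatabaseDirectory' "$1/etc/clamd.conf" "$1/etc/freshclam.conf"
}

# Usage on the server from the post (run as root after "make install"):
#   configure_clamav /opt/clamav clamav:clamav && show_database_dirs /opt/clamav
```

The sed expressions replace a directive line whether it is still commented out or already set, which is what makes the script safe to run twice; show_database_dirs is the check to run before freshclam, because the two daemons only share a signature set when both files name the same directory.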
5: Update the virus database
# /opt/clamav/bin/freshclam
ERROR: Can't change dir to /opt/clamav/share/clamav
If this error occurs, create the directory yourself and give the clamav user ownership of it. Note that /opt/clamav/share/clamav is freshclam's default DatabaseDirectory, not the /opt/clamav/updata set in clamd.conf above; set DatabaseDirectory in freshclam.conf to the same directory clamd uses (or pass --datadir to freshclam), otherwise clamd will not find the signatures freshclam downloads.
# mkdir -p /opt/clamav/share/clamav
# chown clamav:clamav /opt/clamav/share/clamav
Continue the update (it is very slow):
# /opt/clamav/bin/freshclam
ClamAV update process started at Thu Mar 9 18:33:03 2017
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.97.6 Recommended version: 0.99.2
DON'T PANIC! Read http://www.clamav.net/support/faq
Downloading main.cvd [100%]
main.cvd updated (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Downloading daily.cvd [ 4%]
Because this ClamAV is not the latest version there is a warning; you can ignore it or upgrade to the latest version. The virus database needs to be updated regularly. For example, I updated it again the next day.
6: Using ClamAV
You can run /opt/clamav/bin/clamscan -h to view the help information.
·To scan the home directories of all users, use clamscan -r /home
·To scan all files on the machine and display the scan results for every file, use clamscan -r /
·To scan all files on the machine and display only the files with problems, use clamscan -r --bell -i /
Run the following command to scan all files under the root directory. In my case 56 files were infected, basically all Linux.Trojan.Agent and Linux.Backdoor.Gates.
/opt/clamav/bin/clamscan -r --bell -i /
# /opt/clamav/bin/clamscan -r /bin --bell -i /
/bin/DDosClient: Unix.Trojan.Flooder-27 FOUND
/bin/ss: Unix.Trojan.Agent-37008 FOUND
Manually delete the virus:
# cd /bin
# ls DDos*
# rm DDosClient
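A triage step for the FOUND lines printed by clamscan -i, added here as an example and not part of the original post. A flagged file that a distribution package owns, as /bin/ss in the output above, is a system binary that has been replaced and should be reinstalled from its package rather than just removed; anything else is moved into a quarantine directory so the sample survives for analysis instead of being rm'd. The scan output in the block is constructed to match the post, the package lookup assumes dpkg or rpm is present (it is a heuristic and reports "none" when neither is), and the quarantine directory path is an example value.

```shell
#!/bin/sh
# Added example, not from the original post: triage for the "FOUND" lines
# that "clamscan -i" prints. A flagged file owned by a distribution package
# (as /bin/ss above) has been replaced and should be reinstalled from that
# package; anything else is quarantined rather than deleted so the sample
# is kept for analysis. The scan output below is constructed to match the post.
set -eu

SAMPLE_SCAN_OUTPUT='/bin/DDosClient: Unix.Trojan.Flooder-27 FOUND
/bin/ss: Unix.Trojan.Agent-37008 FOUND
/tmp/.x/udp: Unix.Trojan.Agent-37008 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3'

# stdin: clamscan output. stdout: "path<TAB>signature" for each FOUND line;
# summary and blank lines are dropped. Paths with spaces survive.
found_files() {
    awk '/ FOUND$/ { sig = $(NF - 1); sub(/: [^:]* FOUND$/, ""); print $0 "\t" sig }'
}

# Name of the package that owns PATH, or "none" (heuristic: asks dpkg or
# rpm, whichever this system has; neither present means "none").
owner_package() {
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | sed 's/: .*//' | head -n1)
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$1" 2>/dev/null) || pkg=""
    else
        pkg=""
    fi
    [ -n "$pkg" ] && echo "$pkg" || echo none
}

# stdin: clamscan output. stdout: "action<TAB>path<TAB>signature" per
# finding, where action is "reinstall:<package>" or "quarantine".
triage_plan() {
    tab=$(printf '\t')
    found_files | while IFS="$tab" read -r path sig; do
        pkg=$(owner_package "$path")
        if [ "$pkg" = none ]; then
            printf 'quarantine\t%s\t%s\n' "$path" "$sig"
        else
            printf 'reinstall:%s\t%s\t%s\n' "$pkg" "$path" "$sig"
        fi
    done
}

# Move FILE into QDIR (directory mode 700, file mode 000) instead of
# deleting it, and print the new location. Stop the process that uses the
# file and remove whatever restarts it (cron entries, init scripts) first:
# a deleted binary keeps running until its process is gone.
quarantine_file() {
    file="$1"; qdir="$2"
    mkdir -p "$qdir" && chmod 700 "$qdir"
    dest="$qdir/$(printf '%s' "$file" | tr '/' '_')"
    mv "$file" "$dest"
    chmod 000 "$dest"
    printf '%s\n' "$dest"
}

# Dry run on the constructed output (touches no files):
#   printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | triage_plan
# Real use: feed the saved clamscan output, then act on each line, e.g.
#   quarantine_file /bin/DDosClient /root/quarantine   (example path)
```

Running the plan before touching anything is the point: in the post's output /bin/ss would come back as reinstall:<package> on a packaged system, which is the signal that the real ss was overwritten and that every process listing taken with it is untrustworthy, while /bin/DDosClient has no owner and goes to quarantine.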