1. Scans files for malicious code.
2. Monitors files in real time, by user or by path, for creation/modify/move operations (these operations are watched by default; other file operations can be monitored as well by editing /usr/local/maldetect/maldet yourself). This requires inotify support, available in kernels 2.6.13+ and in CentOS/RHEL 5 by default.
Official site:
Download:
Installation is simple: unpack the archive and edit the cron.daily file. During installation this file is copied to /etc/cron.daily/ and renamed maldet, and it runs every day at 4:00.
If needed, it can also be added to crontab to run every hour.
Edit the contents of the file:
#!/bin/bash
# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1
# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
/usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
# note: if the monitor is running, the command in the else branch below will not be run
else
/usr/local/maldetect/maldet -r /opt/html 2 >> /dev/null 2>&1
fi
The part to change is mainly the highlighted scan line: -r gives the directory to scan, and 2 means only files modified within the last 2 days. For the full list of parameters see
/usr/local/maldetect/maldet --help
-a, --scan-all PATH    Scan all files in path (-a scans every file regardless of modification time)
It is recommended to scan all files once first, and then scan only files modified within the last 2 days on a regular schedule.
The script /usr/local/maldetect/maldet itself can be edited for customization.
Also edit the configuration file /usr/local/maldetect/conf.maldet:
email_alert=1   enable email alerts; an email is sent whenever malicious code is detected
quar_hits=1     quarantine files found to contain malicious code
quar_clean=1    clean the malicious code out of the files
Below is a manual scan run as a test:
/usr/local/maldetect/maldet -r /opt/ 2
Linux Malware Detect v1.3.7
(C) 2002-2010, R-fx Networks
(C) 2010, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(19159): {scan} signatures loaded: 5269 (3624 MD5 / 1645 HEX)
maldet(19159): {scan} building file list for /opt/ of new/modified files from last 2 days, this might take awhile...
maldet(19159): {scan} file list completed, scanning 5 files...
maldet(19159): {scan} 5/5 files scanned: 2 hits 0 cleaned
maldet(19159): {scan} scan completed on /opt/: files 5, malware hits 3, cleaned hits 0
maldet(19159): {scan} scan report saved 'maldet --report 010611-1604.19159'
maldet(19159): {scan} quarantine disabled; set quar_hits=1 in conf.maldet or run 'maldet -q 010611-1604.19159' to quarantine results
As you can see, 3 files containing malicious code were detected.
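The cron script above sends the scan output to /dev/null, so the hit count and report id in lines like the ones just shown are lost. As an added example (not from the original post or the maldet project), here is a POSIX sh snippet that parses that output format so a cron job can react to hits; the sample log lines are constructed from the output above, and the MALDET variable and the function names are my own.

```shell
#!/bin/sh
# Added example: parse maldet 1.3.7 scan output so a cron job can react to hits.
# The sample lines below are constructed from the scan output shown on this page.

sample_scan_log() {
    cat <<'EOF'
maldet(19159): {scan} signatures loaded: 5269 (3624 MD5 / 1645 HEX)
maldet(19159): {scan} file list completed, scanning 5 files...
maldet(19159): {scan} scan completed on /opt/: files 5, malware hits 3, cleaned hits 0
maldet(19159): {scan} scan report saved 'maldet --report 010611-1604.19159'
EOF
}

# Print the "malware hits" count from a scan log on stdin (0 if no completion line).
maldet_hits() {
    hits=$(sed -n 's/.*{scan} scan completed on .*: files [0-9]*, malware hits \([0-9]*\), .*/\1/p' | head -n 1)
    echo "${hits:-0}"
}

# Print the report id from the "scan report saved" line (empty if absent).
maldet_report_id() {
    sed -n "s/.*scan report saved 'maldet --report \([^']*\)'.*/\1/p" | head -n 1
}

# Scan DIR for files changed within DAYS days; when there are hits, print the
# full report so it reaches cron mail instead of /dev/null. Returns 1 on hits.
# MALDET (assumed path) is the binary installed as described above.
MALDET=${MALDET:-/usr/local/maldetect/maldet}
scan_and_report() {
    dir=$1; days=$2
    log=$("$MALDET" -r "$dir" "$days" 2>&1)
    hits=$(printf '%s\n' "$log" | maldet_hits)
    id=$(printf '%s\n' "$log" | maldet_report_id)
    if [ "$hits" -gt 0 ] && [ -n "$id" ]; then
        echo "maldet: $hits hit(s) under $dir, report $id"
        "$MALDET" --report "$id"
        return 1
    fi
    return 0
}
```

Replace the `-r /opt/html 2` line in cron.daily with `scan_and_report /opt/html 2` to get the report in cron's mail only when something was found.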
Also, about real-time monitoring:
The inotify monitoring feature is designed to monitor paths/users in real-time for file creation/modify/move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS/RHEL 5 by default. If you are running CentOS 4 you should consider an inbox upgrade with:
On 64-bit servers you may get:
{mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
Download inotify-tools and compile and install it:
cd /usr/local/maldetect/inotify
tar -xvzf inotify-tools-3.14.tar.gz
cd inotify-tools-3.14
./configure
make
make install
Delete the inotifywait bundled with maldetect
and symlink the compiled inotifywait into that directory:
ln -s /usr/local/bin/inotifywait /usr/local/maldetect/inotify/
ldd /usr/local/maldetect/inotify/inotifywait
shows that libinotifytools.so.0 cannot be found, so link it into the 64-bit library path:
ln -s /usr/local/lib/libinotifytools.so.0 /usr/lib64/
OK, that solves the problem.
Below is my test monitoring the /opt directory:
/opt/123 CREATE 06 Jan 15:49:45
/opt/lighttpd-1.4.28/m4/111111 CREATE 06 Jan 15:50:35