linux下使用clamav排查病毒

clamav

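# Fetch the release tarball over TLS, never plain HTTP: whatever is downloaded here is
# built and installed as root a few lines later, so a tampered tarball is a root
# compromise. 0.102.0 is an older release — check clamav.net for the currently
# supported version before deploying this on anything that matters.
wget https://www.clamav.net/downloads/production/clamav-0.102.0.tar.gz || exit 1
# Before unpacking, verify the tarball against the signature/checksum the ClamAV
# project publishes alongside the release (the download alone proves nothing).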

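### Install
# Build dependencies for a RHEL/CentOS host. Every step aborts on failure so a
# failed download, configure or make can never fall through to 'make install' as root.
yum -y install gcc-c++ pcre pcre-devel zlib zlib-devel openssl openssl-devel llvm-devel libxml2 libxml2-devel libcurl-devel || exit 1
tar zxf clamav-0.102.0.tar.gz || exit 1
cd clamav-0.102.0 || exit 1
# Self-contained prefix: binaries, config samples and the signature database all live
# under /opt/clamav (the database default becomes /opt/clamav/share/clamav).
./configure --prefix=/opt/clamav || exit 1
make || exit 1
make install || exit 1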

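### Setting
# Dedicated unprivileged account for clamd/freshclam, no login shell.
groupadd clamav
useradd clamav -g clamav -s /sbin/nologin
# Create every directory the config below references; the original referenced
# /opt/clamav/updata, which nothing ever created.
mkdir -p /opt/clamav/logs /opt/clamav/run /opt/clamav/share/clamav
touch /opt/clamav/logs/freshclam.log /opt/clamav/logs/clamd.log
# 'user:group' — the 'user.group' form is a deprecated GNU extension and is ambiguous
# for usernames that contain a dot.
chown -R clamav:clamav /opt/clamav/logs /opt/clamav/run /opt/clamav/share/clamav

cp /opt/clamav/etc/clamd.conf.sample /opt/clamav/etc/clamd.conf
cp /opt/clamav/etc/freshclam.conf.sample /opt/clamav/etc/freshclam.conf

# The sample configs ship with a bare 'Example' line that makes both tools refuse to run.
sed -i 's/^Example/#Example/' /opt/clamav/etc/freshclam.conf
sed -i 's/^Example/#Example/' /opt/clamav/etc/clamd.conf
# The replacement paths contain '/', so '|' is used as the s-command delimiter.
# With '/' (as in the original) sed parses 's/^#LogFile /tmp/…' as pattern '^#LogFile ',
# replacement 'tmp', then garbage flags, and aborts with "unknown option to `s'" —
# clamd.conf was never actually modified.
sed -i 's|^#LogFile /tmp/clamd.log|LogFile /opt/clamav/logs/clamd.log|' /opt/clamav/etc/clamd.conf
# PID file in a directory the clamav user can write; /var/run is root-only.
sed -i 's|^#PidFile /var/run/clamd.pid|PidFile /opt/clamav/run/clamd.pid|' /opt/clamav/etc/clamd.conf
# clamd must read the same directory freshclam writes to (the --prefix default,
# /opt/clamav/share/clamav); pointing it elsewhere means it loads no signatures.
sed -i 's|^#DatabaseDirectory /var/lib/clamav|DatabaseDirectory /opt/clamav/share/clamav|' /opt/clamav/etc/clamd.conf
# NOTE(review): clamd is configured but never started on this page; if you do run it,
# it also needs a LocalSocket or TCPSocket setting — confirm against the sample config.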

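# cd ..
## Optional offline seed: clamav.virus_data.tar.gz unpacks to a 'clamav' directory
## holding signature files downloaded from the official site. Only seed from a bundle
## you assembled yourself from clamav.net — a poisoned signature set lets an attacker
## decide what this scanner does NOT detect.
# tar zxf clamav.virus_data.tar.gz
# cp clamav/* /opt/clamav/share/clamav/

## Update the signature database. Needs outbound network access to the ClamAV mirrors;
## when run as root, freshclam drops to the DatabaseOwner account from freshclam.conf
## (clamav by default), which is why the DB directory is owned by that user above.
## A failed update is not cosmetic: scans against stale signatures give false assurance.
/opt/clamav/bin/freshclam || echo "freshclam failed: signatures are stale, do not trust scan results" >&2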

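### Scheduled scan job
# Quarantine lives under the root-owned install tree with mode 0700 — NOT in /tmp.
# /tmp is world-writable, so any local user could read, replace or delete quarantined
# samples (destroying evidence or re-planting malware), and tmp cleaners may purge them.
install -d -m 0700 -o root -g root /opt/clamav/quarantine
# /etc/crontab requires a *user* field after the five time fields. The original line had
# none, so cron would treat '/opt/clamav/bin/clamscan' as the username and the job would
# never run. Also: skip pseudo-filesystems (procfs/sysfs/devtmpfs/run) and the quarantine
# itself, and keep a log instead of sending everything to /dev/null — a scan whose result
# nobody can see is not a control. -i keeps the log to infected files plus the summary.
# --move on a whole-filesystem scan is aggressive: one false positive relocates a system
# file. Consider running the job without --move first and quarantining after review.
echo "#scan virus" >>/etc/crontab
echo '30 4 5 * * root /opt/clamav/bin/clamscan -r -i --exclude-dir="^/(proc|sys|dev|run)" --exclude-dir="^/opt/clamav/quarantine" --move=/opt/clamav/quarantine --log=/opt/clamav/logs/clamscan.log / >/dev/null 2>&1' >>/etc/crontab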

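# Run a recursive scan of a data directory (report only, nothing is touched).

/opt/clamav/bin/clamscan -r /data

# Quarantine infected files. The quarantine is a root-owned 0700 directory, not /tmp:
# other local users must not be able to read, swap or delete the samples, and tmp
# cleaners must not purge them. -i prints only infected files.

install -d -m 0700 -o root -g root /opt/clamav/quarantine
/opt/clamav/bin/clamscan --no-summary -ri --move=/opt/clamav/quarantine /data

# Scan a user's home directory and delete infected files.
# Use the full path: with --prefix=/opt/clamav, clamscan is not on PATH, so the bare
# 'clamscan' in the original fails with "command not found".
# --remove is irreversible — a false positive destroys the user's file. Prefer --move
# into the quarantine above and delete only after manual review.

/opt/clamav/bin/clamscan -r --remove /home/USER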
 

基本安全排查

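# Login activity. Read logs with a pager, not an editor: opening evidence in vim risks
# accidental modification and leaves swap files behind. Debian/Ubuntu log SSH/PAM auth
# events to /var/log/auth.log; RHEL/CentOS (this is a yum host) use /var/log/secure.
less /var/log/auth.log     # attempted usernames and source IPs (RHEL/CentOS: less /var/log/secure)
lastb                      # failed logins from /var/log/btmp (equivalent to: last -f /var/log/btmp)
last <userName>            # logins for one account — the username is a positional argument, not a -u option
last -f /var/log/wtmp      # source IP and session length per login
# wtmp/btmp are plain files that a root-level intruder can truncate or edit; cross-check
# with the journal (journalctl _COMM=sshd) and with remote syslog where available.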

# Who is logged in right now. 'w' also shows the source host, idle time and the
# command each session is running; 'users' prints only the bare login names.
# A session from an unexpected host at an odd hour is the first thing to look for.
w
users

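# List accounts without opening the file in an editor (vim on /etc/passwd invites an
# accidental edit of the account database). Things to flag: any extra UID-0 account,
# login shells on service accounts, recently added users, empty password fields.
less /etc/passwd
awk -F: '$3 == 0 {print $1}' /etc/passwd                          # every UID-0 account; should be root only
awk -F: '$7 !~ /(nologin|false)$/ {print $1 ":" $7}' /etc/passwd  # accounts that can actually log in
awk -F: '$2 == "" {print $1}' /etc/shadow                         # accounts with an empty password (needs root)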

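# Shell history of the CURRENT shell/user only, and an unreliable source: a user can
# unset HISTFILE, or delete or symlink ~/.bash_history to /dev/null. A zero-size or
# symlinked history file is itself a signal worth noting.
history
ls -la /root/.bash_history /home/*/.bash_history 2>/dev/null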

# Running processes. 'pstree -a' shows the parent/child tree with full command lines —
# a shell spawned by a web server or other daemon is a classic sign of compromise;
# 'ps aux' lists every process with its owner and resource use.
pstree -a
ps aux

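# Listening sockets with the owning process. net-tools (netstat) is not installed on
# minimal RHEL/CentOS 7+ systems; 'ss' from iproute2 accepts the same flags, so try it
# first and fall back to netstat where it exists.
ss -ntulp || netstat -ntulp
# Established TCP sessions: look for unexpected outbound connections (C2, reverse shells).
ss -ntp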


# CPU and memory. Sustained unexplained load (see the load averages in uptime) or one
# process pinning a core in top/htop often points at a cryptominer. htop is not
# installed by default and may be absent.
free -m  
uptime  
top  
htop

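# Per-user crontabs (run as root). Reads /etc/passwd directly instead of 'cat | cut',
# quotes the user name, and silences the "no crontab for X" noise so real entries stand
# out; a user is printed only when a crontab actually exists.
while IFS=: read -r user _; do
  entries=$(crontab -l -u "$user" 2>/dev/null) && printf '### %s\n%s\n' "$user" "$entries"
done </etc/passwd
# Persistence also hides in the system-wide cron locations (cron.d is easy to miss)
# and in systemd timers; list them as well.
ls -la /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/cron 2>/dev/null
systemctl list-timers --all 2>/dev/null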


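# System and kernel logs. The '$ ' prompt prefixes are dropped so these lines can be
# pasted into a script; '/var/log/auth' is not a standard log file on either family.
dmesg                      # kernel ring buffer: OOM kills, module loads, USB/hardware events
less /var/log/messages     # general syslog on RHEL/CentOS (Debian/Ubuntu: /var/log/syslog)
less /var/log/secure       # auth, sudo and sshd events on RHEL/CentOS
less /var/log/auth.log     # the Debian/Ubuntu equivalent of /var/log/secure
journalctl -xe             # systemd journal, where present; survives log-file tampering better than flat files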
原文地址:https://www.cnblogs.com/linn/p/11857840.html