
Completely delete scanned harmful programs with one command

WBOY
2024-02-19 13:57:02


One command to completely delete the scanned harmful programs

Author: Tian Yi (formyz)

An NFS server is shared by multiple Web projects. The shared directories hold PHP programs, pictures, HTML pages, and documents and attachments uploaded by users. Because some of the Web frameworks are old and do not perform strict security checks on uploaded files, a large number of malicious files have still been uploaded by people with ulterior motives, even though the NFS server sits in a protected internal network. The programmers were strongly urged to update the program (Discuz), and the reply was that the update was too difficult to handle at the program level. At the system administration level, the temporary measure is simply to install antivirus software, scan the shared directory, and delete the harmful files (treating the symptoms, not the root cause).

The NFS shared storage is deployed on CentOS 7.9, with 44T of storage space of which 4.5T is in use (as shown in the figure below). Because management has been relatively lax, it holds a large amount of junk data that needs to be cleaned up and archived.

Based on past experience and habit, we decided to deploy the well-known open-source security software ClamAV on the CentOS 7.9 host that runs the NFS service. Its official tagline is "ClamAV® is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats". I don't know when the logo at the bottom of the official website was replaced by that of the network equipment manufacturer Cisco. Even so, ClamAV is still open source and free and can be used without restriction. On CentOS 7.9 there are at least three ways to deploy and install ClamAV: an RPM binary package, building from the source package, and the online package management tool "yum", as shown in the figure below.

The easiest and most convenient way to deploy and install ClamAV under CentOS 7.9 is "yum install". Try executing "yum install clamav" on the system command line; the process and output are as follows.

Unfortunately, ClamAV is not included in the default software repository and cannot be installed this way. Add the "epel-release" additional software repository by executing the command "yum install epel-release", then run "yum list clamav" again. As can be seen from the output, the additional repository already contains the "clamav" package, as shown in the figure below.

Execute the command "yum install clamav" for the formal installation. In addition to the main ClamAV package, several dependent packages are installed along with it, as shown in the figure below.

Compared with installing from source packages, there is no need to install the required dependencies one by one based on the error output during the installation process, which greatly improves efficiency.

The virus signature database that comes with a freshly installed ClamAV is relatively old and lagging, so it needs to be updated from the system command line to reduce missed detections during scanning. The command to update the signature database is "freshclam", with no parameters or options. The execution process and output are shown in the figure below.

The signature database is now up to date. Before formally running the scan, it is strongly recommended to run it inside "screen" so that a disconnected SSH remote terminal does not interrupt the scan. If executing the command "screen" reports that the command does not exist, install it with "yum install screen". After "screen" runs correctly, the system immediately returns a Shell prompt. At this point, formally enter the following command to fully scan the suspect shared directory and record the output to the log file "/var/log/clamscan.log".

clamscan -r /data -l /var/log/clamscan.log

After a long wait (this scan took many days to complete), check the scan log file to see whether any malicious files were found, using the following command:

[root@nas wenku]# grep FOUND /var/log/clamscan.log
/data/cu/attachment/forum/201305/29/22155372jcjxtt0vfx2uk2.zip: Win.Trojan.IRCBot-785 FOUND
/data/cu/attachment/forum/201501/05/155857clzd9d10bwdpl3s0.zip: Unix.Trojan.Agent-37008 FOUND
/data/cu/attachment/forum/201501/10/2110526a6afrfrzvas2h25.zip: Win.Tool.Chopper-9839749-0 FOUND
/data/cu/attachment/forum/201501/10/210932qsy27wsnwazswagr.zip: Win.Tool.Chopper-9839749-0 FOUND
/data/cu/attachment/forum/201405/18/082512hhjnzummmnuu4i8i.zip: Unix.Dropper.Mirai-7338045-0 FOUND
/data/cu/attachment/forum/201205/11/084024426448y1bk6jmmb9.zip: Win.Trojan.SdBot-13589 FOUND
/data/cu/attachment/forum/201206/05/092231faffjiak6z3gkzqv.zip: Win.Malware.Aa93a15d-6745814-0 FOUND
/data/kong/blog/attach/attachment/201603/9/30229789_1457535724sulu.jpg: Win.Trojan.Generic-6584387-0 FOUND
... (more output omitted) ...
/data/wenku/App_Data/Documents/2012-03-10/7da3d2c7-6d16-44c2-aab1-e8a317716c15.txt: Dos.Trojan.Munga-4 FOUND
/data/wenku/App_Data/Documents/2014-02-17/4ed74e66-54d1-46b5-8a41-4915ced095a5.ppt: Xls.Trojan.Agent-36856 FOUND
/data/wenku/App_Data/Documents/2014-02-23/c5c1dfa6-9f04-4e53-b418-4d711ce5408d.ppt: Win.Exploit.Fnstenv_mov-1 FOUND
/data/wenku/App_Data/Documents/2014-07-15/ae2dfca5-ddef-4c41-8812-bcc5543415e1.txt: Legacy.Trojan.Agent-34669 FOUND

There are more than 500 records with the keyword "FOUND", and their paths follow no regular pattern. These scattered malicious files cannot be dealt with by deleting a directory. Deleting them one by one manually according to their absolute paths is inefficient and error-prone; if thousands of malicious files were distributed in this way, it would be essentially impossible to delete them by hand.

The "clamscan" command itself has a "--remove" option that deletes the detected malicious files directly, but this had not been confirmed with the people concerned and could cause controversy. Therefore, the problematic files need to be presented to the relevant people for confirmation; only when there are no objections can they be moved or deleted.

Starting from the ClamAV scan log, use command-line tools to extract the full path of each malicious file, with the following command.

[root@nas wenku]# grep FOUND /var/log/clamscan.log | awk -F: '{print $1}'
/data/wenku/App_Data/Documents/2016-04-11/8fe8d01e-e752-4e52-80df-f202374b2b6d.doc
/data/wenku/App_Data/Documents/2016-04-11/03a14021-279f-45cd-83c5-b63076032c9e.doc
/data/wenku/App_Data/Documents/2016-04-11/c45ddc01-ec3d-4a54-b674-8c2082d76ce3.doc
/data/cu/attachment/forum/201305/29/22155372jcjxtt0vfx2uk2.zip
/data/cu/attachment/forum/201501/05/155857clzd9d10bwdpl3s0.zip
/data/cu/attachment/forum/201501/10/2110526a6afrfrzvas2h25.zip
/data/cu/attachment/forum/201501/10/210932qsy27wsnwazswagr.zip
/data/cu/attachment/forum/201405/18/082512hhjnzummmnuu4i8i.zip
/data/cu/attachment/forum/201205/11/084024426448y1bk6jmmb9.zip
/data/cu/attachment/forum/201206/05/092231faffjiak6z3gkzqv.zip
... (some output omitted) ...

Compared with the original log, the colon ":" and all the fields after it are removed. Append a pipe to this command and hand the paths to "xargs" to clean up all the detected malicious files, whatever directories they are scattered across. The complete command is as follows.

grep FOUND /var/log/clamscan.log | awk -F: '{print $1}' | xargs rm -rf

After execution, pick the full paths of several detected malicious files at random and check that the files no longer exist (as shown in the figure below), which shows the command is correct and produced the result we expected.
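The one-liner above breaks on two kinds of path: "awk -F:" cuts a path short at any colon it contains, and "xargs rm -rf" splits a path at whitespace, so a file named "a b.zip" would be looked up as "a" and "b.zip". The following script is an added example, not the author's own, that extracts the FOUND paths safely and moves the files into a quarantine tree for the review step the article describes, rather than deleting them outright. It assumes the standard clamscan log format "path: Signature FOUND"; the scan log and files in demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the article's script): pull the paths of every FOUND
# hit out of a clamscan log and move the files into a quarantine tree for
# review, instead of piping them straight into "rm -rf".
# Assumes log lines look like "/path/file: Signature FOUND" and that the
# quarantine root is writable; the sample tree in demo() is constructed.

# Print one path per FOUND line. Stripping the trailing ": <sig> FOUND"
# with sed keeps paths that themselves contain a colon intact, where
# 'awk -F:' would truncate them (signature names never contain a colon).
extract_found_paths() {
    grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

# Move each hit under the quarantine root, mirroring its original directory
# layout so it can be restored if a reviewer objects. Reads whole lines, so
# paths containing spaces survive; prints each moved file's new location.
quarantine_found() {
    log=$1; qroot=$2
    extract_found_paths "$log" | while IFS= read -r f; do
        [ -f "$f" ] || { echo "missing: $f" >&2; continue; }
        dest="$qroot$f"
        mkdir -p "$(dirname "$dest")" && mv -- "$f" "$dest" && echo "$dest"
    done
}

# Build a constructed scan log plus matching files in a temp dir, quarantine
# the hits, and print the temp dir so the result can be inspected.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/data/cu" "$t/data/odd dir" "$t/q"
    printf 'x' > "$t/data/cu/bot.zip"          # will be reported FOUND
    printf 'x' > "$t/data/odd dir/a:b.txt"     # space and colon in path
    printf 'x' > "$t/data/cu/clean.txt"        # reported OK, must stay
    cat > "$t/scan.log" <<EOF
$t/data/cu/bot.zip: Win.Trojan.IRCBot-785 FOUND
$t/data/odd dir/a:b.txt: Dos.Trojan.Munga-4 FOUND
$t/data/cu/clean.txt: OK
EOF
    quarantine_found "$t/scan.log" "$t/q" >/dev/null
    echo "$t"
}
```

Run quarantine_found against the real log with a quarantine root such as /data/quarantine once the list has been approved; the files keep their original paths underneath it, so moving them back is a single mv per file.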


Statement: This article is reproduced from mryunwei.com. If there is any infringement, please contact admin@php.cn for deletion.