rkhunter found 6 possible rootkits, and how to remove them

Hi, I am installing rkhunter for the first time, and when I ran rkhunter -c the result was 6 possible rootkits. I wonder whether these rootkits are dangerous and how to remove them. PS: my computer dual-boots Linux and Windows.

If the full log file needs to be uploaded, tell me.

[18:08:13] Info: Starting test name 'trojans'
[18:08:13] Performing trojan specific checks
[18:08:13]   Checking for enabled inetd services             [ Skipped ]
[18:08:13] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[18:08:13]   Checking for enabled xinetd services            [ Skipped ]
[18:08:13] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[18:08:13]   Checking for Apache backdoor                    [ Skipped ]
[18:08:13] Info: Check skipped - no Apache module or configuration directories found.
[18:08:13]
[18:08:13] Info: Starting test name 'os_specific'
[18:08:13]   Performing Linux specific checks
[18:08:13]     Checking loaded kernel modules                [ OK ]
[18:08:13]     Checking kernel module names                  [ OK ]
[18:12:48]
[18:12:51]   Checking for promiscuous interfaces             [ None found ]
[18:12:51]
[18:12:51] Info: Test 'packet_cap_apps' disabled at users request.
[18:12:51]
[18:12:51] Info: Starting test name 'local_host'
[18:12:51] Checking the local host...
[18:12:51]
[18:12:51] Info: Starting test name 'startup_files'
[18:12:51] Performing system boot checks
[18:12:51]   Checking for local host name                    [ Found ]
[18:12:51]
[18:12:51] Info: Starting test name 'startup_malware'
[18:12:51]   Checking for system startup files               [ Found ]
[18:12:54]   Checking system startup files for malware       [ None found ]
[18:12:54]
[18:12:54] Info: Starting test name 'group_accounts'
[18:12:54] Performing group and account checks
[18:12:54]   Checking for passwd file                        [ Found ]
[18:12:54] Info: Found password file: /etc/passwd
[18:12:54]   Checking for root equivalent (UID 0) accounts   [ None found ]
[18:12:54] Info: Found shadow file: /etc/shadow
[18:12:54]   Checking for passwordless accounts              [ None found ]
[18:12:54]
[18:12:54] Info: Starting test name 'passwd_changes'
[18:12:54]   Checking for passwd file changes                [ None found ]
[18:12:54]
[18:12:54] Info: Starting test name 'group_changes'
[18:12:54]   Checking for group file changes                 [ None found ]
[18:12:54]   Checking root account shell history files       [ OK ]
[18:12:54]
[18:12:54] Info: Starting test name 'system_configs'
[18:12:54] Performing system configuration file checks
[18:12:54]
[18:12:54] Info: Starting test name 'system_configs_ssh'
[18:12:54]   Checking for an SSH configuration file          [ Not found ]
[18:12:54]
[18:12:54] Info: Starting test name 'system_configs_syslog'
[18:12:54]   Checking for a running system logging daemon    [ Found ]
[18:12:54] Info: A running 'rsyslog' daemon has been found.
[18:12:54] Info: A running 'systemd-journald' daemon has been found.
[18:12:54] Info: Found an rsyslog configuration file: /etc/rsyslog.conf
[18:12:54] Info: Found a systemd configuration file: /etc/systemd/journald.conf
[18:12:54]   Checking for a system logging configuration file [ Found ]
[18:12:54]   Checking if syslog remote logging is allowed    [ Not allowed ]
[18:12:54]
[18:12:54] Info: Starting test name 'filesystem'
[18:12:54] Performing filesystem checks
[18:12:54] Info: SCAN_MODE_DEV set to 'THOROUGH'
[18:12:58]   Checking /dev for suspicious file types         [ Warning ]
[18:12:58] Warning: Suspicious file types found in /dev:
[18:12:58]          /dev/shm/sem.CiscoAcNamedEventOpenDNS: data
[18:12:58]          /dev/shm/sem.CiscoAcNamedEventNVM: data
[18:12:58]          /dev/shm/sem.CiscoAcMemoryLock: data
[18:12:58]          /dev/shm/tmp: data
[18:12:58]          /dev/shm/PostgreSQL.1878213102: data
[18:12:58]   Checking for hidden files and directories       [ Warning ]
[18:12:58] Warning: Hidden directory found: /etc/.java
[18:12:58]   Checking for missing log files                  [ Skipped ]
[18:12:58] Info: No missing log file names configured.
[18:12:58]   Checking for empty log files                    [ Skipped ]
[18:12:58] Info: No empty log file names configured.
[18:13:20] Info: Test 'apps' disabled at users request.
[18:13:20] System checks summary
[18:13:20] =====================
[18:13:20] File properties checks...
[18:13:20] Files checked: 145
[18:13:20] Suspect files: 1
[18:13:20] Rootkit checks...
[18:13:20] Rootkits checked : 480
[18:13:20] Possible rootkits: 7
[18:13:20] Applications checks...
[18:13:20] All checks skipped
1
asked 9 November 2018 at 20:02

1 answer

These are probably not rootkits, just files rkhunter does not recognise, i.e. false positives. To be safe, you can remove what you are not using.

In the case of the cisco files:

/dev/shm/sem.CiscoAcNamedEventOpenDNS: data
/dev/shm/sem.CiscoAcNamedEventNVM: data
/dev/shm/sem.CiscoAcMemoryLock: data

these look like files used by a previous cisco anyconnect installation.

Check whether any instance is running, for example:

ps -ef|grep vpn

You may see a running process:

root        5968       1  0 ago14 ?        00:00:00  /opt/cisco/anyconnect/bin/vpnagentd

It can be removed by running:

/opt/cisco/vpn/bin/vpn_uninstall.sh
/opt/cisco/anyconnect/bin/vpn_uninstall.sh
/opt/cisco/anyconnect/bin/anyconnect_uninstall.sh
2
answered 15 August 2020 at 15:00
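A triage helper for the two warnings in the log above, added here as an example; it is not code from the thread, from Cisco, or from rkhunter itself. It pulls the "Warning:" paths out of an rkhunter log, reports for each path who owns it, which package ships it and which live process holds it open (using stat, dpkg -S and fuser where they exist), and prints the ALLOWDEVFILE / ALLOWHIDDENDIR / ALLOWHIDDENFILE lines that would silence the warning in /etc/rkhunter.conf once you have confirmed the object is benign. This goes one step beyond the answer: instead of uninstalling AnyConnect, it shows how to decide which warnings are worth whitelisting. The function names are my own, and the sample log embedded at the bottom is constructed from the question's output so the script runs without a real /var/log/rkhunter.log.

```bash
#!/usr/bin/env bash
# Triage of rkhunter "Suspicious file types found in /dev" and "Hidden
# directory/file found" warnings.  Added example, not code from the thread.
#
#   rkhunter_triage [/var/log/rkhunter.log]   # inspect every flagged path
#   suggest_allow_lines < rkhunter.log        # print rkhunter.conf whitelist lines
#
# Only add an ALLOW* line after inspect_path has shown which process (or
# which package) the object belongs to.

# Extract the flagged paths from a log read on stdin.  Prints one
# "<kind> <path>" pair per line; kind is dev, hidden or hiddenfile.
flagged_paths() {
  awk '
    /Warning: Suspicious file types found in \/dev:/ { in_dev = 1; next }
    in_dev && $2 ~ /^\/dev\//  { sub(/:.*$/, "", $2); print "dev " $2; next }
    in_dev                     { in_dev = 0 }
    /Warning: Hidden directory found:/ { print "hidden " $NF }
    /Warning: Hidden file found:/ {
      s = $0; sub(/.*Hidden file found: /, "", s); sub(/: .*$/, "", s)
      print "hiddenfile " s
    }
  '
}

# Map each flagged path to the rkhunter.conf directive that whitelists it.
# ALLOWDEVFILE, ALLOWHIDDENDIR and ALLOWHIDDENFILE are real rkhunter.conf
# options; this function only does the mapping.
suggest_allow_lines() {
  flagged_paths | while read -r kind path; do
    case "$kind" in
      dev)        printf 'ALLOWDEVFILE=%s\n' "$path" ;;
      hidden)     printf 'ALLOWHIDDENDIR=%s\n' "$path" ;;
      hiddenfile) printf 'ALLOWHIDDENFILE=%s\n' "$path" ;;
    esac
  done
}

# Show who owns a flagged path: owner/mode/ctime, the package that ships it
# (if any) and the live process holding it open.  A /dev/shm object with no
# holder is a leftover from a program that has exited; a root-owned file with
# a ctime you cannot explain deserves a closer look before whitelisting.
inspect_path() {
  path=$1
  printf '== %s\n' "$path"
  if [ ! -e "$path" ]; then
    printf '   no longer present\n'
    return 0
  fi
  stat -c '   owner=%U mode=%a changed=%z' "$path" 2>/dev/null || ls -ld "$path"
  if command -v dpkg >/dev/null 2>&1; then
    if pkg=$(dpkg -S "$path" 2>/dev/null); then
      printf '   %s\n' "$pkg"
    else
      printf '   not shipped by any dpkg package\n'
    fi
  fi
  if command -v fuser >/dev/null 2>&1; then
    # fuser -v reports on stderr and exits non-zero when nothing holds the file.
    if out=$(fuser -v "$path" 2>&1); then
      printf '%s\n' "$out" | sed 's/^/   /'
    else
      printf '   no process holds it open\n'
    fi
  fi
}

rkhunter_triage() {
  flagged_paths < "${1:-/var/log/rkhunter.log}" | while read -r _ path; do
    inspect_path "$path"
  done
}

# Constructed sample: the warning block from the log in the question, so the
# script can run without a real rkhunter.log.
SAMPLE_LOG='[18:12:58] Warning: Suspicious file types found in /dev:
[18:12:58]          /dev/shm/sem.CiscoAcMemoryLock: data
[18:12:58]          /dev/shm/PostgreSQL.1878213102: data
[18:12:58]   Checking for hidden files and directories       [ Warning ]
[18:12:58] Warning: Hidden directory found: /etc/.java'

printf '%s\n' "$SAMPLE_LOG" | suggest_allow_lines
```

On a real machine run `rkhunter_triage /var/log/rkhunter.log` and read the ownership and holder lines before copying any ALLOW* directive into /etc/rkhunter.conf. The semaphores and shared-memory segments under /dev/shm are recreated by whichever program owns them (AnyConnect's vpnagentd, PostgreSQL) every time it starts, so deleting them by hand only helps until the next start; the two durable fixes are whitelisting them in rkhunter.conf or removing the program, as the answer suggests. Treat the summary's "Possible rootkits" figure as the number of warnings to investigate rather than confirmed infections, check the edited configuration with `rkhunter -C` and re-run `rkhunter -c` afterwards.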
