如何從Linux服務器掃描並刪除惡意軟件

首先檢查異常網絡連接、未知進程、可疑用戶或計劃任務、系統文件修改及日誌異常；2. 安裝並運行ClamAV掃描惡意軟件，使用rkhunter和chkrootkit檢測rootkit；3. 對可疑文件使用file、strings、stat等命令分析，並通過VirusTotal核驗，檢查進程的文件和端口占用；4. 終止惡意進程，刪除惡意文件和計劃任務，更新系統，修改密碼，關閉不必要的服務和端口，啟用自動更新，配置SSH密鑰登錄並部署fail2ban；5. 若係統嚴重感染，尤其是發現rootkit，應備份已掃描的必要數據後重裝系統以確保徹底清除威脅。

If you suspect your Linux server has been compromised or is running malicious software, acting quickly is essential. Unlike desktop systems, Linux servers often run critical services, making malware detection and removal a high-priority task. Here's how to scan for and remove malware effectively.

1. Check for Signs of Compromise

Before running scans, look for common indicators of malware or unauthorized access:

• Unusual network activity : Use netstat -tulnp or ss -tulnp to list active connections and identify suspicious outbound connections.
• Unknown processes : Run ps auxf or top to review running processes. Look for unfamiliar or obfuscated names.
• Unexpected users or cron jobs : Check /etc/passwd for unknown users and review cron jobs with crontab -l and ls /etc/cron.* .
• Modified system binaries : Tools like rkhunter and chkrootkit can detect replaced binaries (eg, ls , ps ) used by rootkits.
• Log anomalies : Review /var/log/auth.log (or /var/log/secure on RHEL) for failed login attempts or unexpected root logins.

2. Install and Run Malware Scanning Tools

Use trusted open-source tools to scan your system. Install them from official repositories.

ClamAV – General Malware Scanner

ClamAV is widely used for detecting malware, trojans, and phishing content.

 # Install ClamAV
sudo apt update && sudo apt install clamav clamav-daemon -y # Debian/Ubuntu
sudo yum install epel-release && sudo yum install clamav # RHEL/CentOS

# Update virus definitions
sudo freshclam

# Scan the entire system (exclude /proc, /sys, /dev to avoid errors)
sudo clamscan -r --exclude-dir=^/proc --exclude_dir=^/sys --exclude_dir=^/dev /

# To remove infected files automatically (use with caution)
sudo clamscan -r --remove --exclude_dir=^/proc --exclude_dir=^/sys --exclude_dir=^/dev /

Note: ClamAV is more effective for Windows malware on file servers, but can still catch known Linux threats.

rkhunter – Rootkit Detection

Rootkits hide deep in the system. rkhunter checks for known rootkit signatures and system anomalies.

 # Install
sudo apt install rkhunter # Debian/Ubuntu
sudo yum install rkhunter # RHEL/CentOS

# Update and run test
sudo rkhunter --update
sudo rkhunter --check

# Review the log at /var/log/rkhunter.log

chkrootkit – Lightweight Rootkit Scanner

Another tool for detecting rootkits.

 # Install and run
sudo apt install chkrootkit
sudo chkrootkit

3. Analyze Suspicious Files and Processes

If a scan or manual check finds something suspicious:

• Identify the file : Use file /path/to/suspicious to see what type it is.
• Check hash against known malware : Upload suspicious files (if safe) to VirusTotal or use clamscan on them.
• Inspect with strings : Run strings /path/to/file | head -20 to see readable text—can reveal C2 servers or commands.
• Check file origin : Use stat and ls -la to see creation/modification times and ownership.
• Search for related files : Use find / -name "*suspicious_pattern*" 2>/dev/null .

If a process is suspicious:

• Use lsof -p <PID> to see what files and ports it's using.
• Use ps aux | grep <PID> to see command line arguments.

4. Remove Malware and Harden the System

Once malware is identified:

• Kill malicious processes :

   sudo kill -9 <PID>

• Delete malicious files :

   sudo rm -f /path/to/malware

• Remove malicious cron jobs or startup entries :
  • Edit crontab -e or check /etc/cron.d/
  • Check /etc/rc.local , systemd services ( systemctl list-unit-files ), and init scripts.

Then, take steps to prevent reinfection:

• Update the system :

   sudo apt upgrade && sudo apt autoremove # Debian/Ubuntu
  sudo yum update # RHEL/CentOS

• Change passwords for root and user accounts.
• Disable unused services and close unnecessary firewall ports.
• Enable automatic security updates where possible.
• Use SSH key authentication and disable root login over SSH.
• Install fail2ban to block brute-force attempts.

---

5. Consider Rebuilding (Best Practice for Severe Infections)

If you're unsure whether the system is clean—especially if a rootkit was detected—the safest option is to:

• Back up only essential data (after scanning it).
• Reinstall the OS from scratch.
• Restore services and data with caution.

A compromised system may have hidden backdoors that scanners miss.

---

Scanning and cleaning a Linux server takes care and verification. Use multiple tools, validate findings, and prioritize security hardening. When in doubt, rebuild.

以上是如何從Linux服務器掃描並刪除惡意軟件的詳細內容。更多資訊請關注PHP中文網其他相關文章！