ClamAV没有正常运行。可修复并扫描系统
1. 修复ClamAV问题
# 停止ClamAV服务systemctl stop clamav-freshclamsystemctl stop clamav-daemon
# 检查是否有锁定文件ls -la /var/log/clamav/freshclam.logps aux | grep freshclampkill -9 freshclam
# 删除锁定文件并重新配置rm -f /var/log/clamav/freshclam.logrm -f /var/lib/clamav/freshclam.dat
# 创建必要的目录和权限mkdir -p /var/log/clamav /var/lib/clamavchown -R clamav:clamav /var/log/clamav /var/lib/clamavchmod 755 /var/log/clamav /var/lib/clamav
# 更新数据库freshclam --verbose
# 如果上述失败,手动下载病毒库cd /var/lib/clamavrm -f *wget https://database.clamav.net/main.cvdwget https://database.clamav.net/daily.cvdwget https://database.clamav.net/bytecode.cvd
# 启动服务systemctl start clamav-freshclamsystemctl start clamav-daemon
2. 快速木马检测(不依赖ClamAV)
方法1:使用LMD(Linux Malware Detect)
# 安装LMDcd /tmpwget https://www.rfxn.com/downloads/maldetect-current.tar.gztar -xzf maldetect-current.tar.gzcd maldetect-*./install.sh
# 更新特征库maldet --update
# 扫描Joomla目录maldet -a /var/www/html
方法2:手动查找常用后门模式
#!/bin/bashecho "=== 手动扫描Joomla恶意代码 ==="
# 查找编码后的恶意代码echo "1. 查找base64编码内容:"find /var/www/html -name "*.php" -type f -exec grep -l "base64_decode" {} \; | head -20
echo -e "\n2. 查找eval函数:"find /var/www/html -name "*.php" -type f -exec grep -l "eval(" {} \; | head -20
echo -e "\n3. 查找异常函数调用:"find /var/www/html -name "*.php" -type f -exec grep -l "system\|exec\|shell_exec\|passthru\|popen\|proc_open" {} \; | head -20
echo -e "\n4. 查找邮件相关函数:"find /var/www/html -name "*.php" -type f -exec grep -l "mail\|fsockopen\|curl_exec" {} \; | head -20
echo -e "\n5. 查找最近修改的文件:"find /var/www/html -name "*.php" -type f -mtime -7 -ls | head -20
echo -e "\n6. 查找异常文件大小:"find /var/www/html -name "*.php" -type f -size +100k -ls | head -10
3. 使用专门的安全工具
安装和使用Wordfence CLI(也支持Joomla检测):
# 安装Wordfence CLIwget https://github.com/wordfence/wordfence-cli/releases/download/v1.0.15/wordfence-cli_1.0.15_linux_amd64.tar.gztar -xzf wordfence-cli_1.0.15_linux_amd64.tar.gzcd wordfence-cli_1.0.15_linux_amd64
# 扫描Joomla./wordfence scan --path /var/www/html --output-format json
使用PHP恶意代码扫描器:
# 创建PHP恶意代码扫描脚本cat > /tmp/scan_php_malware.php << 'EOF'<?php$suspicious_patterns = ['/eval\s*\(\s*base64_decode\s*\(\s*["\']/i','/\@?\$[a-z0-9_]+\s*\(\s*["\']/i','/preg_replace\s*\(\s*["\']\/[^\/]+\/[eimsu]*["\']/i','/assert\s*\(\s*["\']/i','/create_function\s*\(\s*["\']/i','/\$\w+\s*\(\s*\$\w+\s*\)/i','/[\s{](system|shell_exec|exec|passthru|popen|proc_open)\s*\(/i','/\$(?:GET|POST|REQUEST|COOKIE|SESSION|SERVER)\[/i',];
function scan_directory($dir) {global $suspicious_patterns;$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));$suspicious_files = [];foreach ($iterator as $file) {if ($file->isFile() && preg_match('/\.php$/i', $file->getFilename())) {$content = @file_get_contents($file->getPathname());if ($content) {foreach ($suspicious_patterns as $pattern) {if (preg_match($pattern, $content)) {$suspicious_files[] = $file->getPathname();break;}}}}}return $suspicious_files;}
if (isset($argv[1])) {$dir = $argv[1];if (is_dir($dir)) {$files = scan_directory($dir);echo "找到可疑文件:\n";foreach ($files as $file) {echo "$file\n";}}}EOF
# 运行扫描php /tmp/scan_php_malware.php /var/www/html
4. 检查常见Joomla后门位置
#!/bin/bashecho "=== 检查Joomla特定后门位置 ==="
# 1. 检查/templates目录中的异常文件echo "检查模板文件:"find /var/www/html/templates -name "*.php" -exec grep -l "eval\|base64\|gzinflate" {} \;
# 2. 检查/modules目录echo -e "\n检查模块文件:"find /var/www/html/modules -name "*.php" -size +50k
# 3. 检查/components目录echo -e "\n检查组件文件:"find /var/www/html/components -name "*.php" -exec grep -l "\$_REQUEST\|\$_GET" {} \; | head -10
# 4. 检查/plugins目录echo -e "\n检查插件文件:"find /var/www/html/plugins -name "*.php" -mtime -30
# 5. 检查根目录下的异常文件echo -e "\n检查根目录异常文件:"ls -la /var/www/html/*.php 2>/dev/nullls -la /var/www/html/.*.php 2>/dev/null
# 6. 检查.htaccess文件echo -e "\n检查.htaccess文件:"if [ -f /var/www/html/.htaccess ]; thengrep -E "RewriteRule.*php|SetHandler|AddHandler" /var/www/html/.htaccessfi
5. 立即停止恶意邮件发送
# 停止exim4服务systemctl stop exim4
# 或禁用服务systemctl disable exim4
# 阻止所有对外发信(临时)iptables -A OUTPUT -p tcp --dport 25 -j DROPiptables -A OUTPUT -p tcp --dport 465 -j DROPiptables -A OUTPUT -p tcp --dport 587 -j DROP
6. 检查运行中的恶意进程
# 查看所有PHP进程ps aux | grep php
# 查看内存占用高的进程top -b -n 1 | head -20
# 查看网络连接netstat -tunap | grep -E "(php|exim|mail)"
# 检查cron任务中是否有恶意脚本crontab -lls -la /etc/cron*
7. 创建隔离和清理脚本
#!/bin/bash# 创建隔离目录QUARANTINE="/tmp/quarantine_$(date +%Y%m%d_%H%M%S)"mkdir -p $QUARANTINE
# 定义可疑文件列表SUSPICIOUS_FILES=()
# 查找并隔离可疑文件echo "开始隔离可疑文件..."
# 1. 隔离包含base64_decode的文件find /var/www/html -name "*.php" -type f -exec grep -l "base64_decode.*@eval\|eval.*base64_decode" {} \; | while read file; doecho "隔离: $file"cp "$file" "$QUARANTINE/"# 可选:清空文件内容但保留文件echo "" > "$file"done
# 2. 隔离最近创建的可执行文件find /var/www/html -name "*.php" -type f -mtime -1 | while read file; doecho "隔离最近修改: $file"cp "$file" "$QUARANTINE/"done
# 3. 检查文件权限并修复find /var/www/html -type f -name "*.php" -perm /022 -exec chmod 644 {} \;
echo "隔离完成,文件保存在: $QUARANTINE"echo "隔离文件列表:"ls -la $QUARANTINE/
8. 推荐的综合解决方案
如果上述方法复杂,建议采用以下快速方案:
方案A:使用在线扫描器
# 上传网站到在线扫描器(需要外网)
# 1. Sucuri SiteCheck: https://sitecheck.sucuri.net/
# 2. VirusTotal: https://www.virustotal.com/
# 3. Quttera: https://quttera.com/
方案B:专业清理步骤
tar czf /backup/joomla_infected_$(date +%Y%m%d).tar.gz /var/www/html
下载干净Joomla:
cd /tmp
wget https://downloads.joomla.org/cms/joomla4/latest/Joomla_4.x-Stable-Full_Package.zip
unzip Joomla_4.x-Stable-Full_Package.zip
只替换核心文件:
# 保留配置文件和上传目录
cp /var/www/html/configuration.php /tmp/
cp -r /var/www/html/images /tmp/
# 删除所有文件
rm -rf /var/www/html/*
# 复制干净文件
cp -r /tmp/joomla/* /var/www/html/
# 恢复配置和上传文件
cp /tmp/configuration.php /var/www/html/
cp -r /tmp/images /var/www/html/
更新所有扩展:
# 手动更新所有第三方扩展
方案C:使用安全插件
安装Joomla安全扩展:
- 登录Joomla后台
- 进入扩展管理
- 搜索并安装:
- Akeeba Admin Tools
- RSFirewall
- JHackGuard
立即执行的命令(按顺序执行):
# 1. 立即停止邮件发送systemctl stop exim4iptables -A OUTPUT -p tcp --dport 25 -j DROP
# 2. 备份当前状态tar czf /root/joomla_backup_emergency_$(date +%Y%m%d_%H%M%S).tar.gz /var/www/html
# 3. 快速扫描恶意文件find /var/www/html -name "*.php" -type f -exec grep -l "base64_decode.*eval\|mail.*fsockopen" {} \; | head -20
# 4. 检查运行进程ps aux | grep -E "php|mail|exim" | grep -v grep
# 5. 检查数据库用户mysql -u root -p -e "USE joomla_db; SELECT id, username, email FROM #__users ORDER BY registerDate DESC LIMIT 10;"