How to identify the virus or process
I noticed that my PC (a Catalina iMac) was accessing my router (default gateway) without authorization.
I am investigating this because we have several Mac PCs showing the same behaviour.
I want to identify the virus or process that causes this unauthorized access and remove it.
We scanned our PCs with Virus Buster and Avast Antivirus, but no virus was detected...
For the investigation, I took a tcpdump log on my PC.
I confirmed the packets accessing the router.
A few minutes after booting the PC, the following suspicious behaviour was observed.
- Many DNS queries I don't recognize.
I don't remember visiting them.
myspace.com, qq.com, baidu.com, weebly.com, mail.ru, odnoklassniki.ru, aol.com, ebay.com, alibaba.com etc.
- Lots of access to various ports.
21, 22, 23, 53, 81, 111, 135, 139, 192, 427, 443, 445, 515, 548, 554, 631, 873, 1433, 1688, 1801, 1900, 1980, 1990, 2105, 2323, 2869, 3000, 3283, 3306, 3389, 3910, 4070, 4071, 5000, 5001, 5040, 5060, 5094, 5357, 5431, 5555, 5800, 5900, 5916, 5985, 6668, 7547, 7676, 7680, 7777, 8000, 8001, 8002, 8008, 8009, 8080, 8081, 8082, 8089, 8090, 8099, 8181, 8182, 8291, 8443, 8728, 8888, 9080, 9100, 9101, 9112, 9220, 9295, 9999, 10001, 10243, 12323, 15500, 16992, 16993, 17500, 18181, 20005, 30005, 30102, 37215, 37777, 41800, 41941, 44401, 47001, 47546, 49000, 49152, 49153, 49200, 49443, 49667, 52869, 52881, 53048, 55442, 55443, 57621, 59777, 60000, 62078
- Lots of http and https accesses
GET / HTTP/1.1
GET /admin HTTP/1.1
GET /AvastUniqueURL HTTP/1.1
GET /cgi-bin/a2/out.cgi HTTP/1.1
GET /cgi-bin/ajaxmail HTTP/1.1
GET /cgi-bin/arr/index.shtml HTTP/1.1
GET /cgi-bin/at3/out.cgi HTTP/1.1
GET /cgi-bin/atc/out.cgi HTTP/1.1
GET /cgi-bin/atx/out.cgi HTTP/1.1
GET /cgi-bin/auth HTTP/1.1
GET /cgi-bin/bbs/postlist.pl HTTP/1.1
GET /cgi-bin/bbs/postshow.pl HTTP/1.1
GET /cgi-bin/bp_revision.cgi HTTP/1.1
GET /cgi-bin/br5.cgi HTTP/1.1
GET /cgi-bin/click.cgi HTTP/1.1
GET /cgi-bin/clicks.cgi HTTP/1.1
GET /cgi-bin/crtr/out.cgi HTTP/1.1
GET /cgi-bin/fg.cgi HTTP/1.1
GET /cgi-bin/findweather/getForecast HTTP/1.1
GET /cgi-bin/findweather/hdfForecast HTTP/1.1
GET /cgi-bin/frame_html HTTP/1.1
GET /cgi-bin/getattach HTTP/1.1
GET /cgi-bin/hotspotlogin.cgi HTTP/1.1
GET /cgi-bin/hslogin.cgi HTTP/1.1
GET /cgi-bin/ib/301_start.pl HTTP/1.1
GET /cgi-bin/index HTTP/1.1
GET /cgi-bin/index.cgi HTTP/1.1
GET /cgi-bin/krcgi HTTP/1.1
GET /cgi-bin/krcgistart HTTP/1.1
GET /cgi-bin/link HTTP/1.1
GET /cgi-bin/login HTTP/1.1
GET /cgi-bin/login.cgi HTTP/1.1
GET /cgi-bin/logout HTTP/1.1
GET /cgi-bin/mainmenu.cgi HTTP/1.1
GET /cgi-bin/mainsrch HTTP/1.1
GET /cgi-bin/msglist HTTP/1.1
GET /cgi-bin/navega HTTP/1.1
GET /cgi-bin/openwebmail/openwebmail-main.pl HTTP/1.1
GET /cgi-bin/out.cgi HTTP/1.1
GET /cgi-bin/passremind HTTP/1.1
GET /cgi-bin/rbaccess/rbcgi3m01 HTTP/1.1
GET /cgi-bin/rbaccess/rbunxcgi HTTP/1.1
GET /cgi-bin/readmsg HTTP/1.1
GET /cgi-bin/rshop.pl HTTP/1.1
GET /cgi-bin/search.cgi HTTP/1.1
GET /cgi-bin/spcnweb HTTP/1.1
GET /cgi-bin/sse.dll HTTP/1.1
GET /cgi-bin/start HTTP/1.1
GET /cgi-bin/te/o.cgi HTTP/1.1
GET /cgi-bin/tjcgi1 HTTP/1.1
GET /cgi-bin/top/out HTTP/1.1
GET /cgi-bin/traffic/process.fcgi HTTP/1.1
GET /cgi-bin/verify.cgi HTTP/1.1
GET /cgi-bin/webproc HTTP/1.1
GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page=* HTTP/1.1
GET /cgi-bin/webproc?getpage=/etc/shadow HTTP/1.1
GET /cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard HTTP/1.1
GET /cgi-bin/webscr HTTP/1.1
GET /cgi-bin/wingame.pl HTTP/1.1
GET /das/cgi-bin/session.cgi HTTP/1.1
GET /dd.xml HTTP/1.1
GET /fcgi-bin/dispatch.fcgi HTTP/1.1
GET /fcgi-bin/performance.fcgi HTTP/1.1
GET /Frontend HTTP/1.1
GET /HNAP1/ HTTP/1.1
GET /L3F.xml HTTP/1.1
GET /login.html HTTP/1.1
GET /menu.html?images/ HTTP/1.1
GET /picsdesc.xml HTTP/1.1
GET /redir/cgi-bin/ajaxmail HTTP/1.1
GET /rom-0 HTTP/1.1
GET /rootDesc.xml HTTP/1.1
GET /ssdp/device-desc.xml HTTP/1.1
GET /upnp/dev/a266dba0-8baa-3406-a010-2db481ceabf3/desc HTTP/1.1
GET /WANCfg.xml HTTP/1.1
GET /WANIPCn.xml HTTP/1.1
GET /WANIPCn.xml HTTP/1.1
POST /ctl/CmnIfCfg HTTP/1.1
POST /ctl/IPConn HTTP/1.1
POST /uuid:0cd2a2e0-68c2-a366-b2f1-8d93ddce634b/WANIPConnection:1 HTTP/1.1
It would help if you have any information about viruses etc. that behave in this way.
Also, if you need any other information to identify it, please reply to me.
After a lot of research, I found that this is caused by the Wi-Fi Inspector feature of Avast Antivirus!
The tcpdump log pattern when clicking the Wi-Fi Inspector button is almost the same.
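As an added example (not the poster's code), the Python below groups constructed tcpdump-style lines by source host and separates a Wi-Fi Inspector run, recognizable by the /AvastUniqueURL request seen in the log above, from an unexplained port sweep or router admin-page probing that still needs follow-up. The gateway address, the thresholds and the sample packets are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -nn` output, not the poster's capture:
# .20 sweeps the gateway's ports, .40 probes router admin pages, .30 loads one page.
SAMPLE = """\
12:00:01.000 IP 192.168.1.20.50001 > 192.168.1.1.21: Flags [S], seq 1, win 65535, length 0
12:00:01.001 IP 192.168.1.20.50002 > 192.168.1.1.22: Flags [S], seq 1, win 65535, length 0
12:00:01.002 IP 192.168.1.20.50003 > 192.168.1.1.23: Flags [S], seq 1, win 65535, length 0
12:00:01.003 IP 192.168.1.20.50004 > 192.168.1.1.445: Flags [S], seq 1, win 65535, length 0
12:00:02.000 IP 192.168.1.20.50005 > 192.168.1.1.80: Flags [P.], length 60: HTTP: GET /AvastUniqueURL HTTP/1.1
12:00:02.010 IP 192.168.1.20.50006 > 192.168.1.1.80: Flags [P.], length 48: HTTP: GET /HNAP1/ HTTP/1.1
12:00:05.000 IP 192.168.1.30.40001 > 192.168.1.1.80: Flags [P.], length 52: HTTP: GET /login.html HTTP/1.1
12:00:09.000 IP 192.168.1.40.41001 > 192.168.1.1.80: Flags [P.], length 47: HTTP: GET /admin HTTP/1.1
12:00:09.010 IP 192.168.1.40.41002 > 192.168.1.1.80: Flags [P.], length 48: HTTP: GET /HNAP1/ HTTP/1.1
12:00:09.020 IP 192.168.1.40.41003 > 192.168.1.1.80: Flags [P.], length 47: HTTP: GET /rom-0 HTTP/1.1
"""

LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
HTTP_RE = re.compile(r"HTTP: (?:GET|POST) (\S+) HTTP/1\.[01]")
# Router management paths taken from the poster's list; a burst of these at the gateway
# is what both a LAN-scanner feature and router-targeting malware look like in a capture.
ROUTER_PATHS = {"/admin", "/HNAP1/", "/rom-0", "/rootDesc.xml", "/login.html", "/cgi-bin/login.cgi"}
AVAST_MARKER = "/AvastUniqueURL"  # the marker request visible in the poster's log

def summarize(capture, gateway):
    """Group packets sent to the gateway by source host: distinct dst ports and HTTP paths."""
    hosts = defaultdict(lambda: {"ports": set(), "paths": []})
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(3) != gateway:
            continue
        hosts[m.group(1)]["ports"].add(int(m.group(4)))
        h = HTTP_RE.search(line)
        if h:
            hosts[m.group(1)]["paths"].append(h.group(1))
    return dict(hosts)

def classify(capture, gateway, min_ports=5, min_admin=3):
    """Return {src: verdict}; the Avast marker attributes a scan to Wi-Fi Inspector."""
    verdicts = {}
    for src, info in summarize(capture, gateway).items():
        admin_hits = sum(p in ROUTER_PATHS for p in info["paths"])
        if AVAST_MARKER in info["paths"]:
            verdicts[src] = "avast-wifi-inspector"
        elif len(info["ports"]) >= min_ports or admin_hits >= min_admin:
            verdicts[src] = "scan-investigate"
        else:
            verdicts[src] = "normal"
    return verdicts
```

Run it against a real `tcpdump -nn -A` text dump of the gateway-bound traffic; a host that trips the sweep or admin-page rule without the marker is the one to pull process-level evidence from.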