I ran rkhunter tonight and got this result:
[04:17:34] System checks summary
[04:17:34] =====================
[04:17:34]
[04:17:34] File properties checks...
[04:17:34] Files checked: 133
[04:17:34] Suspect files: 16
[04:17:34]
[04:17:34] Rootkit checks...
[04:17:34] Rootkits checked : 245
[04:17:34] Possible rootkits: 1
[04:17:34] Rootkit names : Slapper Worm
[04:17:34]
[04:17:34] Applications checks...
[04:17:34] All checks skipped
[04:17:34]
[04:17:34] The system checks took: 2 minutes and 27 seconds
[04:17:34]
[04:17:34] Info: End date is Sat Jul 12 04:17:34 UTC 2014
It reports a possible rootkit, "Slapper", and points at this file:
[04:16:42] Checking for Slapper Worm...
[04:16:42] Checking for file '/tmp/.bugtraq' [ Not found ]
[04:16:42] Checking for file '/tmp/.uubugtraq' [ Not found ]
[04:16:42] Checking for file '/tmp/.bugtraq.c' [ Not found ]
[04:16:42] Checking for file '/tmp/httpd' [ Not found ]
[04:16:42] Checking for file '/tmp/.unlock' [ Not found ]
[04:16:42] Checking for file '/tmp/update' [ Found ]
[04:16:42] Checking for file '/tmp/.cinik' [ Not found ]
[04:16:43] Checking for file '/tmp/.b' [ Not found ]
[04:16:43] Warning: Slapper Worm [ Warning ]
[04:16:43] File '/tmp/update' found
I deleted the file, but it doesn't seem like a big deal? Should I be worried that I have a rootkit? Will deleting this file fix the problem?
Posted on 2014-07-12 08:06:20
In this case I wouldn't worry too much, since it only detected the presence of a single file name, one that could well have been created by something completely unrelated, given how common the word "update" is. The more significant files, such as /tmp/.bugtraq, are missing. Also, Slapper is 12 years old and used a vulnerability that has long since been closed.
If you ran rkhunter because you suspected an infection, you could investigate further, but if this was a routine run, close the matter.
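One way to do the "investigate further" step the answer mentions, as an added example that is not from the question, the answer or rkhunter itself: parse the "Found" lines out of the rkhunter log and record what the flagged file actually is (type, permissions, owner, modification time, SHA-256 and a coarse content class) before it is deleted, so there is evidence left to reason about. The log excerpt follows the format quoted above but is constructed, and the stand-in for /tmp/update is a harmless shell script written to a temporary directory; the function names are my own.

```python
import hashlib
import os
import re
import stat
import tempfile
import time

try:
    import pwd  # Unix only; the owner falls back to the numeric uid elsewhere
except ImportError:  # pragma: no cover
    pwd = None

# Constructed excerpt in the format of the rkhunter log quoted in the question.
SAMPLE_LOG = """\
[04:16:42] Checking for Slapper Worm...
[04:16:42] Checking for file '/tmp/.bugtraq' [ Not found ]
[04:16:42] Checking for file '/tmp/update' [ Found ]
[04:16:42] Checking for file '/tmp/.cinik' [ Not found ]
[04:16:43] Warning: Slapper Worm [ Warning ]
[04:16:43] File '/tmp/update' found
"""

FOUND_RE = re.compile(r"Checking for file '([^']+)' \[ Found \]")


def found_files(log_text):
    """Paths rkhunter reported as present, in log order, without duplicates."""
    found = []
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def classify(head):
    """Coarse content class from the first bytes: enough to separate a
    shell script or plain text from a compiled binary."""
    if head.startswith(b"\x7fELF"):
        return "elf-binary"
    if head.startswith(b"#!"):
        return "script"
    try:
        head.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def owner_name(uid):
    """User name for a uid, or the uid itself if it cannot be resolved."""
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def triage(path):
    """Record what a flagged path is before deciding whether to delete it.
    lstat is used so that a symlink planted in /tmp is reported as a symlink
    rather than as whatever it points to."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        kind = "symlink"
    elif stat.S_ISDIR(st.st_mode):
        kind = "dir"
    elif stat.S_ISREG(st.st_mode):
        kind = "file"
    else:
        kind = "other"
    report = {
        "path": path,
        "kind": kind,
        "size": st.st_size,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "executable": bool(st.st_mode & stat.S_IXUSR),
        "owner": owner_name(st.st_uid),
        "mtime_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
        "age_days": round((time.time() - st.st_mtime) / 86400, 1),
    }
    if kind == "symlink":
        report["target"] = os.readlink(path)
    elif kind == "file":
        h = hashlib.sha256()
        with open(path, "rb") as f:
            head = f.read(64)
            h.update(head)
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        report["sha256"] = h.hexdigest()
        report["content"] = classify(head)
    return report


def demo():
    """Parse the constructed log, then triage a constructed stand-in for
    /tmp/update (a harmless script in a temporary directory)."""
    flagged = found_files(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "update")
        with open(sample, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed sample\n")
        os.chmod(sample, 0o755)
        return flagged, triage(sample)


if __name__ == "__main__":
    flagged, report = demo()
    print("rkhunter found:", flagged)
    for key, value in report.items():
        print(f"  {key}: {value}")
```

On a real host the call would be `triage(p) for p in found_files(open("/var/log/rkhunter.log").read())`, run as root so that files owned by other users can be read. The point of collecting owner, mtime and content class is that a generic name like "update" is resolved by its metadata: a text file a few minutes old owned by the user who was running an upgrade is a different situation from an old ELF binary owned by the web server account, and once the file is deleted that distinction can no longer be made.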
https://serverfault.com/questions/612077