
How to identify a virus or process

I noticed unauthorized access to my router (the default gateway) from my PC (a Catalina iMac).
I am investigating this because we have several Mac PCs showing the same behavior.
I want to identify the virus or process causing this unauthorized access and remove it.

We scanned our PCs with Virus Buster and Avast Antivirus, but they did not detect any virus...

To investigate, I took a tcpdump log on my PC.
I confirmed the packets going to the router.
Within a few minutes of booting the PC, the following suspicious behavior was observed.

  1. Many DNS queries I don't recognize. I don't remember visiting these sites.
myspace.com, qq.com, baidu.com, weebly.com, mail.ru, odnoklassniki.ru, aol.com, ebay.com, alibaba.com, etc.
  2. Access to a wide range of ports.
21,22,23,53,81,111,135,139,192,427,443,445,515,548,554,631,873,1433,1688,1801,1900,1980,1990,2105,2323,2869,3000,3283,3306,3389,3910,4070,4071,5000,5001,5040,5060,5094,5357,5431,5555,5800,5900,5916,5985,6668,7547,7676,7680,7777,8000,8001,8002,8008,8009,8080,8081,8082,8089,8090,8099,8181,8182,8291,8443,8728,8888,9080,9100,9101,9112,9220,9295,9999,10001,10243,12323,15500,16992,16993,17500,18181,20005,30005,30102,37215,37777,41800,41941,44401,47001,47546,49000,49152,49153,49200,49443,49667,52869,52881,53048,55442,55443,57621,59777,60000,62078
  3. A large number of HTTP and HTTPS requests.
GET / HTTP/1.1
GET /admin HTTP/1.1
GET /AvastUniqueURL HTTP/1.1
GET /cgi-bin/a2/out.cgi HTTP/1.1
GET /cgi-bin/ajaxmail HTTP/1.1
GET /cgi-bin/arr/index.shtml HTTP/1.1
GET /cgi-bin/at3/out.cgi HTTP/1.1
GET /cgi-bin/atc/out.cgi HTTP/1.1
GET /cgi-bin/atx/out.cgi HTTP/1.1
GET /cgi-bin/auth HTTP/1.1
GET /cgi-bin/bbs/postlist.pl HTTP/1.1
GET /cgi-bin/bbs/postshow.pl HTTP/1.1
GET /cgi-bin/bp_revision.cgi HTTP/1.1
GET /cgi-bin/br5.cgi HTTP/1.1
GET /cgi-bin/click.cgi HTTP/1.1
GET /cgi-bin/clicks.cgi HTTP/1.1
GET /cgi-bin/crtr/out.cgi HTTP/1.1
GET /cgi-bin/fg.cgi HTTP/1.1
GET /cgi-bin/findweather/getForecast HTTP/1.1
GET /cgi-bin/findweather/hdfForecast HTTP/1.1
GET /cgi-bin/frame_html HTTP/1.1
GET /cgi-bin/getattach HTTP/1.1
GET /cgi-bin/hotspotlogin.cgi HTTP/1.1
GET /cgi-bin/hslogin.cgi HTTP/1.1
GET /cgi-bin/ib/301_start.pl HTTP/1.1
GET /cgi-bin/index HTTP/1.1
GET /cgi-bin/index.cgi HTTP/1.1
GET /cgi-bin/krcgi HTTP/1.1
GET /cgi-bin/krcgistart HTTP/1.1
GET /cgi-bin/link HTTP/1.1
GET /cgi-bin/login HTTP/1.1
GET /cgi-bin/login.cgi HTTP/1.1
GET /cgi-bin/logout HTTP/1.1
GET /cgi-bin/mainmenu.cgi HTTP/1.1
GET /cgi-bin/mainsrch HTTP/1.1
GET /cgi-bin/msglist HTTP/1.1
GET /cgi-bin/navega HTTP/1.1
GET /cgi-bin/openwebmail/openwebmail-main.pl HTTP/1.1
GET /cgi-bin/out.cgi HTTP/1.1
GET /cgi-bin/passremind HTTP/1.1
GET /cgi-bin/rbaccess/rbcgi3m01 HTTP/1.1
GET /cgi-bin/rbaccess/rbunxcgi HTTP/1.1
GET /cgi-bin/readmsg HTTP/1.1
GET /cgi-bin/rshop.pl HTTP/1.1
GET /cgi-bin/search.cgi HTTP/1.1
GET /cgi-bin/spcnweb HTTP/1.1
GET /cgi-bin/sse.dll HTTP/1.1
GET /cgi-bin/start HTTP/1.1
GET /cgi-bin/te/o.cgi HTTP/1.1
GET /cgi-bin/tjcgi1 HTTP/1.1
GET /cgi-bin/top/out HTTP/1.1
GET /cgi-bin/traffic/process.fcgi HTTP/1.1
GET /cgi-bin/verify.cgi HTTP/1.1
GET /cgi-bin/webproc HTTP/1.1
GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page=* HTTP/1.1
GET /cgi-bin/webproc?getpage=/etc/shadow HTTP/1.1
GET /cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard HTTP/1.1
GET /cgi-bin/webscr HTTP/1.1
GET /cgi-bin/wingame.pl HTTP/1.1
GET /das/cgi-bin/session.cgi HTTP/1.1
GET /dd.xml HTTP/1.1
GET /fcgi-bin/dispatch.fcgi HTTP/1.1
GET /fcgi-bin/performance.fcgi HTTP/1.1
GET /Frontend HTTP/1.1
GET /HNAP1/ HTTP/1.1
GET /L3F.xml HTTP/1.1
GET /login.html HTTP/1.1
GET /menu.html?images/ HTTP/1.1
GET /picsdesc.xml HTTP/1.1
GET /redir/cgi-bin/ajaxmail HTTP/1.1
GET /rom-0 HTTP/1.1
GET /rootDesc.xml HTTP/1.1
GET /ssdp/device-desc.xml HTTP/1.1
GET /upnp/dev/a266dba0-8baa-3406-a010-2db481ceabf3/desc HTTP/1.1
GET /WANCfg.xml HTTP/1.1
GET /WANIPCn.xml HTTP/1.1
POST /ctl/CmnIfCfg HTTP/1.1
POST /ctl/IPConn HTTP/1.1
POST /uuid:0cd2a2e0-68c2-a366-b2f1-8d93ddce634b/WANIPConnection:1 HTTP/1.1

If you have any information about a virus that behaves this way, it would be helpful.
Also, if you need any other information to identify it, please reply.

Solution

After a lot of research, I found that this is caused by the Wi-Fi Inspector feature of Avast Antivirus!
The pattern in the tcpdump log when clicking the Wi-Fi Inspector button is almost identical.
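A triage script, added here as an example and not part of the original question or answer, that scores each LAN host in a capture by the two signals discussed above: how many distinct gateway ports it opens in a short window, and how many router-admin/UPnP probe paths it requests. The tcpdump and HTTP lines are constructed samples built from the question's own ports and paths, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n`: SYNs from LAN hosts to the
# gateway, using ports that appear in the question's list above.
SYN_LOG = """\
09:15:02.100 IP 192.168.0.23.51000 > 192.168.0.1.21: Flags [S], length 0
09:15:02.101 IP 192.168.0.23.51001 > 192.168.0.1.22: Flags [S], length 0
09:15:02.102 IP 192.168.0.23.51002 > 192.168.0.1.23: Flags [S], length 0
09:15:02.103 IP 192.168.0.23.51003 > 192.168.0.1.80: Flags [S], length 0
09:15:02.104 IP 192.168.0.23.51004 > 192.168.0.1.443: Flags [S], length 0
09:15:02.105 IP 192.168.0.23.51005 > 192.168.0.1.7547: Flags [S], length 0
09:15:02.106 IP 192.168.0.23.51006 > 192.168.0.1.8080: Flags [S], length 0
09:15:02.107 IP 192.168.0.23.51007 > 192.168.0.1.37215: Flags [S], length 0
09:15:31.000 IP 192.168.0.40.51009 > 192.168.0.1.443: Flags [S], length 0
"""
# Constructed sample of HTTP request lines (as quoted in the question), with
# the requesting host prepended; a real capture needs `tcpdump -A` to see them.
HTTP_LOG = """\
192.168.0.23 GET /cgi-bin/webproc?getpage=/etc/shadow HTTP/1.1
192.168.0.23 GET /HNAP1/ HTTP/1.1
192.168.0.23 GET /rom-0 HTTP/1.1
192.168.0.23 GET /rootDesc.xml HTTP/1.1
192.168.0.40 GET /login.html HTTP/1.1
"""
SYN_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.(\d+): Flags \[S\]")
# Paths that only a router-vulnerability scanner (or an intruder) asks a gateway for.
ADMIN_PROBES = ("/cgi-bin/", "/HNAP1/", "/rom-0", "rootDesc.xml", "/etc/passwd", "/etc/shadow")

def profile_hosts(syn_log, http_log, port_threshold=8, probe_threshold=3):
    """Summarise, per source host, how many distinct gateway ports it opened
    and how many admin/UPnP probe paths it requested; flag scanner-like hosts."""
    ports, probes = defaultdict(set), defaultdict(int)
    for line in syn_log.splitlines():
        m = SYN_RE.search(line)
        if m:
            ports[(m.group(1), m.group(2))].add(int(m.group(3)))
    for line in http_log.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and any(p in parts[2] for p in ADMIN_PROBES):
            probes[parts[0]] += 1
    report = {}
    for (src, dst), pset in ports.items():
        n, hits = len(pset), probes.get(src, 0)
        # Wide port fan-out plus admin-path probes from ONE host within seconds is the
        # fingerprint of a LAN scanner (an AV "Wi-Fi inspector", or real malware).
        report[src] = {"gateway": dst, "distinct_ports": n, "admin_probes": hits,
                       "verdict": "lan-scanner" if n >= port_threshold or hits >= probe_threshold else "normal"}
    return report
```

Once a host is flagged, map the live connections to a process on the Mac itself with `sudo lsof -i -n -P` while the traffic is running; that step, not the packet capture alone, is what ties the scan to a program such as the antivirus.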
