Every server reachable from the Internet, whatever its operating system, is susceptible to malware infection at some point. In this article we show you how to scan your server for malware and how to perform a server audit, so you can be sure that your Linux server is clean.
Options include ClamAV, Lynis, LMD, Rkhunter, Chkrootkit and PHP-Antimalware-Scanner.
ClamAV
One of the most popular tools for detecting malware, viruses, trojans and the like is ClamAV. It is widely integrated into mail servers, but it also works very well for on-demand directory scanning. Moreover, it is open source.
To install ClamAV on Debian/Ubuntu run:
# apt install clamav clamav-freshclam clamav-daemon clamdscan
To install ClamAV on CentOS/Alma Linux run:
# yum install epel-release
# yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Once ClamAV is installed, the first thing to do is to update the virus database signatures with the following command:
# freshclam
You can now run a directory scan. To trigger a detection and confirm that the scanner works, create a test file:
# vi /var/virustest.txt
Add the following content, the standard EICAR antivirus test string (harmless, but recognised by every scanner):
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Then run the following command:
# clamscan -r -i /var/
At the end of the output you will see the infected file reported, followed by the scan summary:
var/virustest.txt: Eicar-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8577355
Engine version: 0.103.2
Scanned directories: 310
Scanned files: 3204
Infected files: 1
Data scanned: 214.73 MB
Data read: 516.17 MB (ratio 0.42:1)
Time: 37.451 sec (0 m 37 s)
Start Date: 2021:11:15 16:53:15
End Date: 2021:11:15 16:53:53
With this you can scan directories and even set up a cron job to do it automatically and send an email with the result.
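As an added example that is not part of the original tutorial, the following wrapper script shows one way to do exactly that: it runs clamscan, reads the "Infected files" figure from the summary shown above, interprets clamscan's exit status and mails the report only when something needs attention. This is our own example code, not ClamAV's; SCAN_DIR, MAIL_TO, LOG_FILE and the presence of a mail command (mailutils or mailx) are assumptions you will need to adjust.

```shell
#!/bin/sh
# Added example (not part of the original article): a wrapper that cron can run
# to scan a directory with clamscan and e-mail the report when attention is needed.
# Assumptions: clamscan is installed as shown above, a "mail" command (mailutils or
# mailx) is available, and the three values below are placeholders to adjust.

SCAN_DIR="${SCAN_DIR:-/var}"
MAIL_TO="${MAIL_TO:-admin@example.invalid}"
LOG_FILE="${LOG_FILE:-/var/log/clamscan-cron.log}"

# Read a clamscan report on stdin and print the number from its "Infected files: N"
# summary line; print 0 when the summary is missing (clamscan aborted early).
infected_count() {
    awk -F': *' '/^Infected files:/ { n = $2 } END { print (n == "" ? 0 : n + 0) }'
}

# Map a clamscan exit status to a verdict: 0 = nothing found, 1 = something found,
# 2 = the scanner itself failed (missing or stale database, unreadable path, ...).
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one directory, append a one-line summary to LOG_FILE and mail the full
# report only when the verdict is not "clean". Returns 0 only for a clean scan.
run_scan() {
    dir="${1:-$SCAN_DIR}"
    report=$(mktemp) || return 2
    rc=0
    # -r recurses into the directory, -i lists only infected files (as in the article)
    clamscan -r -i "$dir" >"$report" 2>&1 || rc=$?
    status=$(classify_exit "$rc")
    hits=$(infected_count <"$report")
    printf '%s clamscan %s: %s (%s infected files)\n' \
        "$(date '+%F %T')" "$dir" "$status" "$hits" >>"$LOG_FILE"
    if [ "$status" != clean ]; then
        mail -s "clamscan $status on $(hostname): $dir ($hits infected)" "$MAIL_TO" <"$report"
    fi
    rm -f "$report"
    [ "$status" = clean ]
}

# Only perform a real scan when called as "clamscan-cron.sh --run [directory]",
# so that sourcing this file for its functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    run_scan "${2:-}"
fi
```

Install the script somewhere such as /usr/local/sbin and add a crontab entry along the lines of 0 3 * * * /usr/local/sbin/clamscan-cron.sh --run /var (an example schedule). Because an "error" verdict is mailed as well, a scanner that silently stops working (for instance because freshclam can no longer update the database) is noticed instead of being mistaken for a clean result.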
Chkrootkit
If you want to scan your server for rootkits, one of the most popular options is Chkrootkit. Among the tasks it performs are scanning system binaries for rootkit modification, checking whether a network interface is in promiscuous mode, checking for lastlog, wtmp and utmp deletions, looking for signs of LKM trojans, and string replacement checks.
What Rootkits, Trojans and LKM can you detect?
There is an extensive list that you can consult on the official website.
To install Chkrootkit on Debian/Ubuntu run the following commands:
# apt update
# apt install chkrootkit
To install Chkrootkit on CentOS/Alma Linux run the following commands:
# dnf config-manager --enable powertools
# dnf install glibc-static
# yum install tar wget gcc-c++ gcc
# cd /usr/local/src
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar -zxvf chkrootkit.tar.gz
# mkdir /usr/local/chkrootkit
# mv /usr/local/src/chkrootkit*/* /usr/local/chkrootkit
# cd /usr/local/chkrootkit
# make sense
To perform a scan on Debian/Ubuntu run the following command:
# chkrootkit
To perform a scan on Centos/Alma Linux run the following command:
# /usr/local/chkrootkit/chkrootkit
Run without arguments, chkrootkit executes all of its checks.
At the end of the process you will have a result similar to the following:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/lib/systemd/systemd-networkd[30273])
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not tested
The eth0 line is an example of a possible infection being flagged. In this case it is a false positive: the interface is configured by DHCP, and the DHCP client in systemd-networkd (the process named in the output) opens a packet socket, which chkrootkit reports as a packet sniffer.
Rkhunter
This tool is very similar to Chkrootkit: it also scans the system for rootkits and other vulnerabilities. Having both installed is a good idea, because false positives do occur and a finding from one tool can be cross-checked with the other.
To install Rkhunter on Debian/Ubuntu run the following commands:
# apt update
# apt install rkhunter
To install Rkhunter on CentOS/Alma Linux run the following commands:
# yum install epel-release
# yum update
# yum install rkhunter
Next, edit the rkhunter configuration by running the following command:
# vi /etc/rkhunter.conf
Edit the following variables to have these values:
MIRRORS_MODE=0
UPDATE_MIRRORS=1
WEB_CMD=""
The next step is to update the signatures:
# rkhunter --update
To perform an analysis, run the following command:
# rkhunter -c
At the end of the process you will have a result similar to the following:
System checks summary
=====================
File properties checks...
Files checked: 142
Suspect files: 0
Rootkit checks...
Rootkits checked : 498
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 1 minute and 50 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
Using this tool together with Chkrootkit gives you a good indication of whether your system is infected by rootkits.
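As an added example (our own code, not part of either tool), here is a script that performs that cross-check: it runs both scanners, filters their output down to the lines that signal a problem, and lists the items flagged by both, which are the ones to look at first. The chkrootkit location, the rkhunter log path and the sample lines used while writing it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): run Chkrootkit and Rkhunter,
# reduce their output to the lines that matter and list the items both tools
# flagged. Assumed paths: CHKROOTKIT (on PATH on Debian/Ubuntu, or
# /usr/local/chkrootkit/chkrootkit for the CentOS build above) and the
# rkhunter log path named in the article.

CHKROOTKIT="${CHKROOTKIT:-chkrootkit}"
RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter.log}"

# Keep only chkrootkit lines that signal a problem. "not infected", "not found",
# "not tested", "nothing deleted" and "no packet sniffer sockets" are all
# lowercase, so the case-sensitive patterns below do not match them.
chkrootkit_findings() {
    grep -E 'INFECTED|PACKET SNIFFER|Possible|deletion|Warning'
}

# Keep rkhunter "Warning:" lines from its log, without the [HH:MM:SS] prefix.
rkhunter_warnings() {
    grep 'Warning:' | sed 's/^\[[0-9:]*\] *//'
}

# Print the name of the item each finding refers to, one per line: for
# chkrootkit "Checking `name'..." lines that is the quoted name, otherwise the
# basename of the first absolute path on the line (chkrootkit names the process
# behind a sniffer socket, rkhunter names the file it warns about). Apostrophes
# are turned into spaces first so that names and paths end cleanly.
item_name() {
    sed "s/'/ /g" | awk -F'`' '
        /^Checking/ { split($2, w, " "); print w[1]; next }
        match($0, /\/[^][ ():,]+/) {
            p = substr($0, RSTART, RLENGTH); n = split(p, a, "/"); print a[n]
        }'
}

# Names that appear in the findings of both tools.
# $1 = file with chkrootkit output, $2 = rkhunter log file.
flagged_by_both() {
    {
        chkrootkit_findings <"$1" | item_name | sort -u
        rkhunter_warnings <"$2" | item_name | sort -u
    } | sort | uniq -d | grep -v '^$' || true
}

# Run both scanners and print a merged report; returns 1 when anything was
# flagged by both tools, 0 otherwise.
run_audit() {
    out=$(mktemp) || return 2
    "$CHKROOTKIT" >"$out" 2>&1 || true
    # --sk skips the "press Enter" pauses, --nocolors keeps the console output
    # plain; rkhunter exits 1 when it logged warnings, which is expected here
    rkhunter --check --sk --nocolors >/dev/null 2>&1 || true
    chkrootkit_findings <"$out" | sed 's/^/chkrootkit: /'
    rkhunter_warnings <"$RKHUNTER_LOG" | sed 's/^/rkhunter:   /'
    both=$(flagged_by_both "$out" "$RKHUNTER_LOG")
    rm -f "$out"
    if [ -n "$both" ]; then
        printf 'flagged by both tools, investigate first:\n%s\n' "$both"
        return 1
    fi
    return 0
}

# Only run the scanners when called as "rootkit-crosscheck.sh --run".
if [ "${1:-}" = "--run" ]; then
    run_audit
fi
```

Run it as sh rootkit-crosscheck.sh --run once both tools are installed. One caveat when reading the rkhunter side: after you upgrade packages, run rkhunter --propupd so that its file-properties baseline matches the new binaries; otherwise the next rkhunter -c reports the legitimately changed files as warnings, and this script will show them alongside real findings.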
LMD – Linux Malware Detect
LMD is an open source tool that scans the system for malware. In addition, it can integrate with ClamAV for better performance, and this integration is enabled by default.
To install LMD run the following commands:
# cd /tmp
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -zxvf maldetect-current.tar.gz
# cd maldetect-1.6.4
# bash install.sh
To run a directory scan, execute the following command:
# maldet -a /home
If no malware is found, you will get a response like the following:
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@rfxn.com>
(C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(3714): {scan} signatures loaded: 17258 (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(3714): {scan} building file list for /home/, this might take awhile...
maldet(3714): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(3714): {scan} file list completed in 0s, found 4 files...
maldet(3714): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(3714): {scan} scan of /home/ (4 files) in progress...
maldet(3714): {scan} scan completed on /home/: files 4, malware hits 0, cleaned hits 0, time 0s
maldet(3714): {scan} scan report saved, to view run: maldet --report 211118-1512.3714
Because ClamAV was installed earlier, LMD found its clamdscan binary and used the ClamAV engine for the scan (see the "found clamav binary" line above).
Lynis
One of the most important ways to avoid having to deal with a system infection is prevention: securing the server properly beforehand. The main function of this tool is to audit the server (operating system configuration, kernel, installed software, network, cryptography and malware analysis) and finally present a report with the improvements that can be adopted to harden it.
To install lynis on Debian/Ubuntu run the following commands:
# apt install lynis
To install lynis on CentOS/Alma Linux run the following commands:
# yum install epel-release -y
# yum install lynis -y
To carry out an analysis run:
# lynis audit system
The result gives warnings about what needs to be improved in the system and also provides web links with information on how to resolve each finding:
-[ Lynis 2.6.2 Results ]-
Warnings (5):
----------------------------
! Version of Lynis is very old and should be updated [LYNIS]
https://cisofy.com/controls/LYNIS/
! No password set for single mode [AUTH-9308]
https://cisofy.com/controls/AUTH-9308/
! Found one or more vulnerable packages. [PKGS-7392]
https://cisofy.com/controls/PKGS-7392/
! Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818]
https://cisofy.com/controls/MAIL-8818/
! iptables module(s) loaded, but no rules active [FIRE-4512]
https://cisofy.com/controls/FIRE-4512/
Suggestions (50):
----------------------------
* Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [CUST-0280]
https://your-domain.example.org/controls/CUST-0280/
* Install libpam-usb to enable multi-factor authentication for PAM sessions [CUST-0285]
https://your-domain.example.org/controls/CUST-0285/
* Install apt-listbugs to display a list of critical bugs prior to each APT installation. [CUST-0810]
https://your-domain.example.org/controls/CUST-0810/
* Install apt-listchanges to display any significant changes prior to any upgrade via APT. [CUST-0811]
https://your-domain.example.org/controls/CUST-0811/
* Install debian-goodies so that you can run checkrestart after upgrades to determine which services are using old versions of libraries and need restarting. [CUST-0830]
https://your-domain.example.org/controls/CUST-0830/
Plugins
If you have a subscription to the Enterprise version, it is possible to extend the features of Lynis with plugins, available from the Lynis (CISOfy) website.
PHP-Antimalware-Scanner
PHP-Antimalware-Scanner is a security tool for websites developed in PHP that seeks to detect malware and other types of threats. It works by scanning the site's source code files for suspicious code patterns that may indicate malware.
To use it, simply download it:
# wget https://raw.githubusercontent.com/marcocesarato/PHP-Antimalware-Scanner/master/dist/scanner
And run it with the PHP CLI:
# php scanner /path/directory/web/ --auto-skip --all
It scans the specified path and, when it finds an infected file, asks which action you want to apply. Note, however, that PHP-Antimalware-Scanner is not a complete security solution for your website.
We hope we have helped you with this tutorial 🙂. Remember, if you have any questions about this or any other issue related to your Clouding servers, don't hesitate to write to support@clouding.io.
We're here for you!