Linux malware scanner?

WeWatchYourWebsite

New member
Registered
Joined
May 15, 2017
Messages
6
Points
0
We've found it best to scan files off of the webhosting server to reduce the load. The initial scan be as simple as making a zip of all the files, copying them to a server, scanning them for malware, removing all malware then copying the cleaned files back to the web server, thus overwriting any infected files and deleting all backdoors, phishing, etc files the hackers uploaded.

This eliminates the load on the server.

From the initial scan, you only have to monitor for file changes/additions, copy them to the external server, scan them and take any necessary steps to remove any malware.

You can also grab the log files on a constant basis to help in root cause analysis.
 

WeWatchYourWebsite

New member
Registered
Joined
May 15, 2017
Messages
6
Points
0
We created our own tool. If you're used to using ClamAV you could run that, but you should also get some additional signatures. The standard base of signatures will only catch about 40% of the website malware.

You could download it your PC, but most anti-virus software for a PC will not catch all the website malware.

Website malware is totally different than PC or Mac type malware.
 

wpspeedster

Well-known member
Registered
Joined
May 6, 2016
Messages
120
Points
18
We created our own tool.
Really? what are the features of your tool? why did you create your own tool without using an existed tool out there?

You could download it your PC, but most anti-virus software for a PC will not catch all the website malware.

Website malware is totally different than PC or Mac type malware.
Its quite exact and I tried to use an antivirus software to scan malware on infected files and not found at all. Why that?
It antivirus software just designed to scan virus?
 

WeWatchYourWebsite

New member
Registered
Joined
May 15, 2017
Messages
6
Points
0
Really? what are the features of your tool? why did you create your own tool without using an existed tool out there?
We created our own tool because we wanted it to perform and function exactly how we needed it to. I'm a C/C++ programmer from way back in the day, so creating a new tool was not that difficult. I identified exactly what I wanted it to do and wrote it. We use Google's RE2 regex library for our signatures. Our anomaly detection and behavior analysis engines are written in C++ as well. Our systems deobfuscate PHP and javascript code. We did not find any standard libraries or programs to perform those functions so we had to create our own tools.

Its quite exact and I tried to use an antivirus software to scan malware on infected files and not found at all. Why that?
It antivirus software just designed to scan virus?
Local PC and Mac based anti-virus scanners are typically looking for binaries, files that are compiled. They are good at detecting abnormal code that runs on your local computer. Website malware is totally different. Website files are typically all text. You can edit them with any text editor and they usually don't run on your local computer unless you have PHP and MySQL installed and running on your local computer.

This is why companies like us and Sucuri exist. To address the website security market - not the entire cyber security market.

I hope I've answered your questions.
 

Nixtree

Well-known member
Registered
Joined
Jul 16, 2016
Messages
133
Points
28
If you are having server root access, then I will suggest to have the below setup in a cpanel server / Normal server

1. Install Clamav and Clamd
2. Install Maldet
3. Enable clamav in maldet conf
4. Scan the accounts.
5. If you see even one bad files, then those accounts needs to be checked in more detail
6. In detailed check, first thing you need to do is a manual check on files in the public_html, and other uploads folders. If you are seeing any bad files which are not related to the CMS, then you should check them in more detail. EAch CMS have some most vulnerable areas which will be getting hacked more commonly.
7. Ask all your clients to have wordpress/jomla upgraded to the latest version and inform customers to upgrade if any have not done.
8. Check the recent files updates list using find command and check them and see if there is any unknown / bad file names
9. Search using find command for some common words which will be in the hacked files . There may be false positives but this will defenitly help you to start with.
 
Newer Threads

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top