Comments on Three Tools to Scan a Linux Server for Viruses, Malware and Rootkits

Servers connected to the internet are under a constant stream of attacks and scans all day. While a firewall and regular system updates are a good first line of defense to keep the system safe, you should also check regularly that no attacker has got in. The tools described in this tutorial are made for these sanity checks: they scan for malware, viruses and rootkits.


Comments

By: Randy Thompson

Nothing on clamav? http://www.clamav.net/

By: Warren

ISPProtect requires clamav to be installed

apt-get install clamav

I've also found rkhunter useful.

Ubuntu: apt-get install rkhunter

Redhat / CentOS:

cd /tmp
wget http://liquidtelecom.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
tar -xzvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install

Update:

rkhunter --update
rkhunter --propupd

Scan:

rkhunter --check

Scan without Prompts:

rkhunter --check --skip-keypress

By: till

The software Lynis that I covered above is the new software from the author of rkhunter. As far as I can see, it includes the rkhunter functionality and replaces it.

By: Warren

Good to know. Thank you :)

By: Warren

Unhide is also useful

Ubuntu: apt-get install unhide
Redhat/CentOS: yum install unhide

Compile Manually:

#pre-requisites
yum install gcc
yum install glibc-static

#download
cd /tmp
wget http://sourceforge.net/projects/unhide/files/unhide-20121229.tgz
tar -zxvf unhide-20121229.tgz
cd unhide-20121229

#compile
gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp

#create symbolic link
cp unhide-linux unhide-tcp /usr/local/bin && cd /usr/local/bin/ && ln -s unhide-linux unhide

#help
unhide -h

#scan
unhide -f sys
unhide -f proc
unhide-tcp

By: Warren

I'm not sure why all my spacing is wrong... Try this again:

ISPProtect requires clamav to be installed

apt-get install clamav


I've also found rkhunter useful.

Ubuntu: apt-get install rkhunter


Redhat / CentOS:

cd /tmp

wget http://liquidtelecom.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz

tar -xzvf rkhunter-1.4.2.tar.gz

cd rkhunter-1.4.2

./installer.sh --layout default --install


Update:

rkhunter --update

rkhunter --propupd


Scan:

rkhunter --check


Scan without Prompts:

rkhunter --check --skip-keypress


Unhide is also useful

Ubuntu: apt-get install unhide

Redhat/CentOS: yum install unhide


Compile Manually:

yum install gcc

yum install glibc-static

cd /tmp

wget http://sourceforge.net/projects/unhide/files/unhide-20121229.tgz

tar -zxvf unhide-20121229.tgz

cd unhide-20121229

gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux

gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp

cp unhide-linux unhide-tcp /usr/local/bin && cd /usr/local/bin/ && ln -s unhide-linux unhide


help:

unhide -h


scan:

unhide -f sys

unhide -f proc

unhide-tcp

By: Liam

Thanks for mentioning unhide. Nice tool!

By: Jesse Norell

If you install chkrootkit from debian package, it comes with a cronjob already, just set RUN_DAILY="true" in /etc/chkrootkit.conf.

By: tilaris

wget https://cisofy.com/files/lynis-2.3.1.tar.gz

for the new lynis

By: Arounan

wget https://cisofy.com/files/lynis-2.3.3.tar.gz

for the new lynis

By: Mr. Mister

Well done my friend. Very helpful and useful article.

By: danish

great one brah. very helpful

By: felan

lynis is available in the Debian repo. And the syntax I had to use was lynis --auditor system and not lynis audit system. Just a little info :)

By: Jeff Huckaby

No tool or set of tools is 100% complete. Better rootkits can avoid detection by all of these tools.

With RPM based systems, you can use rpm -V to verify a package against its manifest. You can also use md5sum and compare binaries to known good ones.

Also, you can never trust even the most basic commands when working on a potentially rooted system. If taking the server offline is not a possibility, then I recommend using statically compiled tools. This way you can be sure that the libs that things like bash, lsof, ps and others link against are not hacked.

For simpler rootkits often used by botnets, I find they often set the immutable bit on files in *bin directories. You can easily check this using lsattr and look for the s, i or a attributes on tools like ps, find etc.
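The lsattr check described in the comment above, as an added example (not code from the article or from any commenter): a POSIX sh script that lists the files in the usual binary directories whose attribute string carries i (immutable), a (append-only) or s (secure deletion). The parsing is separated from the lsattr call so it can be exercised on constructed lsattr-style output; the directory list and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example: flag binaries with the i, a or s attributes set, which the
# comment above describes as a sign left by simple rootkits. Only lowercase
# i/a/s are matched; the common 'e' (extents) flag and uppercase flags
# such as 'S' (sync) are ignored.

# Read lsattr output on stdin and print "ATTRS PATH" for suspicious entries.
# lsattr prints one line per file: an attribute string, a space, the path.
parse_lsattr() {
    while read -r attrs path; do
        [ -n "$path" ] || continue
        case "$attrs" in
            *i*|*a*|*s*) printf '%s %s\n' "$attrs" "$path" ;;
        esac
    done
}

# Run lsattr over the given directories (default: the usual *bin dirs) and
# filter the result. lsattr itself may be missing or unsupported on some
# filesystems, so its errors are suppressed and never abort the scan.
scan_bin_dirs() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not found" >&2; return 0; }
    dirs="${*:-/bin /sbin /usr/bin /usr/sbin}"
    for d in $dirs; do
        [ -d "$d" ] && lsattr -- "$d"/* 2>/dev/null || true
    done | parse_lsattr
}

# Constructed sample in lsattr's output format (not from a real host):
# ps is immutable and find is append-only; ls and netstat are clean.
SAMPLE_LSATTR='--------------e------- /usr/bin/ls
----i---------e------- /usr/bin/ps
-----a--------e------- /usr/bin/find
--------------e------- /usr/bin/netstat'

# Number of suspicious entries in the constructed sample (expected: 2).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LSATTR" | parse_lsattr | wc -l | tr -d ' '
}

if [ "${1:-}" = "--self-test" ]; then
    printf '%s\n' "$SAMPLE_LSATTR" | parse_lsattr
else
    scan_bin_dirs "$@"
fi
```

A hit is only a lead: a distribution or admin may legitimately set chattr +i on a file, so confirm against the package manager (rpm -V, or dpkg -V on Debian-based systems) before treating it as a compromise.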


By: felan

Linux Malware Detect is also worth looking into. There are scripts on here to install it on debian/ubuntu, but here is a link to their website: https://www.rfxn.com/projects/linux-malware-detect/

By: Bo Nilsson

Hi

I am in the process of building a system for single board computers. I am currently using suricata. I am not a full blown security expert. I am wondering if you would be able to point me in the direction of existing joint ventures working on putting inexpensive hardware and open source between everybody and the internet, giving experts something to work on to automate some sort of response to what is happening with our internet.

Sincerely,

/bo


By: Jon

How do you update Lynis on ubuntu using the command line? Installed and it says out of date. Is this a trick to get you to buy enterprise?