Three tools to scan a Linux server for Malware and Rootkits

Servers connected to the internet are seeing a constant level of attacks and scans all day. While a firewall and regular system updates are a good first defense to keep the system safe, you should also check regularly that no attacker got in. The tools described in this tutorial are made for these sanity checks, they scan for malware, viruses and rootkits. They should be run regularly, e.g. every night and send reports to you by email. You can also use Chkrootkit, Rkhunter and ISPProtect to scan a system when you see suspicious activity like high load, suspicious processes or when the server suddenly starts to send malware.

All these scanners have to be run as root user. Login as root before you continue or run "sudo su" on Ubuntu to become root user.

chkrootkit - Linux rootkit scanner

Chkrootkit is a classic rootkit scanner. It checks your server for suspicious rootkit processes and checks for a list of known rootkit files.

Either install the package that comes with your distribution (on Debian and Ubuntu you would run

apt-get install chkrootkit

), or download the sources from www.chkrootkit.org and install manually:

wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvfz chkrootkit.tar.gz
cd chkrootkit-*/
make sense

Afterward, you can move the chkrootkit directory somewhere else, e.g. /usr/local/chkrootkit:

cd ..
mv chkrootkit-<version>/ /usr/local/chkrootkit

and create a symlink for easy access:

ln -s /usr/local/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

To check your server with chkrootkit, run the command:

chkrootkit

A common false positive report is:

Checking `bindshell'...                                     INFECTED (PORTS:  465)

Don't worry when you get this message on an email server, this is the SMTPS (Secure SMTP) port of your mail system and a well known false positive.

You can even run chkrootkit by a cron job and get the results emailed to you. First, find out the path where chkrootkit is installed on your server with:

which chkrootkit

Example:

[email protected]:/tmp/chkrootkit-0.50# which chkrootkit
/usr/sbin/chkrootkit

Chkrootkit is installed in the path /usr/sbin/chkrootkit, we need this path in the cron line below:

Run:

crontab -e

To create a cron job like this:

0 3 * * * /usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output of my server" [email protected])

That would run chkrootkit every night a 3.00h. Replace the path to chkrootkit with the one that you got from which command above and exchange the email address with your real address.

Lynis - Universal security auditing tool and rootkit scanner

Lynis (formerly rkhunter) is a security auditing tool for Linux and BSD based systems. It performs a detailed auditing of many security aspects and configurations of your system. Download the latest Lynis sources from https://cisofy.com/download/lynis/:

cd /tmp
wget https://cisofy.com/files/lynis-2.1.1.tar.gz
tar xvfz lynis-2.1.1.tar.gz
mv lynis /usr/local/
ln -s /usr/local/lynis/lynis /usr/local/bin/lynis

This will install lynis to the directory /usr/local/lynis and creates a symlink for easy access. Now run

lynis update info

to check if you use the latest version.

Now you can scan your system for rootkits by running:

lynis audit system

Lynis will perform a few checks and then stops to give you some time to read the results. Press [ENTER] to continue with the scan.

Lynis system audit.

At the end, it will show you a summary of the scan.

Lynis result.

To run Lynis non-interactively, start it with the --quick option:

lynis --quick

To run Lynis automatically at night, create a cron job like this:

0 3 * * * /usr/local/bin/lynis --quick 2>&1 | mail -s "lynis output of my server" [email protected])

This will run lynis every night a 3.00h. Replace the email address with your real address.

ISPProtect - Website malware scanner

ISPProtect is a malware scanner for web servers, it scans for malware in website files and CMS systems like Wordpress, Joomla, Drupal etc. If you run a web hosting server, then the hosted websites are the most attacked part of your server and it is recommended to do sanity checks on them regularly. ISPProtect contains 3 scanning engines: a signature based malware scanner, a heuristic malware scanner, and a scanner to show the installation directories of outdated CMS systems. ISPProtect is not free software, but there is a free trial that can be used without registration to test it or clean an infected system.

ISPProtect requires PHP to be installed on the server, this should be the case on most hosting systems. In case you don't have a command line PHP installed yet, execute:

apt-get install php5-cli

on Debian or Ubuntu or:

yum install php

on Fedora and CentOS.

Run the following commands to install ISPProtect.

mkdir -p /usr/local/ispprotect
chown -R root:root /usr/local/ispprotect
chmod -R 750 /usr/local/ispprotect
cd /usr/local/ispprotect
wget http://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz
rm -f ispp_scan.tar.gz
ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan

To start ISPProtect, run:

ispp_scan

The scanner automatically checks for updates, then asks for the key (enter the word "trial" here) and then asks for the path of the websites, normally thats /var/www.

ISPProtect malware scan.

Please enter scan key: <-- trial
Please enter path to scan: <-- /var/www

The scanner will now start the scan. The scanning progress is shown. The names of the infected files are shown on the screen at the end of the scan and the results are stored in file sin the ISPProtect install directory for later use:

After the scan is completed, you will find the results also in the following files:
Malware => /usr/local/ispprotect/found_malware_20161401174626.txt
Wordpress => /usr/local/ispprotect/software_wordpress_20161401174626.txt
Joomla => /usr/local/ispprotect/software_joomla_20161401174626.txt
Drupal => /usr/local/ispprotect/software_drupal_20161401174626.txt
Mediawiki => /usr/local/ispprotect/software_mediawiki_20161401174626.txt
Contao => /usr/local/ispprotect/software_contao_20161401174626.txt
Magentocommerce => /usr/local/ispprotect/software_magentocommerce_20161401174626.txt
Woltlab Burning Board => /usr/local/ispprotect/software_woltlab_burning_board_20161401174626.txt
Cms Made Simple => /usr/local/ispprotect/software_cms_made_simple_20161401174626.txt
Phpmyadmin => /usr/local/ispprotect/software_phpmyadmin_20161401174626.txt
Typo3 => /usr/local/ispprotect/software_typo3_20161401174626.txt
Roundcube => /usr/local/ispprotect/software_roundcube_20161401174626.txt
Starting scan level 1 ...

To run ISPProtect automatically as nightly cronjob, create a cron file with nano:

nano /etc/cron.d/ispprotect

and insert the following line:

0 3  * * *   root	/usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --path=/var/www [email protected] --non-interactive --scan-key=AAA-BBB-CCC-DDD

Replace "[email protected]" with your email address, the scan report is send to this address. Then exchange "AAA-BBB-CCC-DDD" with your license key. You can get a license key here.

Share this page:

10 Comment(s)

Add comment

Comments

From: Randy Thompson

Nothing on clamav? http://www.clamav.net/

From: Warren

ISPProtect requires clamav to be installedapt-get install clamavI've also found rkhunter useful. Ubuntu: apt-get install rkhunter

Redhat / CentOS: cd /tmpwget http://liquidtelecom.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gztar -xzvf rkhunter-1.4.2.tar.gzcd rkhunter-1.4.2./installer.sh --layout default --installUpdate:rkhunter --updaterkhunter --propupd

 

Scan:rkhunter --checkScan without Prompts:rkhunter --check --skip-keypress

From: till

The software Lynis that I covered above is the new software from the author of rkhunter. As far as I can see, it includes the rkhunter functionality and replaces it.

From: Warren

Good to know Thank you :)

From: Warren

Unhide is also usefulUbuntu: apt-get install unhideRedhat/CentOS: yum install unhide

Compile Manually:

#pre-requisitesyum install gccyum install glibc-static

#downloadcd /tmpwget http://sourceforge.net/projects/unhide/files/unhide-20121229.tgztar -zxvf unhide-20121229.tgzcd unhide-20121229

#compilegcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linuxgcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c  -o unhide-tcp

#create symbolic linkcp unhide-linux unhide-tcp /usr/local/bin && cd /usr/local/bin/ && ln -s unhide-linux unhide

#helpunhide -h

#scanunhide -f sysunhide -f procunhide-tcp

From: Warren

I'm not sure why all my spacing is wrong...Try this again;

 

ISPProtect requires clamav to be installed

apt-get install clamav

 

I've also found rkhunter useful. 

Ubuntu: apt-get install rkhunter

 

Redhat / CentOS: 

cd /tmp

wget http://liquidtelecom.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz

tar -xzvf rkhunter-1.4.2.tar.gz

cd rkhunter-1.4.2

./installer.sh --layout default --install

 

Update:

rkhunter --update

rkhunter --propupd

 

Scan:

rkhunter --check

 

Scan without Prompts:

rkhunter --check --skip-keypress

 

 

Unhide is also useful

Ubuntu: apt-get install unhide

Redhat/CentOS: yum install unhide

 

Compile Manually:

yum install gcc

yum install glibc-static

cd /tmp

wget http://sourceforge.net/projects/unhide/files/unhide-20121229.tgz

tar -zxvf unhide-20121229.tgz

cd unhide-20121229

gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux

gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c  -o unhide-tcp

cp unhide-linux unhide-tcp /usr/local/bin && cd /usr/local/bin/ && ln -s unhide-linux unhide

 

help:

unhide -h

 

scan:

unhide -f sys

unhide -f proc

unhide-tcp

From: Liam

Thanks for mentioning unhide. Nice tool!

From: Jesse Norell

If you install chkrootkit from debian package, it comes with a cronjob already, just set RUN_DAILY="true" in /etc/chkrootkit.conf.

From: tilaris

wget https://cisofy.com/files/lynis-2.3.1.tar.gz

for the new lynis

From: Arounan

wget https://cisofy.com/files/lynis-2.3.3.tar.gz

for the new lynis