How to Scan a Linux Server for Malware and Rootkit

Scan Server Featured Image

Worms, viruses, malware and the dreaded rootkit are the very bane of every server administrator’s existence. Depending on architecture, there can be numerous options for code ne’er-do-wells to explore in infected systems, gathering sensitive information and/or costing organizations quite a lot of money in the process.

Thankfully, you don’t need to fly a flag of defeat in the face of such cyber-enemies – detecting them on your server is possible, and there are plenty of tools to help you scan your Linux server for malware and rootkit. Best of all, many of these tools are free to use.

1. Clam AV

This command line antivirus is designed to integrate closely with mail servers and is available for all kinds of systems, including prominent Linux distros such as SuSE, Fedora and Ubuntu.

Installation in Ubuntu is as easy as running the following command:

Scan Server Install Clamav

Once installed, clamav can be used from a terminal to go over the entire system with a fine-tooth comb and sanitize any infected files. In addition to this, Clam AV provides powerful real-time scanning and resource-monitoring utilities as well.

To run a simple scan of your server’s filesystem, use the following code from the root directory:

The above command will instruct Clam AV to perform a recursive scan (checking files within files) and print only infected documents to the terminal. Keep in mind that before you run this code you’ll need to allow Clam AV enough time to install its database of virus signatures on your machine. To keep an eye on this process, you can cancel the service and restart it manually with the following code:

followed by:

Scan Server Clamav Freshclam

To automatically remove infected files from the system during a scan, use the following code. (Be careful with this option!):

2. chkrootkit

This tool runs a number of tests to detect malicious loadable kernel modules, worms and full-blown rootkits.

For Ubuntu, this tool is available from the official repository. Use the following code to install it:

Scan Server Install Chkroot

Unlike Clam AV, chkrootkit is a passive tool and lacks functionality to act on any detected threats. Anything suspicious it finds in your server’s filesystem will need to be researched and removed manually, so keep a copy of its output for later reference.

To run this tool, use the following command:

Scan Server Chkrootkit

The list chkrootkit gives you is a good starting point for further diagnostics.

3.AIDE

This tool’s name is an acronym that stands for “Advanced Intrusion Detection Environment” – a totally free replacement for a similar tool called Tripwire.

AIDE allows you to keep close tabs on your system’s files to track when and how they are modified or otherwise accessed. This tool is easily installable from Ubuntu’s official repositories with apt.

Scan Server Install Aide

To complete the installation process, you will need to configure Postfix through the options presented to you. To navigate these, you can use the Tab key or arrow buttons, then press Enter on the option you want. Postfix is used to send information to your email address on a schedule you can control.

Scan Server Aide Postfix

Scan Server Aide Postfix 2

Configuring AIDE requires a bit of file manipulation. You’ll need to handle files in the following locations:

First, we’ll make the database and config files by running the following command:

Scan Server Aideinit

Once completed, this process places the database and config files it generates in “/var/lib/aide/” under the names “aide.db.new” and “aide.conf.autogenerated.” Both of these need to be copied as “aide.db” and “aide.conf,” respectively, to function properly.

Making a copy of the database file with a new name is easy with the following code:

Scan Server Aide Db

Before renaming and copying the config file, update it with the following command:

Scan Server Update Aide

Once you’ve updated the config file, copy it to the right folder with the following command:

Now AIDE should be functional on your server and actively watching the HASHED representation of your filesystem it has generated.

AIDE can be configured to exclude folders, run periodically and more by modifying its config file, but the following command is enough to see your system’s output:

AIDE is most effective when its config is accessed from a read-only location, as rootkits could allow attackers to modify the file. Consider implementing such a setup for optimum results.

The tools covered in this article should help you scan your Linux server for malware and rootkits using a variety of techniques. Rootkits are the trickiest of digital threats to tackle, but they can be staved off with proper diligence.

Leave a Comment

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.