Some unexpected behaviour on a Linux server could be a result of malware infection, while other malicious software might not alert to their presence. Scanning your system for different types of unwanted programs can help identify issues, or at least give you peace of mind for having a clean server.
There are multiple options for making sure your cloud server is clean of any malware, this guide goes over a couple of scanning software you can utilise for checking your system.
ClamAV
ClamAV is a popular open-source antivirus engine available on a multitude of platforms including the majority of Linux distributions. Install it on your Debian system with the command below.
sudo aptitude install clamav clamav-daemon
With the required modules installed, next, you should update the virus database for ClamAV.
First, stop the related processes to allow for the update the proceed.
sudo systemctl stop clamav-freshclam
Then use the command below to run the updater application.
sudo freshclam
When you’ve finished updating the virus definitions, start and enable the services.
sudo systemctl start clamav-freshclam sudo systemctl enable clamav-freshclam
Then do a test scan to your home directory just to make sure the scanning works as it should use the following command.
sudo clamscan -r /home
Granted that your home directory didn’t contain any viruses or other types of malware, the scan should come back empty.
So how do you know it works?
For this, you can download an anti-virus test file, which is a small completely harmless program that most anti-virus software report as infected, though with an obvious test file name EICAR-AV-Test. Use the following command to download the test file to your home directory.
wget -P ~/ http://www.eicar.org/download/eicar.com
Now scan your home folder again with the same command as above, you should receive notice of one infected file at the end summary after the scan is completed. When you’ve confirmed that ClamAV finds the test file correctly, use the command below to scan it again and remove the infected file once found.
sudo clamscan --infected --remove --recursive /home
Be careful when using the –remove parameter. First, run a broader scan without it, and then a more localized scan when removing files or removing them manually.
To perform a complete scan of your cloud server, use this command.
sudo clamscan --infected --recursive --exclude-dir="^/sys" /
The scan goes through each directory in your system root recursively, but skips /sys just to avoid unnecessary warning printouts, as the virtual file system consists of some unreadable files, which could not contain viruses anyway.
Rkhunter
Rkhunter is a common option for scanning your system for rootkits and general vulnerabilities. It can be easily installed using the package manager on Debian systems.
sudo aptitude install rkhunter
Once installed and before scanning, you’ll need to update the file properties database.
sudo rkhunter --propupd
This lets the scanner know the current state of certain files to prevent some false alarms. After the update, simply run the scanner with the following.
sudo rkhunter --checkall
The scanner goes through some system commands, checks for actual rootkits and some malware, network and local host settings, and then give you the summary as well as records the findings to a log file.
Afterwards, you can get a condensed look at the scan log with this command.
sudo cat /var/log/rkhunter.log | grep -i warning
Go through the output to get some tips on what you could do to improve your system security.
Chkrootkit
Chkrootkit is a popular rootkit scanner, which runs a lot of useful checks and can direct suspicions towards finding a solution. It can be installed on most distributions with the package manager, on a Debian server using the following.
sudo aptitude install chkrootkit
Once done, scan your server with this command.
sudo chkrootkit
The scan will check for many types of infections and print out its findings. You can scroll through the output to check for any warnings.
Chkrootkit doesn’t write reports other than outputting to the screen by default, but if you wish to automate the checks or to take a look at the findings later, use the tee command to redirect the printout to a log file.
sudo chkrootkit | sudo tee /var/log/chkrootkit/chkrootkit.log
You can then easily check the log for any warnings.
sudo cat /var/log/chkrootkit/chkrootkit.log | grep -i warning
While the option can be used to help determine if a machine has been compromised, it shouldn’t be taken as the ‘final word’, use it together with other scanners to diagnose any possible infections.
Mats
It all worked when I changed aptitude to apt. Good work and good explain. Now I will try to fix my other laptop. Its installed with debian firmware and when I install from commandline it ask for an install cd. But I have no cd-driver on that computer