Updated on 24.5.2023
Some unexpected behaviour on a cloud Linux server could be the result of a malware infection, while other malicious software might give no sign of its presence. Scanning your system for different types of unwanted programs can help identify issues, or at least give you peace of mind for having a clean server.
There are multiple options for making sure your cloud server is clean of any malware. This guide goes over a couple of scanners you can use for checking your system.
ClamAV is a popular open-source antivirus engine available on a multitude of platforms including the majority of Linux distributions. Install it with the command below.
sudo apt-get install clamav clamav-daemon
With the required modules installed, next, you should update the virus database for ClamAV.
First, stop the related processes to allow the update to proceed.
sudo systemctl stop clamav-freshclam
Then use the command below to run the updater application.
sudo freshclam
When you’ve finished updating the virus definitions, start and enable the services.
sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-freshclam
Then run a test scan of your home directory with the following command, just to make sure the scanning works as it should.
sudo clamscan -r /home
Granted that your home directory didn’t contain any viruses or other types of malware, the scan should come back empty.
So how do you know it works?
For this, you can download an anti-virus test file, which is a small, completely harmless program that most anti-virus software reports as infected, though with an obvious test file name EICAR-AV-Test. Use the following command to download the test file to your home directory.
wget -P ~/ http://www.eicar.org/download/eicar.com
Now scan your home folder again with the same command as above. You should receive notice of one infected file in the summary at the end of the scan. When you’ve confirmed that ClamAV finds the test file correctly, use the command below to scan again and remove the infected file once found.
sudo clamscan --infected --remove --recursive /home
Be careful when using the --remove parameter. First, run a broader scan without it, and then either run a more localized scan with it to remove the files, or remove them manually.
To perform a complete scan of your cloud server, use this command.
sudo clamscan --infected --recursive --exclude-dir="^/sys" /
The scan goes through each directory in your system root recursively, but skips /sys just to avoid unnecessary warning printouts, as the virtual file system consists of some unreadable files, which could not contain viruses anyway.
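The two-pass approach described above, as an added example that is not part of the original guide: it reads the report of a broad scan run without --remove and prints one localized follow-up command per affected directory. The function names, the scan.txt file name and the sample report are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. The report below is constructed.

# Print the path of every detection read from stdin, one per line.
# clamscan reports a hit as "<path>: <signature> FOUND".
infected_files() {
    sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p'
}

# Print each directory holding at least one detection, de-duplicated.
infected_dirs() {
    infected_files | while IFS= read -r f; do dirname -- "$f"; done | LC_ALL=C sort -u
}

# Print, without running, one localized follow-up scan per directory so every
# detection can be reviewed before --remove deletes anything.
# Paths are wrapped in single quotes; a path containing one needs manual care.
followup_commands() {
    infected_dirs | while IFS= read -r d; do
        printf "sudo clamscan --infected --remove '%s'\n" "$d"
    done
}

# Constructed sample of `clamscan --infected --recursive` output.
sample_report() {
    cat <<'EOF'
/home/alice/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/alice/My Docs/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND
/var/www/uploads/a.zip: Win.Test.EICAR_HDB-1 FOUND
/var/www/uploads/b.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
EOF
}

# Real use: save the broad scan first, then feed the saved report in, e.g.
#   sudo clamscan --infected --recursive --exclude-dir="^/sys" / | tee scan.txt
#   followup_commands < scan.txt
sample_report | followup_commands
```

clamscan exits with status 1 when it finds something and 2 on errors, so a wrapper script can also branch on the exit code before parsing the report.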
Rkhunter is a common option for scanning your system for rootkits and general vulnerabilities. It can be easily installed using the package manager.
sudo apt-get install rkhunter
Once installed and before scanning, you’ll need to update the file properties database.
sudo rkhunter --propupd
This lets the scanner know the current state of certain files to prevent some false alarms. After the update, simply start the scanner with the following.
sudo rkhunter --checkall
The scanner runs through some system commands, checks for actual rootkits and some malware, network and local host settings, and then gives you the summary as well as recording the findings to a log file.
Afterwards, you can get a condensed look at the scan log with this command.
sudo cat /var/log/rkhunter.log | grep -i warning
Go through the output to get some tips on what you could do to improve your system security.
Chkrootkit is another popular rootkit scanner, which runs a lot of useful checks and can direct suspicions towards finding a solution. It can be installed on most distributions with the package manager. On Ubuntu systems, use the following.
sudo apt-get install chkrootkit
Once done, scan your server with this command.
sudo chkrootkit
The scan will check for many types of infections and print out its findings. You can scroll through the output to check for any warnings. Note that on Ubuntu 14.04 using chkrootkit version 0.49 it’s possible to get a false positive warning for the Suckit rootkit. Use rkhunter to double-check.
Chkrootkit doesn’t write reports other than outputting to the screen by default, but if you wish to automate the checks or to take a look at the findings later, use the tee command to redirect the printout to a log file.
sudo chkrootkit | sudo tee /var/log/chkrootkit/chkrootkit.log
You can then check the log for any warnings.
sudo cat /var/log/chkrootkit/chkrootkit.log | grep -i warning
While chkrootkit can be used to help determine if a machine has been compromised, it shouldn’t be taken as the ‘final word’. Use it in conjunction with other scanners to diagnose any possible infections.
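For the automated checks mentioned above, an added example (not part of the original guide) that compares a new chkrootkit log against a baseline you have already reviewed, so that a known false positive such as the Suckit one does not bury a new finding. It assumes chkrootkit marks hits with an upper-case INFECTED and clean results with a lower-case "not infected"; the function names and sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Sample lines are constructed.

# Keep the log lines that flag something. INFECTED is matched case-sensitively
# so that the harmless "not infected" results are not counted as findings.
findings() {
    grep -E '[Ww]arning|WARNING|INFECTED' | LC_ALL=C sort -u
}

# Print findings that are in the current log ($2) but not in the reviewed
# baseline ($1). Returns 1 when something new appeared, 0 otherwise.
new_findings() {
    base=$(mktemp) || return 2
    findings < "$1" > "$base"
    new=$(findings < "$2" | grep -Fxv -f "$base" || true)
    rm -f "$base"
    if [ -z "$new" ]; then return 0; fi
    printf '%s\n' "$new"
    return 1
}

# Constructed baseline: the Suckit false positive, already double-checked.
sample_baseline() {
    cat <<'EOF'
Checking `ls'... not infected
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
EOF
}

# Constructed log from a later run with one additional finding.
sample_today() {
    cat <<'EOF'
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
EOF
}

# Demo: only the bindshell line is printed.
b=$(mktemp); t=$(mktemp)
sample_baseline > "$b"; sample_today > "$t"
new_findings "$b" "$t" || echo "review the new finding(s) above"
rm -f "$b" "$t"
```

Note that the plain grep -i warning shown earlier would not print the bindshell line at all, since that line carries INFECTED without the word "warning".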
Join discussion
18.1.2019 at 16.29
great tips, thank you
13.3.2019 at 09.40
Well explained, clear and easy to follow
18.3.2019 at 11.12
I am an Ubuntu user so this will definitely help me a lot. Thanks for sharing such useful ideas.
19.6.2019 at 18.32
Awesome, well explained, thank you for that!
28.2.2020 at 14.01
Great tutorial! Now, in the line:
“With the required modules installed, next, you should update the virus database for ClamAV by running the updater application: sudo freshclam”
you will get a message saying that ClamAV is already in use. You don’t need to execute this command for it will be executed automatically. Just go with the next.
28.2.2020 at 23.08
Hi Alejandro, thanks for the comment. Different versions of ClamAV might have slightly different functionality but running the update will be useful for keeping the definitions current later on as well.
4.6.2020 at 15.47
“Be careful when using the --remove parameter. First, run a broader scan without it, and then more localized scan when removing files or remove them manually.”
The broader scan without the remove command is the command you gave just below that? sudo clamscan --infected --recursive --exclude-dir="^/sys" / This one?
And how do I find out which localized place the infected file is in, in order to do a localized scan? You should have given commands for all of these tiny warnings you gave.
8.6.2020 at 13.45
Hi Soum, thanks for the question. The point of the warning was to highlight the potential issue of false positives. It’s recommended to first run just a scan, then if ClamAV detects potentially infected files, it will report the location of those files. The scan command sudo clamscan --infected --recursive --exclude-dir="^/sys" / is an example of scanning your entire server. Note that a broad scan like this will take some time. Afterwards, you can run another scan on the directory the issue was detected at with the --remove flag enabled, e.g. sudo clamscan --infected --remove /home/user/
6.12.2020 at 03.36
Thank you Janne for the tutorial, but I would like to know about ClamAV. Should I update the ClamAV app, or is just updating the virus database enough?
6.12.2020 at 18.03
Hi there, thanks for the question. The sudo freshclam command is used to update the virus database while the application itself will be kept up to date along with standard software updates, e.g. using sudo apt upgrade
16.2.2021 at 08.20
I already use malware anti-virus software but I didn’t know about this information. Thanks for sharing this amazing stuff. I got some new information from this blog. Great job and keep posting!
30.12.2021 at 11.08
Thank you for sharing informative content…
3.1.2022 at 17.37
Last version of rkhunter (1.4.6.) is from 2018. Does it make sense to rely on such an outdated package whilst the attacking side is changing constantly?
4.1.2022 at 12.35
Hi Jo, thanks for the question. While the application itself hasn’t been updated for some time, the packages are maintained in most repositories and rkhunter still has value in scanning misbehaving systems. However, using rkhunter alone does not guarantee that a system is not compromised. Running additional tests, such as chkrootkit, is recommended.
24.8.2022 at 23.58
Thank you for posting this.