
Problem
There comes a time when you are wondering what is happening to your server, or in my case a hosting server where I host my own and my clients' websites,
and bam! You get a warning from your datacenter or hosting provider that your server has been sending lots of spam emails, or even worse, DoS (Denial of Service) attacks.
You are like, not this again, and the timing could not have been worse 🙁
Anyway, enough drama. Below are the steps I follow to solve this problem.
Scanning: ClamAV
The first step is to scan for infected files. This can be done in multiple ways; here is how to do it with ClamAV, which can be installed on most Linux servers.
I have modified the command line to simply append the results to a text file (-r scans recursively, -i lists only the infected files). This guide does not cover installing ClamAV on your server, as that is easily found with a Google search.
cd /tmp
clamscan -r -i /home >> clamlog.txt
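As an added example (not code from the original post), here is a small POSIX shell script that backgrounds the clamscan run above with nohup so a dropped SSH session does not kill it, and then pulls the infected paths and a per-signature tally out of the clamscan log. The log location, function names and the sample log contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: background the clamscan run
# from the ClamAV step with nohup so it survives a dropped SSH session, then
# summarise the resulting log. Log location and names are assumptions.

# Start the recursive scan in the background; output goes to a timestamped
# log under /tmp, next to where the post writes clamlog.txt. Prints the log path.
start_scan() {
    scan_root=${1:-/home}
    log="/tmp/clamlog-$(date +%Y%m%d-%H%M%S).txt"
    nohup clamscan -r -i "$scan_root" >"$log" 2>&1 &
    echo "$log"
}

# Write a constructed clamscan log (sample data, not a real scan) to $1 so the
# summary functions can be exercised without ClamAV installed.
write_sample_log() {
    cat >"$1" <<'EOF'
/home/site1/public_html/wp-content/uploads/shell.php: Php.Malware.SampleOnly-1 FOUND
/home/site2/public_html/cache/x.php: Php.Malware.SampleOnly-1 FOUND
/home/site3/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
EOF
}

# clamscan reports hits as "<path>: <signature> FOUND"; list just the paths.
infected_files() {
    grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

# Number of hits in the log; prints 0 when the scan was clean.
infected_count() {
    grep -c ' FOUND$' "$1" || true
}

# Hits per signature, most frequent first, e.g. "2 Php.Malware.SampleOnly-1".
signature_tally() {
    grep ' FOUND$' "$1" | sed 's/^.*: \(.*\) FOUND$/\1/' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Demo on the constructed log when run directly: ./clamsummary.sh demo
case "${1:-}" in
    demo) write_sample_log /tmp/clamlog-sample.txt
          signature_tally /tmp/clamlog-sample.txt ;;
esac
```

Feed the real log written by start_scan to infected_files to get the list of paths to quarantine or restore from a clean backup.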
Scanning: Rkhunter
The rkhunter tool can be installed with the following commands on Ubuntu (apt) and CentOS (yum, after enabling the EPEL repository).
$ sudo apt install rkhunter
# yum install epel-release
# yum install rkhunter
To check your server with rkhunter, run the following command as root.
rkhunter -c
Scanning: ISPProtect
Scanning for infected files can be done in multiple ways, but this is what works for me.
There are many scripts out there that can help you detect infections, but for me ISPProtect has helped. It is a paid tool.
They give you the first scan for free, so you can try it out as a trial on one of your servers.
So basically you connect to the server via SSH, download the scanner and run it.
cd /tmp
wget https://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz
./ispp_scan
Instead of running the above script interactively, I let it run in the background under nohup, just in case the SSH connection gets lost (the scan key below is the placeholder from the original; replace it with your own).
nohup ./ispp_scan --path=/home --email-results=root@localhost --non-interactive --scan-key=AAA-BBB-CCC-DDD &