Linux command lines to check malware and virus

satimis

Member
Credits
557
Hi all,

I expect to run Linux/Unix command lines to check for malware and viruses hidden in the websites, on the Terminal of the hosting company. I have >40 websites installed.
I can log in to their Terminal and run Linux command lines. Please advise the command lines to be run. Thanks

Regards
 


ukro

New Member
Credits
17
+1, same question. What I have been reading is that clamav can do that. I had no time to figure out more info, but I can imagine this would be the solution.
 

satimis

Member
Credits
557
Hi,

Thanks for your advice.

On the cPanel Terminal of the hosting company:

# which clamav
no output
It is not installed on their Terminal, but I'm not allowed to install it on their server.

# which freshclam
/usr/bin/freshclam
freshclam is running on their server.

freshclam is completely new to me!

Regards
 

captain-sensible

Well-Known Member
Credits
14,907
Ok, ClamAV is the name of the program or "anti-virus"; "freshclam" is the command to update the virus signature database. Basically, because new viruses are being created, ClamAV needs to be updated, putting it simply, so that it can detect the new viruses.

So from time to time you run the command from a terminal:
Code:
sudo freshclam


or # freshclam
Now clamscan is the name of the command to use clamav from the command line. If you were going to scan a complete OS on a PC, then for brevity this is how I would do it.
Code:
sudo clamscan -r -v --infected --remove=yes --exclude-dir=/sys/ --exclude-dir=/proc/ --exclude-dir=/dev/ --exclude-dir=/run/media/andrew/7569-5EFD/  /
Let me explain a couple of the above options. The last "/" means ClamAV is going to scan the whole system from "/", i.e. "root".

Now there are files and there are virtual representations. My understanding is that files can be infected but "virtual files" cannot. (I'm sure somebody will confirm this or not.) So that means I don't want to waste time on parts of the system that are basically "representations" of a file system. So for example

Code:
--exclude-dir=/proc/
That tells ClamAV not to bother scanning /proc; it will just waste both our time. Note it needs the ending /

Code:
--infected
That means when it's finished I only want to be told about infected files

Code:
--remove=yes
That means if anything is found, take it out. You can leave that out if you want to find files or possible files and then decide what you will do.

Code:
-r
Basically that means I want to scan from /, i.e. root, recursively all the way through the system.

Code:
-v
Put that in so I can see what's going on; otherwise all you see is a blinking cursor


You can use as many excludes as you want. What about --exclude-dir=/run/media/andrew/7569-5EFD/?

Well, that's my SD card, mounted at /run/media/andrew/7569-5EFD/

I thought I would scan that separately, so told ClamAV not to bother.


I ran that code the other day on my laptop due to a possible issue after using rkhunter; the scan took circa 3 hours.



Now that's running ClamAV on your own system that you have access to. I would have thought
any hosting would be constantly looking for issues, especially if web sites involve WordPress, so you wouldn't need to
 

satimis

Member
Credits
557
Hi captain-sensible,

Lots of thanks for your effort and time spent in helping me.

I learned a bitter lesson in past weeks: all my websites (>40) could not be browsed and I was unable to log in to admin. It was supposedly attacked by a malware, lock360.php. 500 malicious .htaccess files were created, resulting in some functions of WordPress being unable to work. Then I had to run Linux command lines to fix the problem.

Usually the malware added the following content, creating new malicious .htaccess files or adding it at the beginning of existing .htaccess files.
Code:
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>


After logging in to the cPanel Terminal of my hosting company, I work as root.

Regarding your advice, whether:

1) I take out --remove=yes
2) I don't need --exclude-dir=/run/media/andrew/7569-5EFD/ ?


The command line will be:
# freshclam -r -v --infected --exclude-dir=/sys/ --exclude-dir=/proc/ --exclude-dir=/dev/ / (or ./) ?

Please advise. Thanks

Regards
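The injected block quoted above is easy to look for without deleting anything. The following script is an added example and is not code from the thread or from any participant: it walks a web root for .htaccess files that contain both a FilesMatch directive and "Deny from all" (the heuristic is an assumption based on the block shown in the post) and lists them for review. The sample web root it builds in a temporary directory, including the file names under wp-admin and wp-content, is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: list .htaccess files carrying the
# injected "FilesMatch ... Deny from all" block. Read-only: nothing is removed.

# Print the path of every .htaccess under $1 whose content contains a
# FilesMatch directive and a "Deny from all" line (heuristic; assumption).
find_suspect_htaccess() {
    root="$1"
    find "$root" -type f -name .htaccess -print 2>/dev/null | while IFS= read -r f; do
        if grep -qi 'FilesMatch' "$f" && grep -qi 'Deny[[:space:]]*from[[:space:]]*all' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Count suspects under $1 (handy for a cron job or a quick triage).
count_suspect_htaccess() {
    find_suspect_htaccess "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree: one legitimate .htaccess with the block
# prepended, one clean file, and one newly created file in a plugin directory.
make_sample_webroot() {
    root="$1"
    mkdir -p "$root/wp-content/plugins/example" "$root/wp-admin"
    cat > "$root/.htaccess" <<'EOF'
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>
# BEGIN WordPress
RewriteEngine On
# END WordPress
EOF
    cat > "$root/wp-admin/.htaccess" <<'EOF'
# constructed clean file, nothing unusual
Options -Indexes
EOF
    cat > "$root/wp-content/plugins/example/.htaccess" <<'EOF'
<FilesMatch '.(php|php5|suspected|py|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>
EOF
}

# Stand-alone run: sh script.sh --demo builds the sample tree, lists the
# two suspect files, and cleans up. Point find_suspect_htaccess at a real
# web root (e.g. public_html) to triage a live site.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_webroot "$tmp/site"
    find_suspect_htaccess "$tmp/site"
    rm -rf "$tmp"
fi
```

Listing rather than deleting matters here: a legitimate .htaccess may also carry deny rules, so each hit should be read before it is cleaned, which is the same reason captain-sensible gives for leaving out --remove=yes.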
 

captain-sensible

Well-Known Member
Credits
14,907
1) You can take out --remove=yes; that option means that clamav will get rid of anything
it thinks is malware if it finds it. The problem is it could remove something that is not malware.

Without that flag, as long as the command contains --infected, then at the end of the scan clamav should simply LIST what it thinks is malware but not remove it. That gives you the opportunity of dealing with it yourself. To scan starting from the root directory, the end of the command should be /

./ means current directory

So if I did cd ~, i.e. change directory to the user's home, and put ./ as the last bit of the command, then it would only scan from my home directory, if, that is, the ./ wasn't wrongly interpreted.
2) --exclude-dir=/run/media/andrew/7569-5EFD/

You don't need that bit; it's just an example of the command on my system. Basically it's the path to where my SD card is mounted.

But the command will not contain "freshclam"; freshclam is the facility for updating the virus sig database, so the command will be:

Code:
sudo clamscan -r -v --infected  --exclude-dir=/sys/ --exclude-dir=/proc/ --exclude-dir=/dev/   /
 

captain-sensible

Well-Known Member
Credits
14,907
The command does look somewhat convoluted, I must admit; it works though, since I copied it straight from my terminal to my notes.

The command makes more sense when viewed as
Code:
clamscan [options] [file/directory/-]
so basically the command, seen as [options] [file or directory], looks like:

sudo clamscan [ -r -v --infected --exclude-dir=/sys/ --exclude-dir=/proc/ --exclude-dir=/dev/ ] [ / ]


To get the "full monty" of commands, in a shell window type: info clamscan
 

satimis

Member
Credits
557
# freshclam -r -v --infected --exclude-dir=/sys/ --exclude-dir=/proc/ --exclude-dir=/dev/ /
freshclam: illegal option -- r
ERROR: Unknown option passed
ERROR: Can't parse command line options


Do I need to change all -- to -?

Regards
 

satimis

Member
Credits
557
# clamscan -r -v --infected --exclude-dir=/sys/ --exclude-dir=/proc/ --exclude-dir=/dev/ /
jailshell: clamscan: command not found
 

captain-sensible

Well-Known Member
Credits
14,907
Doesn't surprise me, "jailshell"; maybe @Rob could elaborate on it. Basically that stops users performing some commands.

I can run clamscan because I have full root permission when I want. If you have web on hosting, i.e. your web is on someone else's computer, then only they have complete control. Shared hosting can be a problem when other users on the hosting invite security problems. But basically if your hosting provider allowed your web to become infected then they let you down. I guess the alternative is along the lines of non-shared hosting. Or even run your own server? Also see @KGIII's sig about hosting?
 

satimis

Member
Credits
557
Hi captain-sensible,

All my websites have cloned sites on VMs (guests of Oracle VirtualBox) and they are not open to the public. I'll test ClamAV on the VM and come back later.

Several years ago I had this setup. When the local server is up, visitors browse the local websites. When the local server is down, visitors browse the websites on the server of the hosting company. The switching is fully automatic and visitors won't feel the change. It is an interesting setup. I did it as an experiment only.

Besides, my hosting company may have other antivirus software installed. I'll contact technical support later to find out.
 

satimis

Member
Credits
557
Hi all,

Install ClamAV on a VM of VirtualBox running on PC
OS - Ubuntu 20.04


$ sudo apt install clamav clamav-daemon -y

$ which clamscan
/usr/bin/clamscan


$ which freshclam
/usr/bin/freshclam


Before updating the database, stop the clamav-freshclam service;
$ sudo systemctl stop clamav-freshclam

Update the database;
$ sudo freshclam
WARNING: Ignoring deprecated option SafeBrowsing at /etc/clamav/freshclam.conf:22
Tue Jul 13 16:30:15 2021 -> ClamAV update process started at Tue Jul 13 16:30:15 2021
Tue Jul 13 16:30:15 2021 -> ^Your ClamAV installation is OUTDATED!
Tue Jul 13 16:30:15 2021 -> ^Local version: 0.103.2 Recommended version: 0.103.3
Tue Jul 13 16:30:15 2021 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Tue Jul 13 16:30:15 2021 -> daily.cvd database is up-to-date (version: 26229, sigs: 3995624, f-level: 63, builder: raynman)
Tue Jul 13 16:30:15 2021 -> main.cvd database is up-to-date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Tue Jul 13 16:30:15 2021 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Start clamav-freshclam and enable it to start at reboot:
$ sudo systemctl start clamav-freshclam

$ sudo systemctl enable clamav-freshclam
Synchronizing state of clamav-freshclam.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable clamav-freshclam

$ sudo clamscan --infected --remove --recursive /var/www/html/reynoldstocks/
----------- SCAN SUMMARY -----------
Known viruses: 8545158
Engine version: 0.103.2
Scanned directories: 693
Scanned files: 5680
Infected files: 0
Data scanned: 438.99 MB
Data read: 1926.02 MB (ratio 0.23:1)
Time: 95.604 sec (1 m 35 s)
Start Date: 2021:07:13 17:14:26
End Date: 2021:07:13 17:16:02

/var/www/html/reynoldstocks/
is the folder where the website is installed

$ sudo freshclam --infected --remove --recursive /var/www/html/reynoldstocks/
freshclam: unrecognized option `--infected'
ERROR: Unknown option passed
ERROR: Can't parse command line options

freshclam is a virus database update tool for ClamAV. I think it is NOT a tool for running ClamAV. Clamscan is!!!

The options of freshclam are different.
$ freshclam -h
Please refer to the attached screenshot

I haven't contacted the Technical Support of my hosting company yet. I must make sure there is no problem running ClamAV on the local PC first.

Comments and advice are appreciated. Thanks

Regards
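The scan above ends with a SCAN SUMMARY whose "Infected files:" line is the one number worth acting on. The following wrapper is an added example, not code from the thread or from any participant: it runs clamscan over a web root read-only (no --remove, as discussed earlier in the thread), refuses politely when clamscan is not available (the jailshell case), and turns the summary into an exit status so it can sit in a cron job or a hosting-side check. The summary text embedded for the demo is constructed in the shape of the one quoted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: wrap clamscan for a web root and parse
# the "Infected files:" line of its SCAN SUMMARY into a number / exit status.

# Extract the number after "Infected files:" from summary text read on stdin.
# Prints 0 if the line is absent so callers can always compare numerically.
infected_count_from_summary() {
    n=$(sed -n 's/^Infected files:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Classify a saved clamscan log file: prints CLEAN or INFECTED:<n>.
classify_log() {
    n=$(infected_count_from_summary < "$1")
    if [ "$n" -eq 0 ]; then echo CLEAN; else echo "INFECTED:$n"; fi
}

# Run clamscan over $1 and report. Returns 0 for clean, 1 if infections were
# listed, 2 if clamscan is not available (e.g. a restricted jailshell on
# shared hosting, where the provider's own scanner has to be asked about).
scan_webroot() {
    root="$1"
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not found; ask the hosting provider what scanner they run" >&2
        return 2
    fi
    # -r: recurse; --infected: list only hits; the exclusions only matter when
    # scanning from / and are harmless for a plain web root. No --remove:
    # review the listed files before touching them.
    out=$(clamscan -r --infected --exclude-dir=/sys/ --exclude-dir=/proc/ --exclude-dir=/dev/ "$root" 2>&1)
    printf '%s\n' "$out"
    n=$(printf '%s\n' "$out" | infected_count_from_summary)
    [ "$n" -eq 0 ]
}

# Constructed sample summary in the shape clamscan prints (values are for the demo).
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Known viruses: 8545158
Engine version: 0.103.2
Scanned directories: 693
Scanned files: 5680
Infected files: 0
Data scanned: 438.99 MB
Time: 95.604 sec (1 m 35 s)'

# Stand-alone run: sh script.sh --demo parses the sample summary; pass a
# directory instead (e.g. sh script.sh /var/www/html/site) to scan it.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_SUMMARY" | infected_count_from_summary ;;
    "") ;;
    *) scan_webroot "$1" ;;
esac
```

Keeping freshclam and clamscan separate is the point the post makes: freshclam only refreshes the signature database and takes none of the scan options, so a scheduled job would call freshclam first and then scan_webroot, never the other way round.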
 
