Scan Ubuntu Server for Malware and Rootkits

Posted on January 20th, 2020

Malware infection occurs when malicious software, or malware, infects your system. Some malware gives no sign of its presence, while some causes unexpected behavior on your server. A server-wide scan can help you identify unwanted programs or malicious software on your system.

When you download files or software from suspicious sites, malware may be downloaded to your system or server without your knowledge. Malware can also get into your system when you click a link in a suspicious email sent from an unknown address.

There are different ways to make sure that your server is clean from malware. Some of the scanning software you can utilize to scan your Linux server are ClamAV, Rkhunter, Chkrootkit, Lynis, and Linux Malware Detect (LMD).

 

1) ClamAV

ClamAV is a free and versatile open-source antivirus engine that detects malware, viruses, and other malicious programs and software on your system. It can be used to scan emails, as it supports all mail file formats. ClamAV can scan both archives and compressed files, in formats such as tar, zip, rar, 7zip, and more. It is available on a multitude of platforms, including the majority of Linux-based systems such as Ubuntu, Debian, CentOS and more.

To install ClamAV on your Ubuntu server, run the following command.

$ sudo apt-get install clamav clamav-daemon

After the successful installation of ClamAV and its modules, you should update the virus database by running the following command.

$ sudo freshclam

After updating the virus definitions for ClamAV, you can run the following command to test if scanning is working correctly.

$ sudo clamscan -r <Directory>

If you want to run the scanning on your home directory, then you can run the following command.

$ sudo clamscan -r /home

If the directory you specified (/home) is free of viruses and malware, the scan should come back with no infected files.

If you want to show only the infected files after the scanning, then you can use the following command.

$ sudo clamscan -r -i <Directory>

To perform a complete server-wide scan, you can run the following command.

$ sudo clamscan --infected --recursive --exclude-dir="^/sys" /

The above command scans all directories except /sys to avoid unwanted warning printouts.
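A scheduled scan needs a machine-readable verdict rather than a printout. The following added example (not from the original post) combines clamscan's exit status with the detection lines of a saved report; the function names and the sample report are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original post. clamscan exit status:
# 0 = no virus found, 1 = virus(es) found, 2 = some error(s) occurred.

# Read a clamscan report on stdin; print "signature<TAB>path" per detection.
# Detection lines look like "<path>: <signature> FOUND".
clam_detections() {
    while IFS= read -r line; do
        case $line in
            *": "*" FOUND")
                rest=${line% FOUND}
                # Split on the last ": " so paths containing ": " stay intact.
                printf '%s\t%s\n' "${rest##*: }" "${rest%: *}" ;;
        esac
    done
}

# Usage: clam_verdict <exit-status> < report
# Returns 0 (clean), 1 (infected) or 2 (scan error) and prints a summary.
clam_verdict() {
    hits=$(($(clam_detections | wc -l)))
    if [ "$1" -ge 2 ]; then
        echo "scan error: clamscan exited with status $1"; return 2
    elif [ "$1" -eq 1 ] || [ "$hits" -gt 0 ]; then
        echo "infected: $hits file(s)"; return 1
    fi
    echo "clean"; return 0
}

# Constructed sample report (paths and signature name are made up).
sample_report() {
    cat <<'EOF'
/home/alice/notes: v2/eicar.txt: Eicar-Test-Signature FOUND
/home/bob/readme.txt: OK

----------- SCAN SUMMARY -----------
Scanned files: 2
Infected files: 1
EOF
}

# On a real server (not run here):
#   sudo clamscan --infected --recursive --exclude-dir="^/sys" / > report.txt
#   clam_verdict $? < report.txt
sample_report | clam_verdict 1 || true
```

A status of 2 means the scan itself was incomplete, so it should be treated as a failure rather than as a clean result.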

 

2) Rkhunter

Rkhunter is a commonly used scanner for checking your Ubuntu server for rootkits and general vulnerabilities. Rkhunter is also known as RKH or Rootkit Hunter. It is a free and powerful open-source tool that is simple to use and is well known for scanning for backdoors, rootkits, and other general vulnerabilities on POSIX-compliant systems, such as Ubuntu, CentOS, Debian, etc. You can use this tool for security monitoring, rootkit hunting, and to detect hidden security holes.

To install the Rkhunter tool using the package manager on the Ubuntu system, run the following command.

$ sudo apt-get install rkhunter

After installation, you need to update the file properties database. To update the file properties database, run the following command.

$ sudo rkhunter --propupd

The above command lets the Rkhunter scanner know the current state of individual files, to avoid false alarms during scanning. After updating the file properties, run the following command to start the scan.

$ sudo rkhunter --checkall

This scanner runs through some system commands, network settings, localhost settings, and files to check for actual rootkits and malware. Then, it records the findings to a log file. You can get a condensed look at the scan log using the command below. After checking the logs, you can take further steps to improve your server security.

$ sudo cat /var/log/rkhunter.log | grep -i warning

If you want to scan your Ubuntu server every day at a particular time (for example, 4 am) and send the report to your email address, add the following cron entry.

0 4 * * * /usr/bin/rkhunter -c 2>&1 | mail -s "Rkhunter Report of the Server" <your-email-address>

The above cron job runs at 4 am every day and sends a report to your email address with the subject "Rkhunter Report of the Server".

 

3) Chkrootkit

On a Linux-based system, the Chkrootkit tool helps to identify any signs of a rootkit. It is a free and open-source rootkit detector that helps to detect hidden security holes. This tool runs many security checks and points you to suspicious findings so that you can work toward resolving a rootkit infection.

You can install the Chkrootkit tool on most Linux distributions, such as CentOS, Ubuntu, Debian, etc., with the help of package managers. To install the Chkrootkit tool, run the following command.

$ sudo apt-get install chkrootkit

After the installation, you can run the following command to scan your Ubuntu server.

$ sudo chkrootkit

This scan checks for infections and rootkits on your server and prints its findings. You can check the output for any warnings and take the necessary actions to resolve them. Note that on Ubuntu, Chkrootkit version 0.49 can give a definite false warning for the Suckit rootkit. So, it is essential to double-check the output using the Rkhunter tool.

By default, Chkrootkit does not write its output to a report. So, if you wish to save the report to a file to check the findings later, you can run the following command, which uses tee to redirect the printout to a log file.

$ sudo chkrootkit | sudo tee /var/log/chkrootkit/chkrootkit.log

You can check these logs for any warnings by using the following command.

$ sudo cat /var/log/chkrootkit/chkrootkit.log | grep -i warning

If you want to run the chkrootkit scan every day at a particular time (for example, 2 am) and send the report to your email address, add the following cron entry.

0 2 * * * /usr/sbin/chkrootkit 2>&1 | mail -s "Chkrootkit Report of the Server" <your-email-address>

The above cron job runs at 2 am every day and sends a report to your email address with the subject "Chkrootkit Report of the Server".
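The double-check against Rkhunter advised above can be scripted. This added example (not from the original post) lists Chkrootkit hits and reports, for each rootkit it names, what an Rkhunter log says about the same name. The function names are hypothetical, the log lines are constructed samples modelled on the two tools' output, and "Examplekit" is a made-up name.

```bash
#!/bin/sh
# Added example, not from the original post: triage chkrootkit output and
# cross-check rootkit hits against an rkhunter log.

# chkrootkit prints upper-case "INFECTED" for hits and "not infected" for clean
# checks, so match case-sensitively; grep -i infected would list clean lines too.
chk_findings() { grep -e 'INFECTED' -e 'Warning' "$1" || true; }

# For each "Searching for <name> rootkit... INFECTED" hit, say whether the
# rkhunter log warns about <name>, reports it as not found, or has no entry.
cross_check() {
    chk_log=$1
    rkh_log=$2
    chk_findings "$chk_log" |
    sed -n 's/^Searching for \(.*\) rootkit\.\.\..*INFECTED.*$/\1/p' |
    while IFS= read -r name; do
        if grep -iF -- "$name" "$rkh_log" | grep -q 'Warning'; then
            echo "$name: confirmed by rkhunter"
        elif grep -iF -- "$name" "$rkh_log" | grep -q 'Not found'; then
            echo "$name: not confirmed by rkhunter"
        else
            echo "$name: no rkhunter result"
        fi
    done
}

# Constructed sample logs; "Examplekit" is a made-up name for the demo.
write_samples() {
    cat > "$1/chkrootkit.log" <<'EOF'
Checking `ls'...                              not infected
Checking `bindshell'...                       INFECTED (PORTS:  465)
Searching for Suckit rootkit...               Warning: /sbin/init INFECTED
Searching for Examplekit rootkit...           Warning: /usr/bin/x INFECTED
EOF
    cat > "$1/rkhunter.log" <<'EOF'
[04:00:12]   Suckit Rootkit                   [ Not found ]
[04:00:13]   Examplekit Rootkit               [ Warning ]
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
cross_check "$demo_dir/chkrootkit.log" "$demo_dir/rkhunter.log"
rm -rf "$demo_dir"
```

A hit that Rkhunter does not confirm still deserves a manual look at the flagged file; the cross-check only tells you which findings two independent tools agree on.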

 

So this is how you scan Ubuntu server for Malware and Rootkits. If you need any further help, please do reach our support department.

5 Responses to “Scan Ubuntu Server for Malware and Rootkits”

  1. Steen Rabol says:

    sudo clamscan -infected -recursive –exclude-dir=“^/sys” /

    just gives an error:

    clamscan: illegal option — n
    ERROR: Unknown option passed
    ERROR: Can’t parse command line options

  2. Luka says:

    You have to replace — with –, otherwise it won’t execute properly.
