Scan CentOS for Malware, Viruses, and Rootkits

Last modified: July 30, 2020

A well-maintained configuration and a regularly updated system give your server an extra layer of protection, but it is still essential to scan the system frequently for malware, viruses, and rootkits. Regular scanning helps to confirm that the server is clean. In this tutorial, we look at different tools to scan a CentOS server for malware, viruses, and rootkits.

Different tools help to scan your CentOS system, and some of them are:

  • ClamAV
  • Rkhunter
  • chkrootkit
  • ISPProtect and more

Let’s get started with the ClamAV first.

1) ClamAV

ClamAV is an open-source antivirus engine that is free and versatile. This scanning engine is available on the majority of the Linux distributions.

To install ClamAV on CentOS, run the following command as a sudo user.

$ sudo yum install clamav clamav-update clamav-server-systemd clamav-scanner-systemd

After the installation, edit the two configuration files and comment out the Example line in each with the following sed commands.

$ sudo sed -i -e "s/^Example/#Example/" /etc/freshclam.conf
$ sudo sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf

Next, update the virus database for ClamAV by running the following updater application.

$ sudo freshclam

After updating the virus database, you can scan a directory with the following command.

$ sudo clamscan -r -i <Directory_name>

In the above command, <Directory_name> is the location to scan. For example, to scan the /xyz directory, run the following command.

$ sudo clamscan -r -i /xyz

To perform a complete scan of your server, run the following command.

$ sudo clamscan --infected --recursive --exclude-dir="^/sys" /

Scanning the /sys pseudo-filesystem only produces warning output, so the above command excludes it from the scan.
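The full scan above is usually run from cron, where nobody reads the terminal, so the result has to be machine-readable. The following wrapper is an added example and not part of the original tutorial: it maps the clamscan exit status (0 clean, 1 infected, 2 error, as documented in clamscan(1)) to a verdict, pulls the "Infected files" counter out of the scan summary, and excludes /proc and /dev alongside /sys. The log path, the helper names and the sample scan output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: wrap the full ClamAV scan
# so a cron job or monitoring agent gets a machine-readable result.
# clamscan exit codes (see clamscan(1)): 0 = clean, 1 = infected, 2 = error.
# /sys, /proc and /dev are pseudo-filesystems that only produce noise,
# so they are excluded the same way the tutorial excludes /sys.

SCAN_LOG=${SCAN_LOG:-/var/log/clamav/fullscan.log}   # assumption: log location

# Map a clamscan exit status to a one-word verdict.
clamscan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Read clamscan output on stdin and print the "Infected files: N" counter
# from its summary block; prints 0 if the summary is missing (aborted scan).
infected_count() {
    awk '/^Infected files:/ { n = $3 } END { print n + 0 }'
}

# Constructed sample of clamscan output, used to exercise infected_count.
sample_scan_output() {
    cat <<'EOF'
/srv/upload/eicar.txt: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Scanned directories: 1
Scanned files: 2
Infected files: 1
EOF
}

# Scan the whole server as root (an unprivileged scan skips unreadable files
# and under-reports), log everything, and print a one-line summary.
run_full_scan() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_full_scan: must run as root" >&2
        return 2
    fi
    clamscan --infected --recursive \
        --exclude-dir='^/sys' --exclude-dir='^/proc' --exclude-dir='^/dev' \
        / >"$SCAN_LOG" 2>&1
    status=$?
    echo "verdict=$(clamscan_verdict "$status") infected=$(infected_count <"$SCAN_LOG") log=$SCAN_LOG"
    return "$status"
}

# Only start the scan when invoked as: sudo sh clamav-fullscan.sh --run
if [ "${1:-}" = "--run" ]; then
    run_full_scan
fi
```

Because the function returns clamscan's own exit status, a cron.d entry or a monitoring check can alert on any non-zero result, and the full per-file listing stays in the log for triage.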

2) Rkhunter

Rkhunter is one of the best-known standard options for scanning your system for rootkits and general vulnerabilities. It is an open-source, powerful, and free scanning tool that helps with rootkit hunting, security monitoring, and detecting hidden security holes. Rkhunter is also known as Rootkit Hunter or RKH.

To install Rkhunter on CentOS, run the following command with sudo privilege.

$ sudo yum install rkhunter

After the installation, update the file properties database by running the following command.

$ sudo rkhunter --propupd

The above command records the current state of specific files so the scanner has a known baseline, which helps to avoid false alarms during scanning. Run it only on a system you trust to be clean, because whatever state the files are in becomes the baseline.

After updating the file properties, run the following command to scan CentOS to detect any vulnerabilities or rootkits.

$ sudo rkhunter --checkall

This scanner runs through the system commands, network settings, localhost settings, and files to check for actual rootkits, malware, and vulnerabilities. The findings of the scan are recorded to a log file.

Run the following command to have a condensed look at the scan log.

$ sudo grep -i warning /var/log/rkhunter/rkhunter.log

3) Chkrootkit

Chkrootkit is a standard security scanner used to detect rootkits on your server. A rootkit is a malicious program or file that can take control of your server without your knowledge. The CentOS repository does not package this tool, so we need to download and build the latest version.

Since Chkrootkit includes C programs, you need the C/C++ compiler and the glibc-static package. To install GCC and the static library package, run the following commands.

$ sudo yum update
$ sudo yum install wget gcc-c++ glibc-static

Download the latest version of Chkrootkit from their website.

$ sudo wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

Next, download the md5 hash file published alongside Chkrootkit. Checking the archive against it verifies that the download was not corrupted or tampered with in transit; since the hash comes from the same server as the archive, it does not protect against a compromise of that server. Run the following commands to download the md5 hash file and verify the archive.

$ sudo wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
$ sudo md5sum -c chkrootkit.md5

The above command prints an OK message if the archive matches the published hash.

chkrootkit.tar.gz: OK

Now, extract and build Chkrootkit with the following commands. Note that cd is a shell builtin, so it is run without sudo; only the build step needs elevated privileges.

$ sudo tar -xzf chkrootkit.tar.gz
$ sudo mkdir /usr/local/chkrootkit
$ sudo mv chkrootkit-0.52/* /usr/local/chkrootkit
$ cd /usr/local/chkrootkit
$ sudo make sense

Run the following command to scan CentOS with Chkrootkit. The short form only works if /usr/local/chkrootkit is on root's PATH; otherwise use the full path.

$ sudo chkrootkit
or
# /usr/local/chkrootkit/chkrootkit

To enable automatic daily scanning, create the script /etc/cron.daily/chkrootkit.sh with the following content, make it executable, and replace <Server_Name> and <Your_emailID> with your own values.

#!/bin/sh

(
/usr/local/chkrootkit/chkrootkit
) | /bin/mail -s 'CHKROOTKIT Daily Run <Server_Name>' <Your_emailID>

If you run the Chkrootkit scan on an email server, you may see the following false positive. It can be ignored, because the port it reports is the secure SMTP (SMTPS) port of your email system.

Checking `bindshell'...                                     INFECTED (PORTS:  465)
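The daily script above mails the whole report every day, including the bindshell/465 false positive, which trains people to ignore the mail. The following job is an added example, not the tutorial's cron script: it keeps only lines that look like findings, drops the bindshell report only when 465 is the sole port listed (a report with additional ports is still surfaced), and mails only when something remains. The install path, the recipient, the keyword patterns and the two sample reports are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a daily job that runs
# chkrootkit, drops the documented bindshell/465 false positive and mails
# only when other findings remain. Binary path, recipient and the keyword
# patterns below are assumptions, not values from the tutorial.

CHKROOTKIT=${CHKROOTKIT:-/usr/local/chkrootkit/chkrootkit}
RECIPIENT=${RECIPIENT:-root}      # assumption: local root mailbox
HOST=$(uname -n)

# Keep only lines that look like findings (assumed keywords), then drop the
# bindshell report when 465 is the ONLY port listed. The pattern is anchored
# at end of line so "PORTS:  465 1524" is still reported.
findings_only() {
    grep -E 'INFECTED|Warning|Possible' \
        | grep -vE 'bindshell.*INFECTED \(PORTS: +465\)$'
}

# Number of findings left after filtering (always prints a number).
count_findings() {
    findings_only | awk 'END { print NR }'
}

# Constructed chkrootkit output for a mail server: only the known false positive.
sample_clean_report() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `bindshell'...                                     INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
EOF
}

# Constructed output with real findings: an extra port and an LKM warning.
sample_suspicious_report() {
    cat <<'EOF'
Checking `basename'... not infected
Checking `bindshell'...                                     INFECTED (PORTS:  465 1524)
Checking `lkm'... Warning: Possible LKM Trojan installed
EOF
}

# Run the scan; mail the filtered findings when there are any. Returns 0 when
# clean so cron-monitoring tools can key off the exit status.
run_daily() {
    report=$("$CHKROOTKIT" 2>&1)
    hits=$(printf '%s\n' "$report" | count_findings)
    if [ "$hits" -gt 0 ]; then
        printf '%s\n' "$report" | findings_only \
            | /bin/mail -s "CHKROOTKIT $HOST: $hits finding(s)" "$RECIPIENT"
    fi
    [ "$hits" -eq 0 ]
}

# Only scan when invoked as: /usr/local/sbin/chkrootkit-daily.sh --run
if [ "${1:-}" = "--run" ]; then
    run_daily
fi
```

Because run-parts calls /etc/cron.daily scripts without arguments, install this one under /usr/local/sbin and schedule it from an /etc/cron.d entry that passes --run, the same way the ISPProtect cron line later in this tutorial calls its scanner.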

4) ISPProtect

The ISPProtect tool scans website files and CMS installations such as Joomla, WordPress, and Drupal. Websites on a web hosting server are especially prone to attack, so regular sanity checks are recommended. ISPProtect contains 5 engines that scan for malware on your website. It is paid software, but you can use the free trial without registration to check for and clean malware on your server. The server needs PHP and ClamAV installed to run ISPProtect.

To install ISPProtect on CentOS, run the following bundle of commands.

# mkdir -p /usr/local/ispprotect
# chown -R root:root /usr/local/ispprotect
# chmod -R 750 /usr/local/ispprotect
# cd /usr/local/ispprotect
# wget http://www.ispprotect.com/download/ispp_scan.tar.gz
# tar -xzf ispp_scan.tar.gz
# rm -f ispp_scan.tar.gz
# ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan

Next, run the following command to start ISPProtect.

# ispp_scan

The above command checks for updates and prompts for the license key. If you use the free trial, enter the key 'trial'. Then enter the website path, for example '/var/www'.

After filling the key and scan path, the scanner starts the scan. At the end of the scan, the infected file details get displayed on the screen. Also, the report gets stored in a file in the ISPProtect directory for future reference.

To update ISPProtect software, run the following command.

# ispp_scan --update

To run the ISPProtect scan automatically at 2 AM every day, create the cron file /etc/cron.d/ispprotect with nano and add the following line.

# nano /etc/cron.d/ispprotect

0 2  * * *   root            /usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --path=/var/www --email-results=<Your_emailID> --non-interactive --scan-key=<License_key>

If you want to see the full options of ISPProtect, run the following command.

# ispp_scan --help

 
