Problem
There comes a time when you are wondering what is happening to your server, or in my case a hosting server where I host my own and my clients' websites...
and Bam! You get a warning from your datacenter or hosting provider that your server was sending lots of spam emails, or even worse, DoS (Denial of Service) attacks.
You are like, shit, not this again, and the timing could not have been worse 🙁
Anyway, enough of the drama. Below are the steps I have laid out for how I go about solving this problem.
Scanning: ClamAV
The first step is to scan for infected files. This can be done in multiple ways; here is how to do it using ClamAV, which can be installed on most Linux servers.
I have modified the command line to simply append the results to a txt file (-r scans recursively, -i lists only the infected files). This guide does not cover installing ClamAV on your server, as that can easily be found with a Google search.
cd /tmp
clamscan -r -i /home >> clamlog.txt
Scanning: Rkhunter
The rkhunter tool can be installed with the following commands on Ubuntu (apt) and CentOS (yum, after enabling the EPEL repository) based systems.
$ sudo apt install rkhunter
# yum install epel-release
# yum install rkhunter
To check your server with rkhunter, run the following command.
rkhunter -c
Scanning: ISPProtect
The first step is to scan for infected files. This can be done in multiple ways, but this is what works for me.
There are many scripts out there which can help you detect infections, but ISPProtect is what has helped me. It is a paid product.
They give you a first scan for free, so you can try it out as a trial on one of your servers.
So basically you connect to the server via SSH and run the script:
cd /tmp
wget https://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz
./ispp_scan
Instead of running the above script interactively, I let it run in the background, just in case the SSH connection gets lost:
./ispp_scan --path=/home --email-results=root@localhost --non-interactive --scan-key=AAA-BBB-CCC-DDD
ISPProtect Pricing
Their pricing is quite affordable if you are running a serious business. I simply got the 100-scan license option and use it when it is required.
Malware Removal
So this is the part that gets challenging. There are multiple ways of doing this, but there is no single method which solves all problems.
Method 1: Delete the infected files
Method 2: Anti-Malware from GOTMLS.NET
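As an added example (not from the original post, and not part of ClamAV, rkhunter or ISPProtect), here is a POSIX sh helper that reads the clamlog.txt produced in the ClamAV step and quarantines each file reported as FOUND instead of deleting it, mirroring the original path under a quarantine directory and writing a manifest so a false positive can be restored. The sandbox tree, log contents and signature names at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Hypothetical helper: read the clamlog.txt written by "clamscan -r -i" and
# move every file reported as FOUND into a quarantine directory instead of
# deleting it outright.

# quarantine_from_clamlog LOGFILE QUARANTINE_DIR
# Prints the number of files moved; exit status 1 if a listed file was gone.
quarantine_from_clamlog() {
    log=$1; qdir=$2; moved=0; missing=0
    mkdir -p "$qdir"
    list=$(mktemp)
    grep ' FOUND$' "$log" > "$list" || true      # a log with no hits is fine
    while IFS= read -r line; do
        path=${line%: * FOUND}                   # strip ": <signature> FOUND"
        sig=${line#"$path: "}; sig=${sig% FOUND}
        if [ ! -f "$path" ]; then
            echo "missing (already removed?): $path" >&2
            missing=$((missing + 1)); continue
        fi
        dest=$qdir$path                          # path is absolute, so it nests
        mkdir -p "$(dirname "$dest")"
        mv "$path" "$dest" && chmod 0000 "$dest" # unreadable, unexecutable once moved
        printf '%s\t%s\t%s\n' "$(date -u +%FT%TZ)" "$sig" "$path" >> "$qdir/manifest.tsv"
        moved=$((moved + 1))
    done < "$list"
    rm -f "$list"
    echo "$moved"
    [ "$missing" -eq 0 ]
}

# Constructed sample data: a fake site tree and a clamscan log referring to it.
# Signature names are placeholders, not real ClamAV signatures.
SANDBOX=$(mktemp -d)
QDIR=$SANDBOX/quarantine
mkdir -p "$SANDBOX/site/wp-content/uploads" "$SANDBOX/site/wp-content/themes/x"
echo "placeholder: pretend this is infected" > "$SANDBOX/site/wp-content/uploads/image.php"
echo "placeholder: pretend this is infected" > "$SANDBOX/site/wp-content/themes/x/footer.php"
echo "placeholder: clean file" > "$SANDBOX/site/index.php"
LOG=$SANDBOX/clamlog.txt
cat > "$LOG" <<EOF
$SANDBOX/site/wp-content/uploads/image.php: Php.Malware.Placeholder-1 FOUND
$SANDBOX/site/wp-content/themes/x/footer.php: Php.Trojan.Placeholder-2 FOUND
$SANDBOX/site/gone.php: Php.Malware.Placeholder-3 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
EOF
if count=$(quarantine_from_clamlog "$LOG" "$QDIR"); then
    echo "quarantined $count file(s) under $QDIR"
else
    echo "quarantined $count file(s); some listed files were already gone" >&2
fi
```

The third log entry points at a file that no longer exists, which the helper reports on stderr and reflects in its exit status rather than aborting the run.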
Since most of the problems I have seen are due to infections of WordPress sites, I use this tool to scan and fix the infected files.