How to scan server for malware?

Up to 6,000 websites are blacklisted by Google every day for serving malware. Almost all of these pages are known as “compromised sites,” meaning that without the knowledge of the owner of the domain, it was infected with malware.

A malware infection can cost you both SEO ranking and business credibility, and it could take weeks, if not months, to build the site traffic back.

In our role as support engineers for web hosts, we perform these four tasks to keep servers free from malware.

1. Setup file upload scanning

Malware gets into the server primarily by two means:

  • Software exploits – Web application vulnerabilities such as Cross Site Scripting (XSS), Remote File Inclusion (RFI), etc. let attackers upload malware.
  • Using stolen login details – Attackers use phishing mails, brute force attacks or drive-by downloads to steal FTP or web application login details, which are then used to infect websites.

To fight these channels of infection, use an upload-time file scanner for Email, FTP and Web disk services.

Several FTP servers can hook into anti-virus software. Similarly, web application firewalls such as ModSecurity can be combined with malware-scanning tools.

Note, however, that this may lead to legitimate uploads being flagged as viruses. So keeping an eye on the logs, and creating custom rules to fit your server, is critical.

ClamAV anti-virus can be integrated with the ModSecurity web application firewall to detect malware uploaded via web interfaces.

2. Configure process scanning

A “process” is a task executed by the server. For example, if your browser requests an image from a website, a task (aka process) with a unique ID is created to serve you that image.

Such user requests are usually completed within a few seconds. So, if a user’s task is seen running for more than 10 seconds, it is likely to be malicious.

Malicious long-running processes that are triggered by a user script may be

In Windows, several anti-virus applications have process monitoring (aka scanning) switched on by default. On Linux servers, however, you may need to install and configure process monitoring yourself, using software such as Linux Failure Daemon (LFD).
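The 10-second heuristic above, as an added example that is not part of the original article or of any of the tools it names: a small POSIX shell script that flags processes owned by regular users (assumed to be UID 1000 and above; adjust for your distribution) that have been running longer than a threshold. It assumes a procps `ps` that supports the `etimes` column, and the sample `ps` output is constructed for demonstration.

```shell
#!/bin/sh
# Flag user-owned processes running longer than a threshold.
# Reads lines in the format produced by:
#   ps -eo pid=,uid=,user=,etimes=,comm=
# (pid, numeric uid, user name, elapsed seconds, command), one per line.
# Usage: flag_long_running THRESHOLD_SECONDS MIN_UID < ps_output
flag_long_running() {
    threshold="$1"
    min_uid="$2"
    # Skip system accounts (uid below min_uid) and keep only processes
    # whose elapsed time exceeds the threshold.
    awk -v t="$threshold" -v m="$min_uid" '
        NF >= 5 && $2 >= m && $4 > t {
            printf "pid=%s user=%s elapsed=%ss cmd=%s\n", $1, $3, $4, $5
        }'
}

# Number of flagged processes, useful as an alert threshold from cron.
count_long_running() {
    flag_long_running "$1" "$2" | wc -l | tr -d ' '
}

# Live check: 10 s threshold from the article, UID 1000 as the first
# regular account (assumption; some distributions start at 500).
scan_live() {
    ps -eo pid=,uid=,user=,etimes=,comm= | flag_long_running 10 1000
}

# Constructed sample of ps output (not captured from a real server).
SAMPLE_PS='  101    0 root      86400 sshd
  202 1001 alice        45 php
  203 1001 alice         3 php
  204 1002 bob         600 perl
  205   33 www-data   9000 apache2'

if [ "${RUN_LIVE:-0}" = "1" ]; then
    scan_live
else
    # Demo run over the sample: flags alice's php (45 s) and bob's perl (600 s).
    printf '%s\n' "$SAMPLE_PS" | flag_long_running 10 1000
fi
```

Run with `RUN_LIVE=1` to check the live system; long-running `apache2` or `sshd` entries are excluded because they run under system accounts, which is why the uid cutoff matters.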


3. Setup file scanning based on filesystem change

Scanning files at upload time is the ideal way to catch malware, but on some servers it may not be possible to cover every channel (file shares, web panel uploads, etc.).

In such situations, you can set up anti-virus tools to track changes to the filesystem and scan all newly changed (or created) files.

On Linux servers, filesystem changes can be tracked using a kernel feature called inotify. One tool that uses inotify to trigger malware scans is Maldet (aka LMD).

4. Schedule periodic full server scanning

Anti-virus databases are not always up to date. So it is possible that a piece of malware was uploaded to the server before its signature was added to the anti-virus database.

So, it’s good practice to scan the entire server for malware at least once a day.

Some tools, such as RkHunter, ChkRootkit and Lynis, can detect compromises at the administrator (root) level. Here’s the RkHunter screenshot.

You may use Maldet, ClamAV or any of the other scanners for scanning the webspace.

Bonus tip – Use multiple anti-virus databases

No single vendor can protect against all the malware on the internet. So, gathering malware signatures from a wide variety of vendors is the easiest way to improve coverage.

There are several free malware signature databases, such as SaneSecurity, ScamNailer, ExtremeShock, etc., which can increase the malware detection rate on your server.

On Windows servers, use several anti-virus programs, such as ClamWin, Malwarebytes and Microsoft Security Essentials.

In short...

Because of malware infections, thousands of websites get blacklisted every day. It is possible to prevent nearly all of these infections by following a few best practices in malware scanning. We’ve run through the top 4 ways of setting up and using anti-malware software today.

Bobcares allows online companies of all sizes, using tried and tested technologies, to achieve world-class security and uptime. We will be happy to talk to you if you’d like to know how to make your server more reliable.