
Author Topic: Maldet - Installation and scan  (Read 3617 times)


sajugovind

  • Guest
Maldet - Installation and scan
« on: July 19, 2014, 08:19:43 pm »
Linux Malware Detect (http://www.rfxn.com/projects/linux-malware-detect/) is a useful utility to scan the account for infected files. Its installation is pretty simple:

Code:
cd /usr/src/
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
./install.sh

Do not run maldet unless you've installed clamav and run freshclam to update the database.

Code:
yum -y install clamav
freshclam

maldet -a /path/to/folder is the basic command to scan the account. e.g:

Code:
rook:/root# maldet -a /home/<user>/public_html
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <proj@r-fx.org>
            (C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(8862): {scan} signatures loaded: 9876 (8008 MD5 / 1868 HEX)
maldet(8862): {scan} building file list for /home/<user>/public_html, this might take awhile...
maldet(8862): {scan} file list completed, found 9201 files...
maldet(8862): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(8862): {scan} scan of /home/<user>/public_html (9201 files) in progress...
maldet(8862): {scan} processing scan results for hits: 12 hits 0 cleaned
maldet(8862): {scan} scan completed on /home/<user>/public_html: files 9201, malware hits 12, cleaned hits 0
maldet(8862): {scan} scan report saved, to view run: maldet --report 090412-0757.8862
maldet(8862): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 090412-0757.8862

"malware hits 12, cleaned hits 0" is the main thing to see. "hits" shows the number of infected files; this shows there are 12 infected files within this account. The list of infected files can be viewed with maldet --report 090412-0757.8862. Do note that each report has its own ID, so the ID will be mentioned in the output. If you run that command, the output will be as follows:

Code:
malware detect scan report for <hostname>:
SCAN ID: 090412-0757.8862
TIME: Sep  4 07:58:10 -0700
PATH: /home/sagarkau/public_html
TOTAL FILES: 9201
TOTAL HITS: 12
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 090412-0757.8862
FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.14 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/d5870a174968f65345ee22cf$
{HEX}gzbase64.inject.unclassed.14 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/5be1b0eb204f511e95f68ba5$
{HEX}php.cmdshell.fx29.249 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/n.php
{HEX}gzbase64.inject.unclassed.14 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/fa0f3bc2d16b64dd04bd6b1e$
{HEX}php.cmdshell.unclassed.344 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/live.php
{HEX}php.cmdshell.ra1.327 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/crew.php
{HEX}gzbase64.inject.unclassed.14 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/ec67e31a0ccf361433ff268c$
{HEX}gzbase64.inject.unclassed.14 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/6ae6ba59fcaca6cbc7ec9a75$
{HEX}gzbase64.inject.unclassed.14 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/b054a7ad27a73131e5d914ac$
{HEX}PHP.Shell-22 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/javu.php
{HEX}gzbase64.inject.unclassed.14 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/ba26688d4574a2ab193cdb9a$
{HEX}php.nested.base64.510 : /home/sagarkau/public_html/wp-content/themes/dandelion/functions/cache/a7e5c0d871ac53185e166f877486e1d$
===============================================
Linux Malware Detect v1.4.1 < proj@rfxn.com >

Thank you,
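The post above reads the scan output and the report by eye. As an added example (not from the original post, and not part of maldet), here is a POSIX shell script that parses the two formats shown: it pulls the report ID and hit count out of the console tail of "maldet -a", and from the saved report it lists the flagged files, counts how often each signature fired, and counts the hits whose signature names a command shell or web shell, which are the ones to deal with first. The sample scan output and report are constructed to match the formats in the post; the hostname and paths are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Helpers for triaging a maldet run from its console output and its saved
# report. Added example; not part of the original post or of maldet itself.
# The sample texts below are constructed to match the formats shown above.

# Console tail of a scan, as printed by "maldet -a <path>" (constructed).
SAMPLE_SCAN='maldet(8862): {scan} processing scan results for hits: 5 hits 0 cleaned
maldet(8862): {scan} scan completed on /home/example/public_html: files 9201, malware hits 5, cleaned hits 0
maldet(8862): {scan} scan report saved, to view run: maldet --report 090412-0757.8862
maldet(8862): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 090412-0757.8862'

# Report as shown by "maldet --report <id>" (constructed; paths are placeholders).
SAMPLE_REPORT='malware detect scan report for host.example:
SCAN ID: 090412-0757.8862
TIME: Sep  4 07:58:10 -0700
PATH: /home/example/public_html
TOTAL FILES: 9201
TOTAL HITS: 5
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 090412-0757.8862
FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.14 : /home/example/public_html/wp-content/themes/sample/cache/d5870a17.php
{HEX}php.cmdshell.unclassed.344 : /home/example/public_html/wp-content/themes/sample/cache/live.php
{HEX}gzbase64.inject.unclassed.14 : /home/example/public_html/wp-content/themes/sample/cache/5be1b0eb.php
{HEX}PHP.Shell-22 : /home/example/public_html/wp-content/themes/sample/cache/javu.php
{HEX}gzbase64.inject.unclassed.14 : /home/example/public_html/wp-content/themes/sample/cache/ec67e31a.php
==============================================='

# Pull the report id out of the "scan report saved" line so the report can be
# opened without copying the id by hand.
maldet_scan_id() {
    printf '%s\n' "$1" | sed -n 's/.*maldet --report \([0-9]*-[0-9]*\.[0-9]*\).*/\1/p'
}

# Number of malware hits, taken from the "scan completed" line.
maldet_hit_count() {
    printf '%s\n' "$1" | sed -n 's/.*malware hits \([0-9]*\),.*/\1/p'
}

# File paths flagged in the report's FILE HIT LIST (one per line).
maldet_hit_files() {
    printf '%s\n' "$1" | sed -n 's/^{[A-Z]*}[^ ]* : \(.*\)$/\1/p'
}

# Signature names with how often each fired, most frequent first ("N name").
maldet_sig_summary() {
    printf '%s\n' "$1" | sed -n 's/^\({[A-Z]*}[^ ]*\) : .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Hits whose signature names a command shell or web shell. A planted shell
# gives whoever dropped it interactive access, so these are cleaned first and
# the access logs around their modification time are reviewed.
maldet_shell_hits() {
    printf '%s\n' "$1" | grep -i -e 'cmdshell' -e 'php\.shell' | wc -l | tr -d ' '
}

# Walk-through on the constructed samples.
id=$(maldet_scan_id "$SAMPLE_SCAN")
echo "report id: $id  (view with: maldet --report $id)"
echo "malware hits: $(maldet_hit_count "$SAMPLE_SCAN")"
echo "signature summary:"
maldet_sig_summary "$SAMPLE_REPORT"
echo "web shell hits: $(maldet_shell_hits "$SAMPLE_REPORT")"
echo "flagged files:"
maldet_hit_files "$SAMPLE_REPORT"
```

On a real run, replace the two sample strings with the captured output of `maldet -a` and `maldet --report <id>`. Quarantining with `maldet -q <id>`, as the scan output suggests, moves the flagged files out of the document root; the list from maldet_hit_files is what you keep for the follow-up, since the cache directory the hits sit in is not where a theme normally writes PHP files.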