
Author Topic: Find malicious code on website  (Read 3243 times)


Vinil

  • Guest
Find malicious code on website
« on: December 14, 2013, 06:33:30 am »
Here is a little piece of code that I run. It searches within cgi and php files for certain strings, and then places the file name within another file so that you can go through them:


Quote
find /home/ \( -name "*.cgi" -o -name "*.php" \) -print0 | xargs -0 egrep -l 'c99shell|r57shell|WebShell|phpshell|shell|c100|base64' >> /root/report


netstat -anp : This will help you look for programs attached to ports that you did not install / authorize

find / \( -perm -a+w \) ! -type l >> world_writable.txt : which will look at world_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system.

NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.


find / -nouser -o -nogroup >> no_owner.txt :  Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.



Now download and install Linux Malware Detect (LMD).

Code:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd maldetect-1.4.2/
./install.sh


Scan your files:

# maldet -a /home/?/public_html

This will scan all your account files. To scan one particular folder, use this option.

# maldet -a /home/username


Use ClamAV

Simply log into WHM, go to the cPanel section and click "Plugins". Check the box next to "clamavconnector" and click save at the bottom of the page. This will install ClamAV.

Update antivirus database:

freshclam

Scan a directory and print out infected files:

clamscan -ri /home

Scan a directory and remove infected files and emails:

clamscan -ri --remove /home
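The post's signature grep and world-writable check, combined into one reusable scan as an added example (this is not code from the post, nor from LMD or ClamAV). The signature list is copied from the egrep command above; the report format and the `write_report` function name are assumptions.

```python
import os
import re
import stat

# Signature strings from the post's egrep command, matched case-insensitively.
SIGNATURES = ["c99shell", "r57shell", "WebShell", "phpshell", "shell", "c100", "base64"]
SIG_RE = re.compile("|".join(re.escape(s) for s in SIGNATURES), re.IGNORECASE)
SCRIPT_SUFFIXES = {".php", ".cgi"}


def scan_signatures(root):
    """Return {path: sorted list of signature hits} for .php/.cgi files under root.
    Symlinks are skipped and files are read as bytes so binary junk cannot abort the scan."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):  # os.walk does not follow symlinked dirs
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.splitext(name)[1].lower() not in SCRIPT_SUFFIXES:
                continue
            with open(path, "rb") as f:
                text = f.read().decode("utf-8", errors="replace")
            found = {m.group(0).lower() for m in SIG_RE.finditer(text)}
            if found:
                hits[path] = sorted(found)
    return hits


def find_world_writable(root):
    """Files and directories under root whose 'other' write bit is set (symlinks excluded),
    i.e. the locations the post's world_writable.txt check is meant to surface."""
    out = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if os.lstat(path).st_mode & stat.S_IWOTH:
                out.append(path)
    return sorted(out)


def write_report(root, report_path):
    """Append both kinds of finding to a report file (assumed format, one finding per line),
    mirroring the post's '>> /root/report' redirects. Returns (signature_count, world_writable_count)."""
    sig = scan_signatures(root)
    ww = find_world_writable(root)
    with open(report_path, "a") as f:
        for path, names in sig.items():
            f.write(f"SIGNATURE {path} {','.join(names)}\n")
        for path in ww:
            f.write(f"WORLD_WRITABLE {path}\n")
    return len(sig), len(ww)
```

Expect the bare `shell` and `base64` signatures to be noisy on legitimate code; the per-file hit list is there so each match can be reviewed by hand before anything is removed.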