Share your knowledge at the LQ Wiki.
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 02-18-2016, 05:43 AM   #1
Registered: Feb 2010
Posts: 45

Rep: Reputation: 0
Cleanup infected webserver


I have a webserver (Debian 8.3 with Apache 2.4 and PHP 5.6.17) and the whole server seems to be infected. I have shut it down for now to investigate and I'm going to setup a new server. BUT, I don't want to just transfer everyone's html_doc to the new server as there could be infected code in there.

There seem to be other processes running with weird names such as "././crond" and "/usr/sbin/apach" running by a sites user.

I've tried various scanners, example 'maldet' and various rootkit scanners etc.
Maldet has detected some code but I can still find files with malicious code in when I look in them.

My question is, how do you guys handle this kind of situation?
Are there other tools to find more dangerous code? And how do you find out HOW they manage to get in to the server in the first place?

I'm very interested in this as I don't want to find my new server infected again and start all over.

I have around 30 sites on this server.

Old 02-18-2016, 09:43 AM   #2
LQ Veteran
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,340
Blog Entries: 36

Rep: Reputation: Disabled
Originally Posted by Patric.F View Post
I'm very interested in this as I don't want to find my new server infected again and start all over.
First and foremost:
Not that I'm typical, or even good at this, but I usually start with the logs in /var/log/* and I look for what stands out.
"sites user" seems like a good starting point.

I usually check for incorrect file permissions.
Anything not File=644 and Directory=755 is immediately suspect, unless it's expected, such as .cgi stuff.
and then compare those files from suspicious stuff in /var/log/*

I do not allow the customer to dictate what permissions they "need".
If you allow "users" to ftp in and edit /var/www/some/path, then ftp credentials are immediately suspect.

I check the logs for files being dropped in /tmp or /var/tmp
I check the logs for wget, curl, lwp-<something>, exec, rm -f, unzip, tar...

maldet -d; maldet -u
using maldet 1.5
clamscan will tell you what's in files that it says are infected.
clamscan does not clean anything, it can move or delete infections, if told to do so, and easily identifies infections.

With 30 some sites, I'd
clamscan -ir /var/www/ > /root/scan.rpt
which will scan recursively and report only infected files.
Examine /root/scan.rpt closely and compare to hits in examining /var/log/*

Wordpress or other popular target platforms? e107, Joomla! up-to-date?
Not up-to-date Plugins are ruthlessly targeted.
What Content "system" are these sites using? What is the common-denominator?
All of them up-to-date?

apache should run as httpd/www-data

That's a basic start. Other more experienced board members, and security pros will offer other techniques I may have missed
without my daily caffeine.

Last edited by Habitual; 02-18-2016 at 09:54 AM.
Old 02-24-2016, 10:02 AM   #3
Registered: Feb 2010
Posts: 45

Original Poster
Rep: Reputation: 0
Man, this was not fun. I scanned the entire server with clamscan and found a bunch, I then examined the logs to see what files where accessed etc.
I thought I got it pretty much cleaned up so I booted it up. It was pretty quiet for a while and then I found that the permissions where all wrong on each vhosts html_doc folder so you could technically access anyone's files if you wanted. I fixed this and then it pretty much stopped.
There where some files left but I think I have found the majority of them now as I've been watching the logs.

I also found a "bug" in maldet. lets say you are in the folder /var/www and run "maldet -a" it won't scan everything in there. For some reason you have to specify the whole path, in this case /var/www/ and then in started to scan everything, with found some more stuff.

Thanks for the tip and everything. This was not fun at all!
Old 02-24-2016, 12:15 PM   #4
LQ Veteran
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,340
Blog Entries: 36

Rep: Reputation: Disabled
Glad it worked out.
I always specify the full path using maldet.
Not a bug. see
maldet --help
Keep an eye on things.
I use this on a critical server (that can send emails)
# 12/10/2015
/usr/local/sbin/maldet -d ; /usr/local/sbin/maldet -u 
/usr/local/sbin/maldet -a /opt/zimbra/store
/usr/local/sbin/maldet --report $(/usr/local/sbin/maldet --report list | head -6 | tail -1 | awk '{print $8}')
Save as somewhere like /root/
chmod 700 /root/
The above script will run and email you the last report from that scan.

Change /opt/zimbra/store to /var/www/
and you should be golden.

Maldet will run every day via cron and email you the report from the run (server permitted) at
00 0 * * * /root/
Good Luck.

Last edited by Habitual; 02-24-2016 at 12:49 PM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Find and replace malicious strings in infected PHP files on my web server derfing Linux - General 4 09-18-2015 04:03 AM
Locating Infected Files in Logs carlosinfl Linux - Server 5 10-29-2010 02:42 PM
LXer: BleachBit to cleanup unwanted files on your openSUSE LXer Syndicated Linux News 0 04-17-2009 08:30 PM
Is it possible for media files such as ogg mp3 avi files to be infected with a virus? christianunix Linux - Newbie 1 03-21-2009 06:15 AM
clamav: infected files provkitir Linux - Security 2 12-20-2004 02:19 AM > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 01:04 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration