

how to clean a server from malwares




Posted by sysguru, 12-27-2011, 09:05 AM
What's the best method to clean a server from malware? I've used maldetect, but the problem is still there; the malware comes back again after some time. What's the best method to clean poor websites and the server?

Posted by pmabraham, 12-27-2011, 09:54 AM
Good day: Solve the problem, not just the symptoms. http://www.rfxn.com/projects/linux-malware-detect/ along with Clam Anti-Virus (in addition to) can be helpful in detecting malware. If you use cPanel, Nobody Check can help as well. There are other methods of finding the malware on the server. However, until the root of the problem is solved, the malware will just come back. Frequent malware problems typically mean one or several of the following:

The server is not secured (hardened)
The server was hardened, but is not kept secured
There are one to many vulnerable end-user applications on the server

Clean up the malware, and then fix the root causes of the problem. Thank you.

Posted by prashant1979, 12-27-2011, 10:12 AM
http://www.rfxn.com/projects/linux-malware-detect/ is a good option to detect and clean malware. Initially you can keep the quarantine option off to avoid genuine files being quarantined. You will get an email report once the malware detect is run. Once you are sure there are no false positives, you can enable quarantine.

Posted by fshagan, 12-27-2011, 10:59 AM
Can you give us a bit more info on the infection? Is it affecting all accounts on the server? Try this within the home folder of an affected account (if you have shell access): Note the space and "." at the end of the command. Some hacks have taken to inserting a PHP command to auto_append a file to any file served by the webserver. In a recent infection I cleaned, the file name was "google_verify.php" and it had the JavaScript redirect code that was added at the end of thousands of files. This command was added to the .htaccess file in the account's web root, as well as the /forums/ and other subfolders. You can use that same grep command to look for a unique string of the infection itself. For instance, I noted the infection I recently cleaned had a string of characters like this: "MQv1aN". That helped me find the files so infected.
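The two detection steps fshagan describes above (grep an account's files for a unique signature string, and check every .htaccess for an auto_append directive), as an added example that is not part of the thread: a POSIX shell script that builds a constructed sample web root and scans it. The signature "MQv1aN" and the file name google_verify.php are taken from the post; the directory layout, file contents and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a constructed sample web
# root under a temp directory, then runs the two checks fshagan describes:
#   1. which files contain a known infection signature string
#   2. which .htaccess files append/prepend a PHP file to every served page
# Assumptions: signature "MQv1aN" and google_verify.php come from the post;
# all paths and file contents below are constructed sample data.

SAMPLE_ROOT="${TMPDIR:-/tmp}/webroot_sample.$$"

# build_sample_root: one clean PHP file, one file carrying the signature,
# one .htaccess with an auto_append_file directive and one clean .htaccess.
build_sample_root() {
    mkdir -p "$SAMPLE_ROOT/public_html/forums"
    printf '<?php echo "hello"; ?>\n' > "$SAMPLE_ROOT/public_html/index.php"
    printf '<?php echo "forum"; ?>\n<script>/*MQv1aN*/</script>\n' \
        > "$SAMPLE_ROOT/public_html/forums/index.php"
    printf 'RewriteEngine On\nphp_value auto_append_file "/home/acct/public_html/google_verify.php"\n' \
        > "$SAMPLE_ROOT/public_html/.htaccess"
    printf 'Options -Indexes\n' > "$SAMPLE_ROOT/public_html/forums/.htaccess"
}

# find_signature ROOT SIG: print every file under ROOT that contains the
# fixed string SIG (no regex interpretation, so random-looking signatures
# with special characters are matched literally).
find_signature() {
    grep -rlF -- "$2" "$1" 2>/dev/null
}

# find_append_directives ROOT: print every .htaccess under ROOT that sets
# auto_append_file or auto_prepend_file, the mechanism described in the post.
find_append_directives() {
    find "$1" -name .htaccess -exec grep -lE 'auto_(ap|pre)pend_file' {} + 2>/dev/null
}

# cleanup_sample_root: remove the constructed tree again.
cleanup_sample_root() {
    rm -rf "$SAMPLE_ROOT"
}

build_sample_root
echo "Files containing signature MQv1aN:"
find_signature "$SAMPLE_ROOT" MQv1aN
echo "htaccess files with auto_append/auto_prepend directives:"
find_append_directives "$SAMPLE_ROOT"
cleanup_sample_root
```

On a real account you would point `find_signature` and `find_append_directives` at the account's home directory instead of the sample tree; grep -F keeps the signature literal, which matters when the random string happens to contain regex metacharacters.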

Posted by SafeSrv, 12-27-2011, 11:37 AM
The characters are always random and the files are always in different places. If you delete them, most of the time they come back with a new name and a new method; it could be embedded into files within your site and could be running somewhere else on the system, too many possibilities to list. Depending on your site, to be safe reload the system, reinstall your site software from new packages (not your own files), go through whatever other files you have and make sure there is no code or shells hiding under proper names, and Google search for PHP shells within files or on your system. Or else get a professional to clean up for you, someone who knows what they are doing.

Posted by mattmackman, 12-27-2011, 10:41 PM
Install maldet and RKHunter.

Posted by sysguru, 12-28-2011, 01:18 AM
Most of the websites are WordPress and Joomla sites. Only one of the reseller accounts is affected, and it keeps on getting malware. It's hard to clean and fix each website under that reseller account.

Posted by fshagan, 12-28-2011, 02:14 AM
I'm using ConfigServer's CXS malware scanner; you can configure your own file signatures to scan for, and get a list of all files with that certain signature. It can also block files uploaded via FTP, SFTP or PHP (FileManager). It's $50, a one-time fee.

Posted by khunj, 12-28-2011, 03:18 AM
It is not malware you should be looking for, but one (or more) vulnerabilities in the site. Find them, patch them, and no more malware afterwards.


