+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Support Area (/forum-30.html)
+--- Forum: System Setup & Installation (/forum-32.html)
+--- Thread: malware scanner (/thread-8624.html)
malware scanner - xchrix - 12-01-2009 08:51 AM
hello
how do you protect your servers from malware. i hat the problem that someone installed bad php scripts at an wbespace of a customer. so my ip got listed at a badware index site. so all sites are shown as untrusty because they all have the same ip. i have removed the malware and now i have to wait that google checks again..
do you know some scanner like rkhunter that this doesnt happen again??
RE: malware scanner - motokochan - 12-01-2009 01:20 PM
rkhunter and chkrootkit only check for system-level issues (as far as I know). Many malware scripts can be easily obfuscated, so it's difficult to check for a simple text string.
If you are paranoid, you could set up something like tripwire, but it can be very noisy on a webserver, especially when including web files for watching on changes.
RE: malware scanner - xchrix - 12-01-2009 06:42 PM
hey thanks for your reply. but i think tripwire is not what i am searching for.
i knwo that many malware scripts are obfuscated but there must be a database for known malware script and how the look like.
we only have to make an scanner which scans all html/php files in /var/www/virtual and checks if the code looks the same as an known malware script. i know that we cant get 100% of the scripts out there but old scripts wont work anymore.
RE: malware scanner - kilburn - 12-07-2009 07:47 PM
Have you tried using clamdscan (the file scanner from clamav)? I'm not sure that it will catch these kind of trojans/redirectors, but I would give it a try. Additionally, infected scripts used to try commands or send e-mails tend to be noisy and/or make strange requests, so logwatch monitoring your apache logfiles should be a good way to catch them...