ispCP - Board - Support
malware scanner - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Support Area (/forum-30.html)
+--- Forum: System Setup & Installation (/forum-32.html)
+--- Thread: malware scanner (/thread-8624.html)



malware scanner - xchrix - 12-01-2009 08:51 AM

hello

how do you protect your servers from malware. i hat the problem that someone installed bad php scripts at an wbespace of a customer. so my ip got listed at a badware index site. so all sites are shown as untrusty because they all have the same ip. i have removed the malware and now i have to wait that google checks again..

do you know some scanner like rkhunter that this doesnt happen again??


RE: malware scanner - motokochan - 12-01-2009 01:20 PM

rkhunter and chkrootkit only check for system-level issues (as far as I know). Many malware scripts can be easily obfuscated, so it's difficult to check for a simple text string.

If you are paranoid, you could set up something like tripwire, but it can be very noisy on a webserver, especially when including web files for watching on changes.


RE: malware scanner - xchrix - 12-01-2009 06:42 PM

hey thanks for your reply. but i think tripwire is not what i am searching for.
i knwo that many malware scripts are obfuscated but there must be a database for known malware script and how the look like.

we only have to make an scanner which scans all html/php files in /var/www/virtual and checks if the code looks the same as an known malware script. i know that we cant get 100% of the scripts out there but old scripts wont work anymore.


RE: malware scanner - kilburn - 12-07-2009 07:47 PM

Have you tried using clamdscan (the file scanner from clamav)? I'm not sure that it will catch these kind of trojans/redirectors, but I would give it a try. Additionally, infected scripts used to try commands or send e-mails tend to be noisy and/or make strange requests, so logwatch monitoring your apache logfiles should be a good way to catch them...