malware scanner

[xchrix]

hello

how do you protect your servers from malware. i hat the problem that someone installed bad php scripts at an wbespace of a customer. so my ip got listed at a badware index site. so all sites are shown as untrusty because they all have the same ip. i have removed the malware and now i have to wait that google checks again..

do you know some scanner like rkhunter that this doesnt happen again??

[motokochan]

rkhunter and chkrootkit only check for system-level issues (as far as I know). Many malware scripts can be easily obfuscated, so it's difficult to check for a simple text string.

If you are paranoid, you could set up something like tripwire, but it can be very noisy on a webserver, especially when including web files for watching on changes.

[xchrix]

hey thanks for your reply. but i think tripwire is not what i am searching for.
i knwo that many malware scripts are obfuscated but there must be a database for known malware script and how the look like.

we only have to make an scanner which scans all html/php files in /var/www/virtual and checks if the code looks the same as an known malware script. i know that we cant get 100% of the scripts out there but old scripts wont work anymore.

[kilburn]

Have you tried using clamdscan (the file scanner from clamav)? I'm not sure that it will catch these kind of trojans/redirectors, but I would give it a try. Additionally, infected scripts used to try commands or send e-mails tend to be noisy and/or make strange requests, so logwatch monitoring your apache logfiles should be a good way to catch them...