Unexpected behavior on a Linux server or desktop could be the result of a malware infection and needs to be investigated as soon as possible. Linux computers have an undeserved reputation for being completely safe and virus free; the layers of security and sudo authentication do contribute to a more secure OS, but this belief leads many users to neglect their installations and consequently their security. Periodically scanning your Linux computer with specialized programs is highly recommended, especially for those people who have the habit of running any code from the internet with sudo. Don't do that, seriously!
There are excellent programs that can help identify compromised systems and possible threats on your machine. In this article we'll cover the following programs that I use and recommend:
- ClamAV
- Sophos Antivirus
- Rkhunter
- Chkrootkit
Update your package information
First of all, let's update the package lists of our OS:
$ sudo apt-get update
ClamAV
ClamAV is a very popular open source antivirus that is available on many platforms, including most Linux distributions.
Install with the command below:
$ sudo apt-get install clamav clamav-daemon
After installation we need to update the ClamAV virus database:
$ sudo freshclam
Now that our antivirus is up to date, we can begin our investigation by scanning the home folder:
$ sudo clamscan -r /home
If everything goes as expected and there are no infected files in your home folder, the command will report nothing as infected.
How to test if the antivirus really works?
To test it, we can download a harmless file (the EICAR test file) that is designed to be easily identified by antivirus programs. Run the following command to download it into your home folder:
$ wget -P ~/ http://www.eicar.org/download/eicar.com
Now rescan your home folder with the same command as in the first step and note that you will receive a message informing you that an infected file has been identified. Now that you've confirmed that it works, run the command below to scan and remove the infected file:
$ sudo clamscan --infected --remove --recursive /home
Be very careful when running the command with the --remove option; always run an initial scan without it so as not to delete files that were falsely identified.
To do a complete analysis of your server run the command below:
$ sudo clamscan --infected --recursive --exclude-dir="^/sys" /
This command checks all directories recursively, skipping only the /sys folder to avoid unnecessary alerts.
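A report-only wrapper for the scan procedure above, added here as an example (not code from the original article): it runs clamscan without --remove, keeps the full output in a log, and lists the detected paths for review before anything is deleted. The log path and the sample clamscan output are assumed or constructed for the demonstration.

```shell
#!/bin/sh
# Report-only ClamAV scan wrapper (added example, not from the original article).
# Runs clamscan without --remove, keeps the complete output in a log file, and
# prints only the detected paths so they can be reviewed before any deletion.

SCAN_LOG="${SCAN_LOG:-/var/log/clamav/manual-scan.log}"   # assumed log path

# Constructed clamscan output for the offline demonstration (the first
# signature name is ClamAV's real name for the EICAR file, the second is made up).
SAMPLE_OUTPUT='/home/alice/eicar.com: Eicar-Test-Signature FOUND
/home/alice/notes.txt: OK
/home/alice/bin/tool: Constructed.Test.Signature-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2'

# Print the path of every detection in clamscan output read on stdin.
# clamscan reports one "<path>: <signature> FOUND" line per detection.
infected_paths() {
    grep ' FOUND$' | sed 's/: [^:]* FOUND$//'
}

# Print the number of detections in clamscan output read on stdin.
infected_count() {
    infected_paths | wc -l | tr -d ' '
}

# Recursive, report-only scan of the given paths (default: /home).
# The exit status mirrors clamscan: 0 clean, 1 detections, 2 scan error.
run_scan() {
    [ $# -eq 0 ] && set -- /home
    clamscan --infected --recursive --exclude-dir='^/sys' "$@" > "$SCAN_LOG" 2>&1
    rc=$?
    case "$rc" in
        0) echo "clean: nothing found under $*" ;;
        1) echo "ALERT: $(infected_count < "$SCAN_LOG") detection(s) under $*"
           echo "review $SCAN_LOG before running clamscan with --remove:"
           infected_paths < "$SCAN_LOG" ;;
        *) echo "scan error (clamscan exit status $rc), see $SCAN_LOG" ;;
    esac
    return "$rc"
}
```

Run `run_scan /home` from cron and act on a non-zero exit status; the parsing functions can be fed a saved log at any time.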
Sophos Antivirus
To install Sophos Antivirus we need to create an account on the official website and accept the terms to download the tarball that contains the installer.
Download it to an easily accessible location and extract the tarball:
$ tar xzf sav-linux-free-9.tgz
Navigate to the extracted folder and run the installation script:
$ cd sophos-av
$ sudo ./install.sh
Accept the End User License Agreement (EULA)
Once the installer starts, we need to accept the license agreement. Scroll down to the end and accept to proceed with the installation:
...
I accept the Sophos End User License Agreement and acknowledge the Sophos Privacy Policy. Yes(Y)/No(N)[N]
> Y
Select the installation location. By default the installation goes to the /opt/sophos-av folder:
Where do you want to install Sophos Anti-Virus?[/opt/sophos-av]
> ENTER
Then we can choose to activate the "on-access scan mode"; I recommend that you activate it:
Do you want to enable on-access scanning? Yes(Y)/No(N)[Y]
> ENTER
Now Sophos will ask for permission to update automatically; I recommend enabling it so that newly identified malware is always covered:
Sophos recommends that you configure Sophos Anti-Virus to auto-update.
It can update either from Sophos directly (requiring username/password details) or from your own server (directory or website (possibly requiring
username/password)).
Which type of auto-updating do you want? From Sophos(s)/From own server(o)/None(n)[s]
> ENTER
Now select the free version by typing "f" and pressing Enter.
Do you wish to install the Free(f) or Supported(s) version of SAV for Linux?[s]
> f
After all questions are answered and the installation finishes, a result similar to the one below should be returned:
Fetching free update credentials.
Installing Sophos Anti-Virus.
Selecting appropriate kernel support...
Installation completed.
Your computer is now protected by Sophos Anti-Virus.
This means Sophos Antivirus has been successfully installed and is already protecting your computer.
Important commands for using Sophos Antivirus
Check if Sophos Antivirus is running:
$ /opt/sophos-av/bin/savdstatus
Sophos Anti-Virus is active and on-access scanning is running
Enable or disable loading at system startup:
$ /opt/sophos-av/bin/savdctl enableOnBoot savd
$ /opt/sophos-av/bin/savdctl disableOnBoot savd
Enable or disable Sophos Antivirus "on-access mode":
$ /opt/sophos-av/bin/savdctl enable # Enable
$ /opt/sophos-av/bin/savdctl disable # Disable
Run an on-demand scan:
$ savscan /home/shadowlik
Rkhunter
Rkhunter is a very well-known tool for scanning your system for rootkits and other vulnerabilities. It can be installed directly from the package manager:
$ sudo apt-get install rkhunter
Once installed, before starting to scan the computer, we need to update its file properties database:
$ sudo rkhunter --propupd
This lets the program record the current state of some files to prevent false alerts. Now let's start scanning:
$ sudo rkhunter --checkall
The program scans a set of standard system commands, checking for rootkits and some malware, and also checks network settings. The result of the analysis is displayed on the terminal and saved in a log file with the summary of the operation.
To check the result saved in the log file:
$ sudo grep -i warning /var/log/rkhunter.log
Take your time to read the report and consider the tips to improve your system.
Chkrootkit
Chkrootkit is another very popular tool for scanning your system for rootkits; it performs a series of useful checks that help point you toward possible vulnerabilities. Install it with:
$ sudo apt-get install chkrootkit
To scan just run the command below:
$ sudo chkrootkit
Unlike Rkhunter, Chkrootkit does not write a log file; it just prints the result in the terminal. If you want to save the report for later analysis, use the tee command to direct the output to a file on disk.
$ sudo chkrootkit | sudo tee /var/log/chkrootkit/chkrootkit.log
Now check the file, filtering for warnings:
$ sudo grep -i warning /var/log/chkrootkit/chkrootkit.log
Chkrootkit can be very useful in determining whether your machine has been compromised, but don't rely on it as your only answer; always use it in conjunction with another program to further analyze possible damage to your installation.
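The Rkhunter and Chkrootkit steps above combined into one scheduled check, added here as an example (not code from the original article). It goes a step beyond the text: it keeps one warnings file per run and prints only the warnings that were not present in the previous run, so findings already reviewed as false positives do not bury a new one. The log directory and the sample report lines are assumed or constructed.

```shell
#!/bin/sh
# Rootkit check wrapper (added example, not from the original article).
# Runs rkhunter and chkrootkit non-interactively, stores a normalised warnings
# file per day, and reports only warnings absent from the previous run.

LOG_DIR="${LOG_DIR:-/var/log/rootkit-checks}"   # assumed directory

# Constructed report lines mixing rkhunter and chkrootkit output formats.
SAMPLE_REPORT='[10:00:01] Warning: The command /usr/bin/ls has been replaced by a script
[10:00:02] Info: all checks for known rootkits passed
Checking for constructed rootkit X... not infected
Searching for suspicious files... INFECTED'

# Normalise the warning lines of a report read on stdin: rkhunter writes
# "[hh:mm:ss] Warning: ..." lines and chkrootkit prints "INFECTED" for a
# positive check (its clean result "not infected" is lowercase, so the match
# is case-sensitive). The timestamp is stripped so runs compare equal.
extract_warnings() {
    grep -E 'Warning|INFECTED' | sed 's/^\[[0-9:]*\] *//' | sort -u
}

# Print the warnings in file $2 that do not appear in file $1.
# If $1 (the previous run's warnings) is missing or empty, every warning is new.
new_warnings() {
    if [ -s "$1" ]; then
        grep -vxF -f "$1" "$2" || true
    else
        cat "$2"
    fi
}

run_checks() {
    today=$(date +%Y%m%d)
    mkdir -p "$LOG_DIR"
    previous=$(ls "$LOG_DIR"/warnings-*.txt 2>/dev/null | grep -v "$today" | tail -n 1)
    # --sk: no keypress prompts; --rwo: report warnings only
    rkhunter --checkall --sk --rwo > "$LOG_DIR/rkhunter-$today.log" 2>&1
    # -q: quiet mode, prints only positive results
    chkrootkit -q > "$LOG_DIR/chkrootkit-$today.log" 2>&1
    cat "$LOG_DIR/rkhunter-$today.log" "$LOG_DIR/chkrootkit-$today.log" \
        | extract_warnings > "$LOG_DIR/warnings-$today.txt"
    echo "new warnings since ${previous:-(no previous run)}:"
    new_warnings "$previous" "$LOG_DIR/warnings-$today.txt"
}
```

Refresh the rkhunter baseline with `rkhunter --propupd` only after a legitimate package update, otherwise a replaced binary would be accepted as normal.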