The common perception is that viruses and malware attack only Windows machines, is often a costly one. Granted, Windows is the largest target, but now with more Linux-based systems (think IoT) connected to the internet, there are malware directed at Linux systems as well. There is always a chance that your VPS could get infected with malware, something that could be used to send bulk emails, be a controller in orchestrating a DDoS or for other purposes.
Recent Notorious Attacks
At the start of 2018, RubyMiner was an attack that in it’s initial stage attempted to attack 30% of the world’s internet using an old HTTP vulnerability. The attacker attempted to install a modified version of XMRig, a miner for the cryptocurrency Monero. Though only 700 servers were infected and a net $540 earned by the exploit, as reported by Check Point, it shows that security on Linux servers should not be taken lightly.
In 2017, the Erebus Ransomware was ported to target Linux and in one instance, affecting 153 servers of a South Korean web hosting company. Years earlier, a Java Backdoor affected Linux servers. Once affected, the servers became a bot in a DDoS attack on an unnamed bulk email service
A classic rootkit scanner, it helps you search for suspicious rootkit processes and finds known rootkit files. Running as a shell script, it checks system binaries for modifications and reports file modifications. It can also identify lastlog deletions and various LKM Trojans.
chkrootkit can be installed on Ubuntu/Debian systems via a simple apt-get command. For other flavors, you can download and compile the source code from the website (http://www.chkrootkit.org/download/).
When installed via apt, a cron job is available with parameters controlled by the configuration file. You may edit the configuration file (/etc/chkrootkit.conf) and make it run daily. For instances where the code is compiled from source, setup a cron job to run daily at a time of your choice.
chkrootkit (and in general most malware detection systems) identify malware by searching for “signatures” in binary files that commonly identify a compromised file. This means that an attacker could modify a known “signature” and still compromise a system. Fortunately, chkrootkit has a solution. Let us say, the new signature is a reference to a cryptocurrency name (fictionally, VRUS) , you could run chkrootkit in expert mode (-x option) and search for this like so
# chkrootkit –x | egrep ‘VRUS’
This makes chkrootkit versatile to find new threats even before a new version is rolled out by the developers
rkhunter, or rootkit hunter is another active tool that identifies common rootkits and removes them. You can install rkhunter after downloading it from their sourceforge repository.
rkhunter needs to run once and set the values of the current system as “clean” and store this information in a rkhunter.dat file. Each subsequent run works by comparing against this database. Therefore, if you already suspect a compromised server, rkhunter would not really help.
ClamAV is a very popular anti-virus tool that is used both on linux desktops and servers. While the desktop version can be setup with a GUI (via the installation of ClamTK), the command line version is perfect for servers. ClamAV can be installed via apt/yum (CentOS requires installing the epel repo).
ClamAV also has a component called freshclam, which updates the virus definition database on a daily basis by downloading a main.cvd and daily.cvd files. ClamTK greatly helps in setting up scheduled scans, but for the cli version, you will have to rely on setup a cron job. Set it up to run on a daily basis at a time when the server load and traffic are minimal.
Sophos-AV is a free software from Sophos that provides on-demand and scheduled anti-virus and malware detection using Live Protection. Download the latest version from the Sophos website and run the install script.
A key differentiator here in Sophos’ favor is that it prevents your server from being a distribution point for other platform viruses. If a hacker replaced your valid download – an .exe file for your Windows users, with a virus infested one, Sophos will detect and mark the file for your action.
Finally, we will look at Maldet, (Linux Malware Detect) which is an open source scanner that works best when the node is used for shared hosting. It detects php backdoors, bulk mailers and other malicious files uploaded on the server. Though not available directly from any base repositories, it is available as a tar file for download and installation. Maldet uses latest threat information from the network with an option for users to submit suspected malware via their LMD Checkout feature.
On cPanel servers, it is recommended to install ClamAV as well, for maldet to use the ClamAV engine for better detection.