Detecting Malicious Software: A Guide to Finding Malware Scripts on Linux Servers
- Understanding the type of Linux Threats
- PHP Malware
- Investigative Techniques for Uncovering Malware
- Log File Analysis
- Analyzing Running Processes and Services
- Investigate running processes with ps
- Investigate network connections with
- Investigate sockets with ss
- List open files with lsof
- Detecting with scanners
Linux servers are often considered more secure than servers running other operating systems, yet they are not immune to malicious software. As the use of Linux in the server market continues to grow, so does the importance of knowing how to detect and manage malware scripts that target these systems. This guide is a tutorial on finding malware on Linux servers.
If you are a WordPress user and want to read a great article about how to clean malware on WordPress check out: When your WordPress site gets hacked, you are locked out, call wp-cli to the rescue.
Understanding the type of Linux Threats
In later updates of this tutorial I will cover how to deal with malware and clean it up.
Types of Malware on Linux
While Linux is well known for its robust security features, it is not immune to malware. Malicious software on Linux can range from simple bash scripts to complex programs designed to exploit vulnerabilities or perform unauthorized activities.
One key aspect of Linux malware is its stealth, as it often aims to remain undetected to carry out its objectives over extended periods.
Malware targeting Linux systems can be categorized based on behavior and impact. The most common are:
- Rootkits, which maintain unauthorized root-level access to the system,
- Trojans, which disguise themselves as a legitimate server service,
- Backdoors, which run a service that gives attackers remote access,
- Botnets, which hijack server resources for coordinated attacks.
PHP, as a popular scripting language, has its share of malware scripts, so this article contains many examples of detecting PHP malware.
Shell Commands to find PHP malware
These commands can detect possible malicious scripts. It is up to you to closely inspect the content of these scripts.
Dangerous PHP Functions to search for
Here is a list of functions commonly used in malware that might infect your server.
- eval() - evaluates a string as PHP code, including running shell functions,
- system() - executes an external program,
- exec() - executes an external program,
- shell_exec() - executes a command via the shell,
- passthru() - executes an external program,
- popen() - opens a process file pointer,
- escapeshellcmd() - escapes shell meta-characters,
- pcntl_exec() - executes the specified program in the current process space,
- backtick operator - backticks in PHP enclose a command that is run through the shell.
eval within PHP scripts
The eval() PHP function evaluates a string as PHP code, so it can easily be misused to hide malicious PHP code.
shell_exec web-shells and backdoors
The shell_exec() PHP function executes the given command via the shell, so it can be misused as a web shell, acting as a stealthy backdoor.
Search for both functions with one command.
Find malware scripts on your server
Or search for all of these functions with one command.
If you do not want the content of the script displayed and just need the file name, use
File search by the owner
Find out which files were created by the web server user, which in this case is www-data.
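The two searches described above, as an added example that is not part of the original article: a grep over a web root for the dangerous functions listed earlier (file names only), and a find for files owned by the web server user. The web root, the user name and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: search a web root for PHP
# files calling the functions listed above, and list files owned by the web
# server user. The web root and user name used below are assumptions.

# Extended regex built from the function list above. A function name must
# not be preceded by an identifier character (so retrieval( does not match
# eval(), and the backtick operator is matched as a pair of backticks.
DANGEROUS_PHP_RE='(^|[^A-Za-z0-9_])(eval|system|exec|shell_exec|passthru|popen|escapeshellcmd|pcntl_exec)[[:space:]]*\(|`[^`]+`'

# Print only the names of *.php files under $1 that match (grep -l), so
# no script content is dumped to the terminal; inspect each hit by hand.
find_dangerous_php() {
    find "$1" -type f -name '*.php' -exec grep -lE "$DANGEROUS_PHP_RE" {} + 2>/dev/null | sort
}

# Number of matching files: handy as a one-number check from cron.
count_dangerous_php() {
    find_dangerous_php "$1" | wc -l | tr -d ' '
}

# Print regular files under $1 owned by user $2. Files the web server
# process itself created (uploads, dropped scripts) show up here.
find_owned_by() {
    find "$1" -type f -user "$2" 2>/dev/null | sort
}

# Usage on a real server (assumed paths and user):
#   find_dangerous_php /var/www
#   find_owned_by /var/www www-data
```

A hit only means the file calls one of these functions; legitimate code does too, so the list is a starting point for manual review, not a verdict.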
Investigative Techniques for Uncovering Malware
Log File Analysis
Log file analysis is a critical component of detecting malware on Linux servers. By closely examining logs of both system and application activity, administrators can detect potential security breaches. Focus on anomalies that deviate from normal operation, such as:
- failed login attempts,
- unexpected software installations,
- unauthorized changes to system files.
Key log files to monitor include:
- /var/log/auth.log for authentication records,
- /var/log/syslog for system-related messages,
- /var/log/apache2/access.log for Apache web server access records,
- /var/log/apache2/error.log for Apache web server error records,
- /var/log/nginx/access.log for NginX web server access records,
- /var/log/nginx/error.log for NginX web server error records,
- /var/log/mail.log for mail server records.
Tip: Consistently check and analyze logs with automated tools to quickly identify potential threats. Creating a baseline of typical activity patterns greatly helps in spotting anything unusual.
When checking logs, search for patterns and connections between events. One unusual incident might not mean malware, but repeated occurrences or a mix of suspicious events are worth investigating further. Use tools like grep and other command-line options to filter and search through log data effectively. Remember, analyzing logs promptly is crucial to minimize the impact of potential security incidents.
Investigate log files with grep
Here are some examples. The search is case-insensitive because sshd logs "Failed password" with a capital F.
grep -i 'failed\|invalid' /var/log/auth.log
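Building on the grep above, an added example (not from the original article) that counts the matching auth.log lines per source IP so that a single stray failure and a brute-force run can be told apart. The log path, the threshold and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: count the "failed" and
# "invalid" auth.log lines from the grep above per source IP, so a single
# stray failure and a brute-force run are told apart. Log path and threshold
# are assumptions; the sample log below is constructed.

# Print "IP count" for every source IP with at least one failed-password or
# invalid-user line, most active first. Matching is case-insensitive because
# sshd logs "Failed password" with a capital F.
failed_logins_by_ip() {
    grep -iE 'failed|invalid' "$1" \
        | grep -oE 'from [0-9]+(\.[0-9]+){3}' \
        | awk '{ n[$2]++ } END { for (ip in n) print ip, n[ip] }' \
        | sort -k2,2nr -k1,1
}

# Print only the IPs whose count reaches threshold $2.
suspicious_ips() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# Constructed sample of sshd lines in auth.log format, written to file $1.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Mar 10 02:14:01 web1 sshd[2150]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar 10 02:14:03 web1 sshd[2150]: Failed password for root from 203.0.113.45 port 51830 ssh2
Mar 10 02:14:04 web1 sshd[2150]: Failed password for root from 203.0.113.45 port 51831 ssh2
Mar 10 02:14:05 web1 sshd[2161]: Invalid user test from 198.51.100.9 port 40011
Mar 10 02:15:10 web1 sshd[2170]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
EOF
}

# Usage on a live server (assumed path and threshold):
#   suspicious_ips /var/log/auth.log 10
```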
Analyzing Running Processes and Services
When checking a Linux server for possible malware, it is important to look at the processes and services currently running. Malicious software can masquerade as a normal system process, so spotting anything unusual is crucial. Use the ps command to list all running processes and look for those that have no clear purpose or consume an unusual amount of resources.
To scrutinize services further, the systemctl command reveals which services are active.
Note: Treat unusual CPU and memory utilization percentages as possible signs of suspicious activity.
Rootkits are a specific worry when checking processes and services: they hide malware and can fool common system monitoring tools. Use a rootkit detection tool such as rkhunter for a more thorough investigation.
Tip: Always compare process lists with logs of network activity. Irregularities in one can often be linked to unusual discoveries in the other, giving a better understanding of possible security breaches.
Investigate running processes with ps
List every process on the system:
List a process tree:
Get security info:
ps -eo euser,ruser,suser,fuser,f,comm,label
To see every process running as www-data (the user associated with the web server service; change the user as needed):
ps -U www-data -u www-data u
Investigate network connections with
Show open ports and the services that opened them.
Investigate sockets with ss
The ss command is provided by the iproute2 package.
List connections with source port 80
Display all established SMTP connections
Display all established HTTP connections
List all TCP sockets with process info and source IP address
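As an added example (not part of the original article), two small filters over plain ss -tnp output: one summarises established connections to a local port by peer address, the other shows where a named process has sockets open, which is the view you want when a web worker is connecting out rather than serving. The sample output and the process names in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise `ss -tnp`
# output by peer address for a given local port, and list where a named
# process has connections open. The sample output below is constructed;
# process names and addresses in it are illustrative.

# Read plain `ss -tnp` output on stdin (the state-filtered form
# `ss state established` drops the State column, so filter here instead).
# Column 4 is Local Address:Port, 5 is Peer Address:Port, 6 is Process.
# Print "peer count" for established connections to local port $1.
peers_by_local_port() {
    awk -v port="$1" '
        $1 == "ESTAB" {
            lp = $4; sub(/.*:/, "", lp)
            if (lp == port) { peer = $5; sub(/:[0-9]+$/, "", peer); n[peer]++ }
        }
        END { for (p in n) print p, n[p] }' \
    | sort -k2,2nr -k1,1
}

# Print "pid peer" for every established socket owned by process name $1,
# e.g. to see where a PHP worker is connecting to, not just what it serves.
process_peers() {
    awk -v name="$1" '
        $1 == "ESTAB" && index($6, "(\"" name "\"") {
            pid = $6; sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            print pid, $5
        }' | sort
}

# Constructed sample in the layout of `ss -tnp`; the last line shows a
# web worker with an outbound connection, which is worth a closer look.
sample_ss_output() {
    cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51234 users:(("nginx",pid=1234,fd=12))
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51240 users:(("nginx",pid=1234,fd=13))
ESTAB 0 0 10.0.0.5:80 198.51.100.3:44100 users:(("nginx",pid=1235,fd=9))
ESTAB 0 0 10.0.0.5:25 203.0.113.7:50010 users:(("master",pid=800,fd=5))
ESTAB 0 0 10.0.0.5:43312 192.0.2.99:6667 users:(("php-fpm",pid=2222,fd=4))
EOF
}

# Usage on a live server:
#   ss -tnp | peers_by_local_port 80
#   ss -tnp | process_peers php-fpm
```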
List open files with lsof
The following command lists all files opened by the www-data user, which in my case is the NginX web server.
List files opened by the www-data user and filter by
Detecting with scanners
Detecting malware with Maldet
Maldet is great, free software that can detect and quarantine malware. For installation and setup I recommend the cloudweeb.maldet Ansible role.
To install the role:
ansible-galaxy role install cloudweeb.maldet
The following is the playbook.
- hosts: maldet_group
  roles:
    - role: cloudweeb.maldet
After the installation a cron script is created.
Trigger a manual scan by running
maldet --scan-all /var/www/
After the malware scan completes, you can access the results by running