How to Scan and implement malware audit in Linux

Where necessary, you may need to have access to a VPS server so you can follow how to implement the steps in this article.  You can get a cheaper VPS Server from Contabo with 4vCPU cores, 8GM RAM, and 32TB Bandwidth for less than $5.50 per month. Get this deal here now

Table of Contents

Cloud VPS S

$5.50 Monthly
  • 4 vCPU Cores | 8GB RAM


$15.50 Monthly
  • 6 vCPU Cores | 16GB RAM


$17.50 Monthly
  • 8 vCPU Cores | 24GB RAM

Detecting and removing malware from a Linux server involves a combination of manual and automated methods. Here’s a general guide to help you through the process:

Check for Unusual Processes

Use tools like ps, top, or htop to identify any suspicious or unfamiliar processes running on the system.

Here is a full guide on how to list Linux Processes using the Terminal

Review Log Files

Examine system logs for any unusual activities. Check logs such as /var/log/syslog, /var/log/auth.log, and /var/log/messages.

tail -f /var/log/syslog

Look for any errors or suspicious entries.

Here is a full guide on How to check for Apache error logs.

Check Network Connections

Use netstat or ss to inspect active network connections. Look for unexpected connections or high network traffic.

Here is a full guide on How to use netstat command in Linux

Use Antivirus Software

Install and run antivirus software for Linux, such as ClamAV. Update the virus definitions before scanning the system.

sudo apt-get install clamav 
sudo freshclam 
sudo clamscan -r /path/to/scan

Rootkit Detection

Run rootkit detection tools to scan for potential malicious software. Tools like rkhunter and chkrootkit can be helpful.

sudo apt-get install rkhunter
sudo rkhunter --check
sudo apt-get install chkrootkit
sudo chkrootkit

RECOMMENDED READING: How to audit your Linux Server for optimal Security

Review Startup Processes

Checking startup processes and scripts for suspicious entries in Linux is an essential part of system security. Here are some steps you can follow to examine and monitor startup processes

Inspect Startup Services

Check the services that start at boot time. The systemctl command can be used to list and examine services.

systemctl list-units --type=service

Review the list for any unexpected or suspicious services.

Examine Startup Scripts

Explore the system’s startup scripts to identify any anomalies. Startup scripts are typically located in directories such as /etc/init.d/, /etc/rc.d/, or /etc/systemd/system/.

ls /etc/init.d/
ls /etc/rc.d/
ls /etc/systemd/system/

Inspect the content of these scripts for any unusual commands or configurations.

Review Startup Configuration Files

Check configuration files that control startup processes. Common locations include /etc/rc.local or specific configuration files for your init system.

cat /etc/rc.local

Check Auto-Start Applications

Some desktop environments may have autostart directories where applications are launched at login. For example, in GNOME:

ls ~/.config/autostart/

Review the content of these files.

Verify Package Integrity

Ensure the integrity of installed packages using package management tools. Verify that packages have not been compromised.

sudo apt-get update
sudo apt-get check

RECOMMENDED READING: How to automate updating package lists in Linux using cron jobs

Examine Cron Jobs

Inspect the cron jobs for any unexpected or suspicious entries.

crontab -l

Additionally, check system-wide cron jobs:

ls /etc/cron*

RECOMMENDED READING: What are Cron Jobs and how to use them in Linux Systems?

Check for Modified Files

Use tools like find to identify recently modified files.

find / -type f -mtime -1

Verify System Files

Compare critical system files with their original versions from the package manager to identify changes.

  • For Debian-based systems:
debsums -a
  • For RPM-based systems:
rpm -Va 

RECOMMENDED READING: How to manage files and directories on a Linux server?

Hire us to handle what you want

Hire us through our Fiverr Profile and leave all the complicated & technical stuff to us. Here are some of the things we can do for you:

  • Website migration, troubleshooting, and maintenance.
  • Server & application deployment, scaling, troubleshooting, and maintenance
  • Deployment of Kubernetes, Docker, Cloudron, Ant Media, Apache, Nginx,  OpenVPN, cPanel, WHMCS, WordPress, and more
  • Everything you need on AWS, IBM Cloud, GCP, Azure, Oracle Cloud, Alibaba Cloud, Linode, Contabo, DigitalOcean, Ionos, Vultr, GoDaddy, HostGator, Namecheap, DreamHost, and more.

We will design, configure, deploy, or troubleshoot anything you want. Starting from $10, we will get your job done in the shortest time possible. Your payment is safe with Fiverr as we will only be paid once your project is completed.