Malware Scanning
Linux servers can be compromised by malware: crypto miners that consume CPU, web shells that give attackers remote code execution, backdoors that maintain persistent access, and botnets that use your server for DDoS or spam. Malware scanning tools help detect these threats. Unlike on Windows, Linux antivirus (ClamAV) is mainly useful for scanning files that pass through the server (email, uploads) rather than protecting the server itself — the more valuable tools check for common attack patterns and unusual resource consumption.
ClamAV antivirus
sudo apt install -y clamav clamav-daemon
# Update the virus database
sudo freshclam
# Scan a directory
sudo clamscan -r --infected /var/www/html # -r = recursive, --infected = show only infected
# Scan the entire system (slow)
sudo clamscan -r --infected /
# Run the clamd daemon (used by clamdscan; on-access scanning additionally requires clamonacc to be configured)
sudo systemctl enable --now clamav-daemon
clamscan output
----------- SCAN SUMMARY -----------
Known viruses: 8700000
Scanned files: 15234
Infected files: 1
/var/www/html/uploads/shell.php: PHP.Webshell.Generic FOUND
Scanning for web shells
# Web shells: PHP/Python/Perl files giving attackers remote code execution
# Most appear in upload directories or are disguised as image files
# Find recently modified PHP files (common after a compromise)
find /var/www -name "*.php" -mtime -7 -type f 2>/dev/null
# Find PHP files in directories that should only have images
find /var/www/html/uploads -type f \( -name "*.php" -o -name "*.php5" \) 2>/dev/null
# Look for common web shell indicators in PHP files; requiring "(" after the name cuts noise from comments and variable names
sudo grep -rnE "(eval|base64_decode|system|exec|passthru|shell_exec)[[:space:]]*\(" /var/www/html --include="*.php" | head -20
# Find files with execute permissions in web directories (suspicious)
find /var/www -perm /111 -name "*.php" 2>/dev/null
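The checks above can be combined into one triage script that reports which files are hit by more than one check. The following is an added example, not code from the article; the function names (recent_php, php_in_uploads, suspicious_php, scan_webroot, prioritise, make_fixture) are assumptions, and the fixture it builds under a temporary directory is constructed so the script runs offline. Point scan_webroot at /var/www/html to run it against a real document root.

```shell
#!/bin/sh
# Added example (not the article's own code): web-shell triage combining the
# three checks from the text and ranking files hit by two or more of them.

# A dangerous function name followed by "(" is a much stronger signal than the
# bare word, which also matches comments, strings and variable names.
INDICATORS='(eval|base64_decode|system|exec|passthru|shell_exec)[[:space:]]*\('

recent_php() {        # $1 = web root, $2 = look-back in days
    find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | awk '{ print "recent\t" $0 }'
}

php_in_uploads() {    # $1 = web root; PHP under any uploads/ directory should not exist
    find "$1" -type f -path '*/uploads/*' \( -name '*.php' -o -name '*.php5' -o -name '*.phtml' \) 2>/dev/null \
        | awk '{ print "in-uploads\t" $0 }'
}

suspicious_php() {    # $1 = web root; files that call one of the dangerous functions
    grep -rlE "$INDICATORS" --include='*.php' --include='*.phtml' "$1" 2>/dev/null \
        | awk '{ print "suspicious-call\t" $0 }'
}

scan_webroot() {      # $1 = web root, $2 = days (default 7); prints "check<TAB>path"
    { recent_php "$1" "${2:-7}"; php_in_uploads "$1"; suspicious_php "$1"; } | sort -u
}

prioritise() {        # paths flagged by at least two independent checks
    scan_webroot "$1" "$2" | cut -f2 | sort | uniq -c | awk '$1 >= 2 { print $2 }'
}

# Constructed fixture (not a real site): an old legitimate file, a new legitimate
# file, an image, and an inert file that merely contains the indicator pattern
# (the base64 decodes to the word "fake", which is not PHP and does nothing).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/includes"
    printf '<?php echo "hello"; ?>\n' > "$root/index.php"
    touch -d '30 days ago' "$root/index.php"                     # GNU touch: make it look old
    printf '<?php $db_host = "localhost"; ?>\n' > "$root/includes/config.php"
    printf 'PNG placeholder\n' > "$root/uploads/avatar.png"
    printf '<?php eval(base64_decode("ZmFrZQ==")); ?>\n' > "$root/uploads/image.php"
    echo "$root"
}

FIXTURE=$(make_fixture)
echo "== all findings =="
scan_webroot "$FIXTURE"
echo "== look at these first =="
prioritise "$FIXTURE"
```

On the fixture, uploads/image.php is the only file hit by all three checks, which is exactly the pattern to look at first: a new PHP file in an uploads directory that calls eval() on decoded data. A single hit (the new includes/config.php is only "recent") is something to review, not evidence of compromise, since every legitimate deployment also produces recently modified PHP files.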
Finding crypto miners
# Crypto miners are the most common malware on compromised Linux servers
# Indicators: high CPU usage, unusual outbound connections to mining pools
# Check for unusual CPU usage
ps aux --sort=-%cpu | head -10 # High-CPU processes
top -b -n 1 | head -20
# Check for connections to known mining pool ports (3333, 4444, 7777, 14444, etc.)
ss -tunap | grep -E ":3333|:4444|:7777|:14444|:45560"
# Check for hidden processes (PIDs present in /proc that ps does not list; a rootkit indicator)
# Confirm the PID still exists after ps fails, so processes that exited mid-loop are not reported as hidden
for pid in /proc/[0-9]*; do
  pn=$(basename "$pid")
  if ! ps -p "$pn" -o comm= >/dev/null 2>&1 && [ -d "$pid" ]; then
    echo "Hidden: $pn $(tr '\0' ' ' < "$pid/cmdline" 2>/dev/null)"
  fi
done
# Check cron jobs for crypto miner startup (root's crontab, every user's crontab, and the system cron directories)
sudo crontab -l
sudo cat /var/spool/cron/crontabs/* 2>/dev/null
ls /etc/cron.d/ /etc/cron.hourly/
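Either indicator above is noisy on its own: a backup job or a build also pins the CPU, and ports such as 4444 are used by plenty of legitimate software. Correlating the two per PID is far more specific. The following is an added example, not code from the article; it parses `ps aux` and `ss -tunap` text from constructed sample output (labelled as such in the code) so that it runs offline, and the function names high_cpu, pool_connections and miner_suspects are assumptions. On a real host, write the output of `ps aux` and `ss -tunap` to the two files it reads instead.

```shell
#!/bin/sh
# Added example (not the article's own code): flag PIDs that are both CPU-hot
# and connected to a common mining-pool port.

POOL_PORTS='3333|4444|7777|14444|45560'   # the ports the article greps for; extend for your environment

# "pid cpu command" for every process above the threshold, from `ps aux` text on stdin.
# Columns 1-10 are fixed (USER PID %CPU ... TIME); the command starts at column 11.
high_cpu() {          # $1 = CPU percent threshold
    awk -v t="$1" 'NR > 1 && $3 + 0 > t + 0 {
        cmd = $11; for (i = 12; i <= NF; i++) cmd = cmd " " $i
        print $2, $3, cmd
    }'
}

# "pid peer" for every established socket whose peer port is a pool port,
# from `ss -tunap` text on stdin (column 6 is Peer Address:Port, the process
# column carries pid=NNN).
pool_connections() {
    awk -v re=":($POOL_PORTS)\$" 'NR > 1 && $2 == "ESTAB" && $6 ~ re && match($0, /pid=[0-9]+/) {
        print substr($0, RSTART + 4, RLENGTH - 4), $6
    }'
}

# $1 = threshold, $2 = file holding ps output, $3 = file holding ss output.
# Prints one line per PID that shows both indicators.
miner_suspects() {
    conns=$(pool_connections < "$3")
    high_cpu "$1" < "$2" | while read -r pid cpu cmd; do
        [ -n "$pid" ] || continue
        peer=$(printf '%s\n' "$conns" | awk -v p="$pid" '$1 == p { print $2; exit }')
        if [ -n "$peer" ]; then
            printf '%s %s%% %s -> %s\n' "$pid" "$cpu" "$cmd" "$peer"
        fi
    done
}

# Constructed sample output (not captured from a real host): a database, a
# legitimate backup job burning CPU, and one process doing both things at once.
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM    VSZ    RSS TTY STAT START   TIME COMMAND
root         1  0.0  0.1 169000  11000 ?   Ss   10:00   0:01 /sbin/init
postgres   900  4.0  2.0 400000 160000 ?   Ss   10:01   1:00 postgres: writer
www-data  1432  2.1  1.0 300000  80000 ?   S    10:02   0:10 php-fpm: pool www
www-data  2811 97.4  0.4 200000  30000 ?   R    10:15  45:12 /tmp/.cache/worker -o pool.example:3333
root      3300 91.0  0.2  50000   8000 ?   R    10:20   2:00 gzip -9 /var/backups/db.sql
EOF
}
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
tcp   ESTAB  0      0      10.0.0.5:44512      203.0.113.9:3333   users:(("worker",pid=2811,fd=3))
tcp   ESTAB  0      0      10.0.0.5:5432       10.0.0.8:51234     users:(("postgres",pid=900,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=600,fd=3))
EOF
}
PS_SAMPLE=$(mktemp); sample_ps > "$PS_SAMPLE"
SS_SAMPLE=$(mktemp); sample_ss > "$SS_SAMPLE"

echo "== CPU above 80% (two hits, one of them a backup) =="
high_cpu 80 < "$PS_SAMPLE"
echo "== both indicators (the one to investigate) =="
miner_suspects 80 "$PS_SAMPLE" "$SS_SAMPLE"
```

The gzip job passes the CPU threshold but has no pool connection, so only PID 2811 is reported. A miner that pauses when an administrator logs in, or that uses a non-standard pool port, slips past this check; it reduces noise, it does not replace the cron and hidden-process checks above.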
Automated scanning schedule
# Schedule nightly ClamAV scan of web directories
sudo nano /etc/cron.d/clamav-scan
/etc/cron.d/clamav-scan
# clamscan exits 1 when it finds infected files and 2 on error, so "clamscan && mail" would send the report
# only for clean runs. Use ";" so the report is always mailed. (% is special in crontab and must be written as \%.)
0 2 * * * root /usr/bin/clamscan -r --infected /var/www/html --log=/var/log/clamav/scan-$(date +\%Y\%m\%d).log ; mail -s "ClamAV Scan: $(hostname)" irfan@company.com < /var/log/clamav/scan-$(date +\%Y\%m\%d).log
# Monitor for high CPU (possible crypto miner)
# Add to /etc/cron.d/cpu-monitor. The % in --sort=-%cpu must be escaped as \% (cron turns an unescaped % into a
# newline and feeds the rest to stdin), and mail is sent only when awk printed a line, so no empty alert goes out every five minutes.
*/5 * * * * root out=$(ps aux --sort=-\%cpu | awk 'NR==2 && $3+0 > 80'); [ -n "$out" ] && echo "$out" | mail -s "ALERT: High CPU on $(hostname)" irfan@company.com
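Rather than chaining clamscan and mail on one cron line, the nightly job can act on clamscan's exit status (0 clean, 1 infected files found, 2 error), mail only when there is something to act on, and prune old logs. The following wrapper is an added example, not code from the article; SCANNER, SEND_MAIL, LOG_DIR, KEEP_DAYS and the fake_clamscan stub are hypothetical hooks that let it run offline, and the production values given in the comments (including irfan@company.com from the article's cron line) are what you would set on the server.

```shell
#!/bin/sh
# Added example (not the article's own code). Defaults are the offline stub
# values; the production values are given in the comments.
SCANNER="${SCANNER:-fake_clamscan}"     # production: /usr/bin/clamscan
SEND_MAIL="${SEND_MAIL:-cat}"           # production: mail -s ClamAV-report irfan@company.com
LOG_DIR="${LOG_DIR:-$(mktemp -d)}"      # production: /var/log/clamav
KEEP_DAYS="${KEEP_DAYS:-30}"            # logs older than this are deleted

# Map clamscan's exit status to a verdict: 0 clean, 1 infected files found, 2 error.
classify() {
    case "$1" in
        0) echo CLEAN ;;
        1) echo INFECTED ;;
        2) echo ERROR ;;
        *) echo UNKNOWN ;;
    esac
}

# $1 = directory to scan. Writes a dated log, mails only when the verdict is not
# CLEAN, prunes old logs, and returns clamscan's own status so cron still records
# infected or failed runs as non-zero exits.
scan_and_report() {
    log="$LOG_DIR/scan-$(date +%Y%m%d).log"
    "$SCANNER" -r --infected "$1" --log="$log" >/dev/null 2>&1
    rc=$?
    verdict=$(classify "$rc")
    if [ "$verdict" != CLEAN ]; then
        {
            printf 'ClamAV %s on %s (exit status %s)\n\n' "$verdict" "$(uname -n)" "$rc"
            cat "$log" 2>/dev/null
        } | $SEND_MAIL
    fi
    find "$LOG_DIR" -name 'scan-*.log' -mtime "+$KEEP_DAYS" -delete 2>/dev/null
    return "$rc"
}

# Stub standing in for clamscan when run offline: writes a one-line log to the
# --log= path and exits with FAKE_RC (0, 1 or 2) so all three outcomes can be exercised.
fake_clamscan() {
    for arg in "$@"; do
        case "$arg" in
            --log=*) printf 'stub scan result, exit %s\n' "${FAKE_RC:-0}" > "${arg#--log=}" ;;
        esac
    done
    return "${FAKE_RC:-0}"
}

# Walk through the three outcomes against the stub.
for FAKE_RC in 0 1 2; do
    echo "== simulated clamscan exit $FAKE_RC =="
    scan_and_report /var/www/html
    echo "-> wrapper returned $?"
done
```

In /etc/cron.d the 0 2 * * * root line would then call this script with SCANNER, SEND_MAIL and LOG_DIR set to the production values; a clean night produces no e-mail, and an error (for example a missing virus database because freshclam stopped running) is reported instead of being silently dropped.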
Conclusion
For web servers, the most practical malware scanning approach is: weekly ClamAV scan of your web directories targeting known signatures, plus monitoring for web shells (recently modified PHP files in upload directories) and crypto miners (high CPU processes with outbound connections to mining pool ports). ClamAV's virus definitions update daily — ensure freshclam runs regularly. The most important defense against malware is preventing the initial compromise through proper hardening; scanning is for detection after the fact.
FAQ
Is Malware Scanning important for Ubuntu administrators?
Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.
Should I practice this on a live server?
Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.
What should I do after reading this article?
Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
Need help with Ubuntu administration?
Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.