Hello,
how to scan and remove shell & virus whole server via WHM or SSH whit Clamav?
root@pea[/home]# clamscan --help
Clam AntiVirus Scanner 0.96.1
By The ClamAV Team: http://www.clamav.net/team
(C) 2007-2009 Sourcefire, Inc.
--help -h Print this help screen
--version -V Print version number
--verbose -v Be verbose
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--bell Sound bell on virus detection
--tempdir=DIRECTORY Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] Do not remove temporary files
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load
all supported db files from DIR
--official-db-only[=yes/no(*)] Only load official signatures
--log=FILE -l FILE Save scan report to FILE
--recursive[=yes/no(*)] -r Scan subdirectories recursively
--cross-fs[=yes(*)/no] Scan files and directories on other filesystems
--file-list=FILE -f FILE Scan files from FILE
--remove[=yes/no(*)] Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=REGEX Don't scan file names matching REGEX
--exclude-dir=REGEX Don't scan directories matching REGEX
--include=REGEX Only scan file names matching REGEX
--include-dir=REGEX Only scan directories matching REGEX
--bytecode[=yes(*)/no] Load bytecode from the database
--bytecode-trust-all[=yes/no(*)] Trust all loaded bytecode
--bytecode-timeout=N Set bytecode timeout (in milliseconds)
--detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card)
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--scan-mail[=yes(*)/no] Scan mail files
--phishing-sigs[=yes(*)/no] Signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] URL-based phishing detection
--heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
--phishing-ssl[=yes/no(*)] Always block SSL mismatches in URLs (phishing module)
--phishing-cloak[=yes/no(*)] Always block cloaked URLs (phishing module)
--algorithmic-detection[=yes(*)/no] Algorithmic detection
--scan-pe[=yes(*)/no] Scan PE files
--scan-elf[=yes(*)/no] Scan ELF files
--scan-ole2[=yes(*)/no] Scan OLE2 containers
--scan-pdf[=yes(*)/no] Scan PDF files
--scan-html[=yes(*)/no] Scan HTML files
--scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)
--detect-broken[=yes/no(*)] Try to detect broken executable files
--block-encrypted[=yes/no(*)] Block encrypted archives
--max-filesize=#n Files larger than this will be skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan for each container file (**)
--max-files=#n The maximum number of files to scan for each container file (**)
--max-recursion=#n Maximum archive recursion level for container file (**)
--max-dir-recursion=#n Maximum directory recursion level
(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
files inside. The above options ensure safe processing of this kind of data.
root@peafowl [/home]#
Dear sir,
please tell me the command to scan and remove shells & viruses
regards
Dear,
Thank you for the reply,
when I enter the command "clamscan /folder1 -ir --remove=yes" it displays this error:
libclamav JIT: *** JITed code intercepted runtime error!
Bytecode run timed out, timeout flag set
LibClamAV Warning: Bytecode failed to run: Unknown error code
Please help me,
Dear,
thank you for learning
I removed clamav and reinstalled it
but when I scan it prints this error:
root@####### [~]# clamscan /home -ir --remove=yes
-bash: clamscan: command not found
really helpful information........
Thanks
can you help me?
I just looked and replied to another thread you made with the same thing and I'll reply with my same answer:
/usr/bin/clamscan /home -ir --remove=yes
thank you
but again it displays this error
Clamscan is only going to find a small portion of the infected files. This is not a very good way to scan for malware on the server.
If you have an idea of when the site was compromised then I would look for files that were modified or changed within a week of the attack.
find . -mtime -7 -or -mtime +7
and/or
find . -ctime -7 -or -ctime +7
I would also grep to search for common strings found in the various malware. This list of strings is something you will have to build up over time. Some to get you started are like this:
egrep -Ri "eval\((base64|gzinflate|gzuncompress)" /path/to/files/to/scan
Please keep in mind that these strings will find plenty of false positives. You will have to intelligently figure out if the file is compromised or not. Simply running php /path/to/suspected/file will output the parse results, and you should be able to tell from there. These will usually be at the very top of a file.
There is another thread in the forum that talks about how accounts are compromised with other strings to search for as well:
http://forums.cpanel.net/f185/how-do...er-138617.html
I would look through recently modified files on the account to check and see if there is code at the top of every file that is exactly the same. Or look for iframes that are hidden or are 1px width and 1px height.
This software might actually work better than clamscan to find current malware.
Linux Malware Detect | R-fx Networks
However, I have never used it yet and cannot vouch for its effectiveness. I am about to install it on a new server to test it out though.
Good luck. Feel free to PM me if you need additional help. I am in the process of setting up a service to clean accounts that were hacked for a fee.
Try this:
echo -e "Please check \n" "`locate SnIpEr_SA sniper_sa c99shell r57shell crazy.pl tryag myshell msshell phpshell vbspy JaheeM mpownz ManTiLa indoirc.net NOGROD Bhlynx rfiScan x2300 g00nshell Bigdoz Indoserv Faskalis Indohacker pLuR HacKed AnakDompu cHApoenk Shellbot r3v3ng4ns MaXiMiZeR milw0rm n3oom3 rohitab w4ck1ng PHP-Proxy Locus7s cgitelnet.pl ccteam UNITX_TEAM soqor SpIdEr dark.cgi`" | mail -s "scaning shell hack at `hostname -s` date `date`" yourmail@domain.tld
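An added example (not from any post in this thread) that puts the two manual approaches above into one read-only triage pass: the recently-modified-files window and the eval(base64|gzinflate|gzuncompress) grep from the longer answer, plus a file-name check against a small constructed list of webshell names like the locate command in the last post. It only reports; it never executes, moves or deletes anything, so hits still need the manual review the thread describes.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only triage: recently modified files,
# eval(base64|gzinflate|gzuncompress) content matches, and known webshell file names.

# Constructed, deliberately short name list; extend it over time as the answer suggests.
WEBSHELL_NAMES='c99shell|r57shell|phpshell|myshell'
# Content pattern quoted from the thread's egrep line.
EVAL_PATTERN='eval\((base64|gzinflate|gzuncompress)'

# triage DIR DAYS: print "kind<TAB>path" for each hit among files modified in the last DAYS days.
triage() {
    dir=$1
    days=$2
    # "-mtime -N" alone selects files modified less than N days ago; OR-ing it with
    # "-mtime +N" (as typed in the thread) matches nearly every file, so only the lower bound is used.
    find "$dir" -type f -mtime -"$days" -print | while IFS= read -r f; do
        base=$(basename "$f")
        if printf '%s\n' "$base" | grep -Eiq "$WEBSHELL_NAMES"; then
            printf 'name\t%s\n' "$f"
        fi
        # grep reads the file as data; the PHP is never run (unlike "php /path/to/file").
        if grep -Eiq "$EVAL_PATTERN" "$f" 2>/dev/null; then
            printf 'content\t%s\n' "$f"
        fi
    done
}

# Build a constructed sample tree so the example runs offline; prints its path.
make_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/img"
    printf '<?php echo "hello"; ?>\n' > "$tmp/public_html/index.php"
    # Inert fragment that only mimics the obfuscation pattern the grep looks for.
    printf '<?php eval(gzinflate(base64_decode("AAAA"))); ?>\n' > "$tmp/public_html/img/logo.php"
    printf '<?php echo "x"; ?>\n' > "$tmp/public_html/c99shell.php"
    # Age the clean index file so the time window excludes it.
    touch -t 200101010000 "$tmp/public_html/index.php"
    printf '%s\n' "$tmp"
}

# Usage when run directly, e.g.: sh triage.sh /home 7
if [ -n "$1" ]; then
    triage "$1" "${2:-7}"
fi
```

Expect two lines for the sample tree: a content hit on img/logo.php and a name hit on c99shell.php, with the old index.php excluded by the 7-day window.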