scan and remove shell & virus on server via WHM or SSH with Clamav?

Discussion in 'Security' started by polkocholo, Nov 22, 2010.

  1. polkocholo (Active Member)

    Hello,

    How do I scan and remove shells & viruses from the whole server via WHM or SSH with Clamav?
     
  2. hya163 (Member)

    root@pea[/home]# clamscan --help

    Code:
                           Clam AntiVirus Scanner 0.96.1
               By The ClamAV Team: http://www.clamav.net/team
               (C) 2007-2009 Sourcefire, Inc.
    
        --help                -h             Print this help screen
        --version             -V             Print version number
        --verbose             -v             Be verbose
        --debug                              Enable libclamav's debug messages
        --quiet                              Only output error messages
        --stdout                             Write to stdout instead of stderr
        --no-summary                         Disable summary at end of scanning
        --infected            -i             Only print infected files
        --bell                               Sound bell on virus detection
    
        --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
        --leave-temps[=yes/no(*)]            Do not remove temporary files
        --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load
                                             all supported db files from DIR
        --official-db-only[=yes/no(*)]       Only load official signatures
        --log=FILE            -l FILE        Save scan report to FILE
        --recursive[=yes/no(*)]  -r          Scan subdirectories recursively
        --cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
        --file-list=FILE      -f FILE        Scan files from FILE
        --remove[=yes/no(*)]                 Remove infected files. Be careful!
        --move=DIRECTORY                     Move infected files into DIRECTORY
        --copy=DIRECTORY                     Copy infected files into DIRECTORY
        --exclude=REGEX                      Don't scan file names matching REGEX
        --exclude-dir=REGEX                  Don't scan directories matching REGEX
        --include=REGEX                      Only scan file names matching REGEX
        --include-dir=REGEX                  Only scan directories matching REGEX
    
        --bytecode[=yes(*)/no]               Load bytecode from the database
        --bytecode-trust-all[=yes/no(*)]     Trust all loaded bytecode
        --bytecode-timeout=N                      Set bytecode timeout (in milliseconds)
        --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
        --exclude-pua=CAT                    Skip PUA sigs of category CAT
        --include-pua=CAT                    Load PUA sigs of category CAT
        --detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
        --structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
        --structured-ssn-count=N             Min SSN count to generate a detect
        --structured-cc-count=N              Min CC count to generate a detect
        --scan-mail[=yes(*)/no]              Scan mail files
        --phishing-sigs[=yes(*)/no]          Signature-based phishing detection
        --phishing-scan-urls[=yes(*)/no]     URL-based phishing detection
        --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
        --phishing-ssl[=yes/no(*)]           Always block SSL mismatches in URLs (phishing module)
        --phishing-cloak[=yes/no(*)]         Always block cloaked URLs (phishing module)
        --algorithmic-detection[=yes(*)/no]  Algorithmic detection
        --scan-pe[=yes(*)/no]                Scan PE files
        --scan-elf[=yes(*)/no]               Scan ELF files
        --scan-ole2[=yes(*)/no]              Scan OLE2 containers
        --scan-pdf[=yes(*)/no]               Scan PDF files
        --scan-html[=yes(*)/no]              Scan HTML files
        --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
        --detect-broken[=yes/no(*)]          Try to detect broken executable files
        --block-encrypted[=yes/no(*)]        Block encrypted archives
    
        --max-filesize=#n                    Files larger than this will be skipped and assumed clean
        --max-scansize=#n                    The maximum amount of data to scan for each container file (**)
        --max-files=#n                       The maximum number of files to scan for each container file (**)
        --max-recursion=#n                   Maximum archive recursion level for container file (**)
        --max-dir-recursion=#n               Maximum directory recursion level
    
    (*) Default scan settings
    (**) Certain files (e.g. documents, archives, etc.) may in turn contain other
       files inside. The above options ensure safe processing of this kind of data.
    
    
    root@peafowl [/home]#
     
    #2 hya163, Nov 22, 2010
    Last edited by a moderator: Aug 3, 2015
  3. polkocholo (Active Member)

    Re: Hello, how to scan and remove shell & virus whole server via WHM or SSH whit Cla

    Dear sir,

    please tell me the command to scan for and remove shells & viruses


    regards
     
  4. hya163 (Member)


    If you want to scan /folder1:

    Code:
    clamscan /folder1 -ir --remove=yes


    I suggest you use the following command; it will move viruses/shells to a folder:
    Code:
    clamscan /folder1 -ir --move=/virus
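The commands in hya163's post run clamscan by hand. As an added example (not hya163's code, and not from cPanel or ClamAV), the script below wraps the same `--move` form in a per-run quarantine directory with a manifest of the original paths, so a false positive can be put back, and reads clamscan's exit status (0 nothing found, 1 infected files found, 2 scan errors). It assumes clamscan is on PATH and that /var/quarantine is writable; the bytecode timeout value is only an example to tune per server, and the sample report is constructed so the parser can be exercised without a real scan. Note from the help output earlier in the thread that `--bytecode-timeout` is an option of clamscan, passed on the same command line, not a command of its own.

```shell
#!/bin/sh
# Added example (not from the thread): quarantine-first wrapper around clamscan.
# Assumptions: clamscan is on PATH, the quarantine base dir is writable, and the
# bytecode timeout below is an example value, not ClamAV's default.
set -u

# Constructed sample of clamscan's per-file report lines plus summary, used
# so the parser below can be exercised without running a real scan.
SAMPLE_REPORT='/home/user1/public_html/up.php: PHP.Trojan.Example-1 FOUND
/home/user1/public_html/index.php: OK
/home/user2/tmp/notes.txt: Empty file
/home/user2/public_html/img/c.php: PHP.Shell.Example-2 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2'

# Read a clamscan report on stdin and emit one "path<TAB>signature" line per
# FOUND entry. Signature names never contain ": ", so the text after the
# last ": " is the signature and everything before it is the path.
found_from_report() {
    awk '/ FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        n = split(line, parts, ": ")
        sig = parts[n]
        path = substr(line, 1, length(line) - length(sig) - 2)
        print path "\t" sig
    }'
}

# clamscan exit status: 0 = nothing found, 1 = infected files found, 2 = scan errors.
scan_status_word() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Scan $1 recursively; move hits into a per-run quarantine directory under $2
# (default /var/quarantine, assumed) and write a manifest of original paths so
# a false positive can be restored. --move keeps the evidence; --remove destroys
# it, which also destroys what the investigation needs.
quarantine_scan() {
    target=$1
    qdir="${2:-/var/quarantine}/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$qdir"
    log="$qdir/clamscan.log"
    # -i: only report infected files; -r: recurse into subdirectories.
    clamscan -ir \
        --bytecode-timeout="${BYTECODE_TIMEOUT_MS:-60000}" \
        --move="$qdir" --log="$log" "$target"
    rc=$?
    found_from_report < "$log" > "$qdir/manifest.tsv"
    echo "scan of $target: $(scan_status_word "$rc"); manifest in $qdir/manifest.tsv"
    return "$rc"
}

# Usage: sh quarantine-scan.sh /home [/var/quarantine]
if [ $# -gt 0 ]; then
    quarantine_scan "$@"
fi
```

Run it as `sh quarantine-scan.sh /home`. The manifest records where each moved file came from, which is what you need both to restore a false positive and to see which accounts were hit.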
     
  5. polkocholo (Active Member)



    Dear,
    Thank you for the reply.

    When I enter the command "clamscan /folder1 -ir --remove=yes" it displays this error:

    Code:
    libclamav JIT: *** JITed code intercepted runtime error!
    Bytecode run timed out, timeout flag set
    LibClamAV Warning: Bytecode failed to run: Unknown error code


    Please help me,
     
  6. hya163 (Member)



    Looks like there is some problem with clamav on your server. Have a try re-installing clamav in WHM; if it still fails, I suggest you submit a ticket to cPanel.
     
  7. hya163 (Member)


    --bytecode-timeout=N    Set bytecode timeout (in milliseconds)
    Try adding
    Code:
    --bytecode-timeout=0
     
  8. polkocholo (Active Member)


    Dear,

    thank you for learning


    I removed clamav and reinstalled it,
    but when I scan it prints this error:


    Code:
    root@####### [~]# clamscan /home -ir --remove=yes
    -bash: clamscan: command not found
     
  9. amit2353457 (Registered)


    Really helpful information.
    Thanks
     
  10. polkocholo (Active Member)


    can you help me?
     
  11. polkocholo (Active Member)



    root@****** [~]# --bytecode-timeout=N
    -bash: --bytecode-timeout=N: command not found
    root@****** [~]# --bytecode-timeout=0
    -bash: --bytecode-timeout=0: command not found
    root@****** [~]# bytecode-timeout=N
    -bash: bytecode-timeout=N: command not found
     
  12. GaryT (Well-Known Member)


    I just looked and replied to another thread you made with the same thing, and I'll reply with my same answer:

     
  13. polkocholo (Active Member)


    Thank you,
    but it again displays this error.
     
  14. tier2 (Member, PartnerNOC)


    Clamscan is only going to find a small portion of the infected files. This is not a very good way to scan for malware on the server.

    If you have an idea of when the site was compromised, then I would look for files that were modified or changed within a week of the attack.

    find . -mtime -7
    and/or
    find . -ctime -7

    I would also grep to search for common strings found in the various malware. This list of strings is something you will have to build up over time. Some to get you started are like this:

    Code:
    egrep -Ri "eval\((base64|gzinflate|gzuncompress)" /path/to/files/to/scan

    Please keep in mind that these strings will find plenty of false positives. You will have to intelligently figure out if the file is compromised or not. Simply running php /path/to/suspected/file will output the parse results, and you should be able to tell from there. These will usually be at the very top of a file.

    There is another thread in the forum that talks about how accounts are compromised with other strings to search for as well:

    http://forums.cpanel.net/f185/how-does-hacking-take-place-cpanel-server-138617.html

    I would look through recently modified files on the account to check and see if there is code at the top of every file that is exactly the same. Or look for iframes that are hidden or are 1px width and 1px height.

    This software might actually work better than clamscan to find current malware.

    Linux Malware Detect | R-fx Networks

    However, I have never used it yet and cannot vouch for its effectiveness. I am about to install it on a new server to test it out though.

    Good luck. Feel free to PM me if you need additional help. I am in the process of setting up a service to clean accounts that were hacked for a fee.
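As an added example (not tier2's code), the script below puts the checks from this post into one triage pass: list the files under an account whose ctime falls within a window of days, then grep each one for the `eval(base64_decode|gzinflate|gzuncompress)` wrappers and for 1x1 or hidden iframes. The regexes, the sample files and the window are constructed for this example; as the post says, every hit is a candidate to review by hand, not a verdict.

```shell
#!/bin/sh
# Added example, not from the thread: one triage pass over recently changed
# files, grepping for obfuscation wrappers and hidden iframes. Patterns and
# sample files are constructed for this example.
set -u

# Wrappers from the post plus str_rot13: "eval", optional spaces, a decoder.
WRAPPER_RE='eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13)'
# Hidden 1x1 or invisible iframes, as described in the post.
IFRAME_RE='<iframe[^>]*(width=.?1[^0-9]|height=.?1[^0-9]|display: *none|visibility: *hidden)'

# Regular files under $1 whose inode change time is within the last $2 days.
# ctime is used rather than mtime: mtime is trivially reset with touch(1),
# while ctime moves on any write or permission change.
recently_changed() {
    find "$1" -type f -ctime "-$2" -print
}

# For each recently changed file print "path:line:text" for every line that
# matches either pattern. A grep "no match" status is not an error here.
triage_candidates() {
    recently_changed "$1" "$2" | while IFS= read -r f; do
        grep -EnHi "$WRAPPER_RE" "$f" || true
        grep -EnHi "$IFRAME_RE" "$f" || true
    done
}

# Constructed sample tree: one wrapped eval (the base64 is just 'echo "hi";'),
# one hidden iframe pointing at about:blank, one clean script. Prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/img"
    printf '%s\n' "<?php eval(base64_decode('ZWNobyAiaGkiOw=='));" > "$d/public_html/img/up.php"
    printf '%s\n' '<p>footer</p><iframe src="about:blank" width="1" height="1"></iframe>' > "$d/public_html/footer.html"
    printf '%s\n' '<?php echo "hello";' > "$d/public_html/index.php"
    echo "$d"
}

# Usage: sh triage.sh /home/account 7    (no arguments: run on the sample tree)
if [ $# -ge 2 ]; then
    triage_candidates "$1" "$2"
else
    sample=$(make_sample_tree)
    triage_candidates "$sample" 1
    rm -rf "$sample"
fi
```

Pipe the output into `sort -t: -k1,1` to group hits per file; a wrapper that appears on line 1 of many files under one account is the "same code at the top of every file" pattern the post describes.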
     
  15. dinar (Registered)


    Try this
    Code:
    echo -e "Please check \n" "`locate SnIpEr_SA sniper_sa c99shell r57shell crazy.pl tryag myshell msshell phpshell vbspy JaheeM mpownz ManTiLa indoirc.net NOGROD Bhlynx rfiScan x2300 g00nshell Bigdoz Indoserv Faskalis Indohacker pLuR HacKed AnakDompu cHApoenk Shellbot r3v3ng4ns MaXiMiZeR milw0rm n3oom3 rohitab w4ck1ng PHP-Proxy Locus7s cgitelnet.pl ccteam UNITX_TEAM soqor SpIdEr dark.cgi`" | mail -s "scaning shell hack at `hostname -s` date `date`" yourmail@domain.tld
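As an added example (not dinar's code), the function below does the same known-name search with find(1) instead of locate(1): locate answers from the updatedb database, so a shell dropped after the last updatedb run is invisible to it, while find walks the live filesystem. The name list is a constructed subset of the post's list, matching is case-insensitive on the basename, and the report goes to stdout so it can be piped into mail exactly as in the post.

```shell
#!/bin/sh
# Added example, not from the thread: known-name check with find(1).
# The name list is a constructed subset of the post's list.
set -u

# One known name fragment per line; extend it over time.
KNOWN_NAMES='c99shell
r57shell
phpshell
cgitelnet
dark.cgi'

# Build the expression "-iname *a* -o -iname *b* ..." in the positional
# parameters (the only array POSIX sh has) and run find with it under $1.
find_known_names() {
    root=$1
    set --
    for n in $KNOWN_NAMES; do
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -iname "*$n*"
    done
    find "$root" -type f \( "$@" \) -print
}

# Report body for the post's mail pipeline: header line, then hits or "none".
report_known_names() {
    hits=$(find_known_names "$1")
    printf 'Known-name check on %s\n%s\n' "$1" "${hits:-none}"
}

# Constructed sample tree: one mixed-case hit, one clean file. Prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/cache"
    : > "$d/public_html/cache/C99Shell.php"
    : > "$d/public_html/index.php"
    echo "$d"
}

# Usage: sh known-names.sh /home | mail -s "known-name check on $(hostname -s)" yourmail@domain.tld
if [ $# -ge 1 ]; then
    report_known_names "$1"
fi
```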
     