Find and Remove Backdoor on a Linux Server

This article introduces three tools that can help you identify and remove rootkits and other malware on your server.

Please note: The programs used do not guarantee that every backdoor is found. You can only be really sure when reinitializing the server.

I'm going to write a Look up.

Detect with rkhunter rootkits

Rootkit Hunter checks your server for existing and known root kits.

rkhunter download:

wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz

Unpacking:

tar xfz rkhunter-1.4.2.tar.gz

Select the default profile and perform the installation:

sudo ./rkhunter-1.4.2/installer.sh --layout default --install

Select the default profile and perform the installation:

sudo ./rkhunter-1.4.2/installer.sh --layout default --install

Update of the known-bad and known-good hash database:

sudo /usr/local/bin/rkhunter --update --propupd

Execute:

sudo /usr/local/bin/rkhunter --check

Further information and the rkhunter manual can be found on the official website

CLamAV - The anti-virus scanner for Linux and Windows

The open source anti-virus scanner ClamAV is available for the operating systems Windows, Linux, BSD, Solaris and Mac OS X. Installation packages and source code can be downloaded from the official website.

A description of installation on different operating systems can be found here

Maldetect (Linux Malware Detect)

Maldetect is a ClamAV-based malware scanner for Linux. A working ClamAV installation is therefore a prerequisite for using Maldetect.

Download:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Unpacking:

tar xfz maldetect-current.tar.gz

Start installation - Replace 1.x.x with the current version number:

./maldetect-1.x.x/install.sh

Update malware definitions:

maldet -u

View list of suspicious files - The log name appears after the scan is complete:

maldet --report xxxxxx-xxxx.xxxx

More information about Linux Malware Detect can be found on the official website