Find and Remove Backdoor on a Linux Server

This article introduces three tools that can help you identify and remove rootkits and other malware on your server.

Please note: The programs used do not guarantee that every backdoor is found. You can only be really sure when reinitializing the server.

Detect with rkhunter rootkits

Rootkit Hunter checks your server for existing and known root kits.

rkhunter download:

wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz

Unpacking:

tar xfz rkhunter-1.4.2.tar.gz

Select the default profile and perform the installation:

sudo ./rkhunter-1.4.2/installer.sh --layout default --install

Select the default profile and perform the installation:

sudo ./rkhunter-1.4.2/installer.sh --layout default --install

Update of the known-bad and known-good hash database:

sudo /usr/local/bin/rkhunter --update --propupd

Execute:

sudo /usr/local/bin/rkhunter --check

Further information and the rkhunter manual can be found on the official website

CLamAV - The anti-virus scanner for Linux and Windows

The open source anti-virus scanner ClamAV is available for the operating systems Windows, Linux, BSD, Solaris and Mac OS X. Installation packages and source code can be downloaded from the official website.

A description of installation on different operating systems can be found here

Maldetect (Linux Malware Detect)

Maldetect is a ClamAV-based malware scanner for Linux. A working ClamAV installation is therefore a prerequisite for using Maldetect.

Download:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Unpacking:

tar xfz maldetect-current.tar.gz

Start installation - Replace 1.x.x with the current version number:

./maldetect-1.x.x/install.sh

Update malware definitions:

maldet -u

View list of suspicious files - The log name appears after the scan is complete:

maldet --report xxxxxx-xxxx.xxxx

More information about Linux Malware Detect can be found on the official website