Find and Remove Backdoor on a Linux Server
This article introduces three tools that can help you identify and remove rootkits and other malware on your server.
Please note: The programs used do not guarantee that every backdoor is found. You can only be really sure when reinitializing the server.
Detect rootkits with rkhunter
Rootkit Hunter (rkhunter) checks your server for known rootkits and for suspicious changes to system files.
rkhunter download:
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
Unpacking:
tar xfz rkhunter-1.4.2.tar.gz
Select the default profile and perform the installation:
sudo ./rkhunter-1.4.2/installer.sh --layout default --install
Update the known-bad signature data (--update) and the known-good file-properties database (--propupd):
sudo /usr/local/bin/rkhunter --update --propupd
Execute:
sudo /usr/local/bin/rkhunter --check
Further information and the rkhunter manual can be found on the official website.
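The check above is interactive (it pauses for a keypress between test groups). To schedule it instead and review only the warnings, the following added example (not part of the article) wraps rkhunter in a small POSIX shell script; it assumes the install path /usr/local/bin/rkhunter used above and the default log file /var/log/rkhunter.log.

```shell
#!/bin/sh
# Added example: run rkhunter non-interactively and summarise its warnings.
# Assumptions: rkhunter installed at /usr/local/bin/rkhunter (as in the
# article) and logging to /var/log/rkhunter.log; override via environment.
RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
RKLOG=${RKLOG:-/var/log/rkhunter.log}

# Run the full check: --sk skips the keypress prompts, --rwo prints only
# warnings. Returns rkhunter's own exit status (0 = no warnings, 1 = warnings).
run_rkhunter_check() {
    "$RKHUNTER" --check --sk --rwo --logfile "$RKLOG"
}

# Print each distinct warning from an rkhunter log, with the timestamp
# prefix removed, so the list can be reviewed or forwarded to a SIEM.
rkhunter_warnings() {
    grep 'Warning:' "$1" | sed 's/^.*Warning: //' | sort -u
}

# Print the number of distinct warnings in an rkhunter log.
rkhunter_warning_count() {
    rkhunter_warnings "$1" | wc -l | tr -d ' '
}

main() {
    run_rkhunter_check
    status=$?
    count=$(rkhunter_warning_count "$RKLOG")
    echo "rkhunter exited with status $status; $count distinct warning(s):"
    rkhunter_warnings "$RKLOG"
    return "$status"   # non-zero lets cron/monitoring flag the host
}

# Invoke as "./rkcheck.sh --run" (as root); functions only are loaded otherwise.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

A warning is not proof of compromise: rkhunter also flags legitimate package updates, so compare each warning against your package manager's records and re-run --propupd only after you have confirmed the change is expected.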
ClamAV - the anti-virus scanner for Linux and Windows
The open source anti-virus scanner ClamAV is available for the operating systems Windows, Linux, BSD, Solaris and Mac OS X. Installation packages and source code can be downloaded from the official website.
A description of the installation on different operating systems can be found here.
Maldetect (Linux Malware Detect)
Maldetect is a ClamAV-based malware scanner for Linux. A working ClamAV installation is therefore a prerequisite for using Maldetect.
Download:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Unpacking:
tar xfz maldetect-current.tar.gz
Start the installation, replacing 1.x.x with the current version number:
./maldetect-1.x.x/install.sh
Update malware definitions:
maldet -u
View the list of suspicious files. The scan ID (xxxxxx-xxxx.xxxx) is printed when the scan completes:
maldet --report xxxxxx-xxxx.xxxx
More information about Linux Malware Detect can be found on the official website.