If your server is behaving strangely (high CPU load, slow performance) or if you have received an Abuse Notification regarding spam or network attacks, your VPS might be compromised.
This guide provides the standard tools to scan for malware, viruses, and malicious web shells.
1. ClamAV (Antivirus)
ClamAV is the most widely used open-source antivirus engine. It detects trojans, viruses and other malware by signature, so it only finds what its current definitions already know about; treat a clean result as "nothing known was found", not as proof the server is clean.
Installation
# Ubuntu / Debian
apt update && apt install clamav clamav-daemon -y
# CentOS / AlmaLinux (Requires EPEL)
dnf install epel-release -y
dnf install clamav clamd clamav-update -y
Updating & Scanning
Update the virus definitions, then scan the directories where your websites live (usually /home or /var/www). On Debian and Ubuntu the clamav-freshclam service already refreshes definitions in the background; if a manual freshclam fails because the log file is locked, stop that service first (systemctl stop clamav-freshclam) and start it again when you are done.
# Update definitions
freshclam
# Scan recursively, show only infected files, and keep a log of the run
clamscan -r -i --log=/var/log/clamscan.log /home
clamscan exits with 0 when nothing was found, 1 when at least one file was flagged and 2 on an error, which makes it easy to use from a script or cron job.
2. Linux Malware Detect (Maldet / LMD)
Maldet is designed for shared hosting environments and targets the malware found there (PHP backdoors, web shells, darkmailers, SEO spam injectors). Its signatures are generated from malware actually seen on hosting networks, and if ClamAV is installed it uses the ClamAV engine as well.
Installation
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*
./install.sh
Running a Scan
Scan a specific directory (e.g., /var/www or /home):
maldet -a /var/www
The scan ends with a scan ID; view the report with the command suggested in the output (e.g., maldet --report SCANID). Quarantine is off by default (quarantine_hits=0 in /usr/local/maldetect/conf.maldet), so hits are only reported; you can quarantine them afterwards with maldet -q SCANID once you have reviewed the list.
3. Rootkit Hunter (rkhunter)
Rootkits hide an attacker's processes, files and network connections from the system administrator, so the tools above can miss them. rkhunter looks for known rootkit files, suspicious kernel modules, hidden ports and unexpected changes to system binaries. Because it compares file properties against a stored baseline, run rkhunter --propupd once on a system you know to be clean (ideally right after installation); otherwise every later check will warn about files it has never seen.
# Install
apt install rkhunter -y # (Debian/Ubuntu)
dnf install rkhunter -y # (RHEL/CentOS)
# Update data files, then check; --sk skips the keypress prompts, --rwo shows only warnings
rkhunter --update
rkhunter --check --sk --rwo
Full details of every warning are written to /var/log/rkhunter.log.
4. Manual Search for PHP Backdoors
If you suspect a hacked WordPress or Joomla site, look for injected code directly. Attackers often hide it with base64 encoding (eval(base64_decode("..."))), but also with gzinflate, str_rot13, spaces inside the call, or by passing request input straight to eval, so a single fixed string is only a starting point.
Run this command in your webroot to list PHP files containing the most common pattern (the --include value is quoted so the shell does not expand the wildcard against your current directory):
grep -r -l --include='*.php' "eval(base64_decode" /var/www/html/
Review each hit by hand: legitimate code does use base64_decode, and a missing match does not mean the site is clean.
5. External Website Scans
Sometimes the infection is only visible in the HTML your site serves to visitors (e.g., SEO spam, injected scripts or redirects that appear only for search-engine user agents). Use an external website scanner to check the public-facing side of the site as well, since a server-side scan does not show what the attacker's code emits to a browser.
If a scan confirms an infection, the safest path is to restore a clean backup taken before the compromise, then update the CMS, plugins and server packages and change every password and API key the server held.
Simply deleting the malware file that was found usually leaves other backdoors behind, and the entry point that was used (an outdated plugin, a stolen credential, a writable upload directory) will still be open.