Random Linux

Linux, video games and web hosting

ClamAV is a popular malware scanner that can help to find malware on your accounts. You are able to find more information about that at the following link:


This software has many built in definitions that will find *most* of the malicious files under your accounts. It can find many shells, phishing sites and other malware. We won’t be able to cover all of the different options available in ClamAV in this article, but we will cover the parts that you will need to initially locate the malware so that it an be removed.

To install that, all you will need to do is run the following command.

If you are on a RedHat based OS, such as CentOS, you can install it with

yum install clamav

If you are using debian, you can use

apt-get install clamav

Once that is installed, you will want to run the freshclam command so that the definitions are updated to the most recent.

[email protected] [/home/user]# freshclam
ClamAV update process started at Thu Jan 12 04:41:48 2012
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 14300, sigs: 70715, f-level: 63, builder: guitar)
bytecode.cvd is up to date (version: 160, sigs: 38, f-level: 63, builder: edwin)

Then, you can use the clamscan command to run the scan. You will also want to use a couple of flags to only show the infected files, to search recursively, and to log your findings to a log file. The i limits the output to only infected files, the r flag means to recurse through the directoies and the l flag with a file name will log the scan to that file.

[email protected] [/home/user/public_html]# clamscan -ir -l log.txt

———– SCAN SUMMARY ———–
Known viruses: 1113857
Engine version: 0.97.3
Scanned directories: 139
Scanned files: 1602
Infected files: 0
Data scanned: 29.30 MB
Data read: 15.53 MB (ratio 1.89:1)
Time: 6.608 sec (0 m 6 s)

If a malicious file is found, it will show the path to the file and why it was flagged.

[email protected] [/home/user/public_html]# clamscan -ir -l log.txt
/home/user/public_html/thing.php: PHP.Shell-38 FOUND

———– SCAN SUMMARY ———–
Known viruses: 1113857
Engine version: 0.97.3
Scanned directories: 2412
Scanned files: 20511
Infected files: 1
Data scanned: 354.85 MB
Data read: 832.57 MB (ratio 0.43:1)
Time: 102.922 sec (1 m 42 s)

The output of the scan will also be logged to a file called log.txt if you run the command as it is in the example. You can then get the timestamps from that file and find the source, remove the file and patch the problem.

January 13th, 2012

Posted In: General

Tags: , , , , ,

Leave a Comment