Scan for Malware with ISPProtect

The ISPProtect malware scanner does not have to be installed; it can be downloaded to e.g. /tmp and used right away. If you want to use the scanner regularly on this server, see the installation chapter below.

Log in as root on the shell of your server, download ISPProtect with wget to the /tmp directory of your server and unpack the tar.gz file.

cd /tmp
wget http://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz

Start the scan process:

./ispp_scan

As a first step, the scanner checks whether the system requirements are fulfilled. ISPProtect requires PHP (version 5.2 to 7.0) and ClamAV.


Enter your ISPProtect license key, or the word TRIAL if you have no license key yet and just want to test ISPProtect.

Please enter scan key (or TRIAL if you have none, yet): ← TRIAL

Now the program asks for the path to be scanned. This is the directory where the websites are stored on your server; in most cases this is /var/www, or /srv/www on OpenSuSE.

Please enter path to scan: ← /var/www


The scan begins. The scanner shows the results on the screen and also saves them to the result files it lists at the start of the scan. The scan progress and the estimated remaining scan time are shown.

The scan consists of 3 scan levels. In the first level, the files are checked with the signature-based scanner; the second level is a heuristic scan for malware; the third level checks for outdated CMS versions.

Here is the full output of an ISPProtect scan.

./ispp_scan
       _____  _____ _____  _____           _            _
      |_   _|/ ____|  __ \|  __ \         | |          | |
        | | | (___ | |__) | |__) | __ ___ | |_ ___  ___| |_
        | |  \___ \|  ___/|  ___/ '__/ _ \| __/ _ \/ __| __|
       _| |_ ____) | |    | |   | | | (_) | ||  __/ (__| |_
      |_____|_____/|_|    |_|   |_|  \___/ \__\___|\___|\__|
 __          __  _        _____
 \ \        / / | |      / ____|
  \ \  /\  / /__| |__   | (___   ___ __ _ _ __  _ __   ___ _ __
   \ \/  \/ / _ \ '_ \   \___ \ / __/ _` | '_ \| '_ \ / _ \ '__|
    \  /\  /  __/ |_) |  ____) | (_| (_| | | | | | | |  __/ |
     \/  \/ \___|_.__/  |_____/ \___\__,_|_| |_|_| |_|\___|_|

                                               Version 1.6.1

                    (c) 2015 by ISPConfig UG
                       all rights reserved


Downloading ionCube Loader for your system.
ionCube Check succeeded.
Please enter scan key (or TRIAL if you have none, yet): TRIAL
Please enter path to scan: /var/www
Starting malware scan.
This can take a long, long time depending on the server hardware and the amount of files ...

!!! DO NOT INTERRUPT THE SCRIPT !!!!

After the scan is completed, you will find the results also in the following files:
Malware => /tmp/found_malware_20152911154431.txt
Wordpress       => /tmp/software_wordpress_20152911154431.txt
Joomla  => /tmp/software_joomla_20152911154431.txt
Drupal  => /tmp/software_drupal_20152911154431.txt
Mediawiki       => /tmp/software_mediawiki_20152911154431.txt
Plugins => /tmp/plugins_20152911154431.txt
Starting scan level 1 ...
Scanning 82044 files now ...
Scan level 1 completed. 3 hits.
Starting scan level 2 ...
Scanning 32233 files now ...
Scan level 2 completed. 2 hits.
================================
Found 5 malware file(s)
================================
Malware suspect.globals.eval in /var/www/clients/client16/web30/web/include/resource/post.php
Malware suspect.post.eval in /var/www/clients/client4/web2/web/wiki.php
Malware {HEX}r2h.malware.blue.13 in /var/www/clients/client5/web18/web/webtools_forum/mod.php
Malware {HEX}php.exe.globals.400 in /var/www/clients/client8/web24/web/blog/maintenance/gen.php
Malware winnow.malware.vx.url.929756 in /var/www/webalizer/usage_201509.html
================================
Starting WordPress check. This could take a while ...
Most decent version(s): 4.3.1
Outdated wordpress version: 2.2.2 (newest is 4.3.1) in "/var/www/clients/client9/web2/web"
Outdated wordpress version: 2.2.1 (newest is 4.3.1) in "/var/www/clients/client8/web3/web"
Outdated wordpress version: 2.7.1 (newest is 4.3.1) in "/var/www/clients/client4/web7/web"
Outdated wordpress version: 2.6 (newest is 4.3.1) in "/var/www/clients/client17/web33/web"
Outdated wordpress version: 3.6 (newest is 4.3.1) in "/var/www/clients/client5/web17/web/website"
Outdated wordpress version: 3.5.1 (newest is 4.3.1) in "/var/www/clients/client5/web17/web/old/website"
Outdated wordpress version: 2.8 (newest is 4.3.1) in "/var/www/clients/client22/web39/web"
Outdated wordpress version: 2.8.1 (newest is 4.3.1) in "/var/www/clients/client22/web39/web/wp-content/upgrade/wordpress-2.8.1/wordpress"
Outdated wordpress version: 3.2.1 (newest is 4.3.1) in "/var/www/clients/client10/web25/web"
Outdated wordpress version: 3.0.1 (newest is 4.3.1) in "/var/www/clients/client21/web38/web"
Outdated wordpress version: 3.1 (newest is 4.3.1) in "/var/www/clients/client21/web38/web/wp-content/upgrade/wordpress-3.tmp/wordpress"
Outdated wordpress version: 3.0.1 (newest is 4.3.1) in "/var/www/clients/client21/web38/web/wp-content/upgrade/core/wordpress"
Wordpress check found 0 current and 12 outdated versions.
================================
Starting Joomla check. This could take a while ...
Most decent version(s): 2.5.28, 3.1.3, 3.2.7, 3.4.5
Joomla check found 0 current and 0 outdated versions.
================================
Starting Drupal check. This could take a while ...
Most decent version(s): 8.0.0, 7.41, 6.37
Drupal check found 0 current and 0 outdated versions.
================================
Starting Mediawiki check. This could take a while ...
Most decent version(s): 1.26.0
Outdated mediawiki version: 1.9.3 (newest is 1.26.0) in "/var/www/clients/client8/web9/web/wiki"
Outdated mediawiki version: 1.14.0 (newest is 1.26.0) in "/var/www/clients/client2/web6/web/disabled_9841"
Mediawiki check found 0 current and 2 outdated versions.
================================
Wordpress plugin All In One SEO V1.4.7 in /var/www/clients/client9/web2/web/ is vulnerable to Privilege escalation
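To triage a scan like the one above per website, here is an added Python example (not part of ISPProtect or this guide) that parses result lines in the three formats shown in the output above and groups them by ISPConfig web directory, putting sites with malware hits first. It assumes the result files written to /tmp use the same line format as the screen output, and it uses lines from the sample scan above as its input.

```python
import re
from collections import defaultdict

# Result lines copied from the sample scan output on this page, in the three formats the scanner prints.
SAMPLE_OUTPUT = """\
Malware suspect.globals.eval in /var/www/clients/client16/web30/web/include/resource/post.php
Malware {HEX}php.exe.globals.400 in /var/www/clients/client8/web24/web/blog/maintenance/gen.php
Malware winnow.malware.vx.url.929756 in /var/www/webalizer/usage_201509.html
Outdated wordpress version: 2.2.2 (newest is 4.3.1) in "/var/www/clients/client9/web2/web"
Outdated mediawiki version: 1.9.3 (newest is 1.26.0) in "/var/www/clients/client8/web9/web/wiki"
Wordpress plugin All In One SEO V1.4.7 in /var/www/clients/client9/web2/web/ is vulnerable to Privilege escalation
"""

MALWARE_RE = re.compile(r'^Malware (\S+) in (.+)$')
OUTDATED_RE = re.compile(r'^Outdated (\w+) version: (\S+) \(newest is (\S+)\) in "(.+)"$')
PLUGIN_RE = re.compile(r'^Wordpress plugin (.+?) in (\S+) is vulnerable to (.+)$')
# ISPConfig document-root layout seen in the output above: /var/www/clients/clientN/webM/...
SITE_RE = re.compile(r'^(/var/www/clients/client\d+/web\d+)(/|$)')
# Webalizer/AWStats statistics HTML: hits there are usually a malware URL in the access statistics
# (see the false-positive section), so they are flagged for manual review rather than reporting.
STATS_RE = re.compile(r'/(webalizer|awstats)/.*\.html?$', re.IGNORECASE)


def site_of(path):
    """Map a hit path to its ISPConfig website directory, or 'other' for paths outside that layout."""
    m = SITE_RE.match(path)
    return m.group(1) if m else 'other'


def parse_report(text):
    """Turn scanner output into finding dicts; banner and progress lines are skipped."""
    findings = []
    for line in text.splitlines():
        if m := MALWARE_RE.match(line):
            sig, path = m.groups()
            findings.append({'kind': 'malware', 'site': site_of(path), 'path': path,
                             'detail': sig, 'stats_html': bool(STATS_RE.search(path))})
        elif m := OUTDATED_RE.match(line):
            cms, have, newest, path = m.groups()
            findings.append({'kind': 'outdated', 'site': site_of(path), 'path': path,
                             'detail': f'{cms} {have} (newest {newest})', 'stats_html': False})
        elif m := PLUGIN_RE.match(line):
            plugin, path, vuln = m.groups()
            findings.append({'kind': 'plugin', 'site': site_of(path), 'path': path,
                             'detail': f'{plugin}: {vuln}', 'stats_html': False})
    return findings


def summarize(findings):
    """Per-website counts, ordered so sites with malware hits come first for triage."""
    counts = defaultdict(lambda: {'malware': 0, 'outdated': 0, 'plugin': 0})
    for f in findings:
        counts[f['site']][f['kind']] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1]['malware'], -kv[1]['plugin'], kv[0]))


if __name__ == '__main__':
    for site, c in summarize(parse_report(SAMPLE_OUTPUT)):
        print(f"{site}: {c['malware']} malware, {c['outdated']} outdated, {c['plugin']} vulnerable plugin(s)")
```

To run it against a real result file, read /tmp/found_malware_<timestamp>.txt and the software_*.txt files and pass their concatenated text to parse_report.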


Install ISPProtect

ISPProtect can be used without installation as outlined in the first chapter. If you would like to use ISPProtect regularly, follow the instructions below to install it permanently on your server.

Log in as root on the shell of your server and create the installation directory for ISPProtect; I will use /usr/local/ispprotect here:

mkdir -p /usr/local/ispprotect
chown -R root:root /usr/local/ispprotect
chmod -R 750 /usr/local/ispprotect
cd /usr/local/ispprotect
wget http://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz
rm -f ispp_scan.tar.gz
ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan

Now you can start ISPProtect with the command:

ispp_scan

without entering the installation directory first.


Update ISPProtect

Run the ispp_scan command; it will notify you when a newer version of the scan engine is available and will download the update automatically after your approval. The malware signatures are always updated automatically when you scan your server.


Report Malware

ISPProtect contains a built-in malware reporting tool. If you find malware on your server that ISPProtect did not detect, please report it with the following command:

./ispp_scan --report=/path/to/the/malware/file.php

ISPProtect will ask for your approval before it sends the malware file to our servers. Please do not send files that contain passwords or other sensitive data. Our security researchers will review the reported file (this normally takes 1-2 days) and add a malware signature for it to ISPProtect.

Example:

root@web:/tmp# ./ispp_scan --report=/var/www/web1/tool1.php
       _____  _____ _____  _____           _            _
      |_   _|/ ____|  __ \|  __ \         | |          | |
        | | | (___ | |__) | |__) | __ ___ | |_ ___  ___| |_
        | |  \___ \|  ___/|  ___/ '__/ _ \| __/ _ \/ __| __|
       _| |_ ____) | |    | |   | | | (_) | ||  __/ (__| |_
      |_____|_____/|_|    |_|   |_|  \___/ \__\___|\___|\__|
 __          __  _        _____
 \ \        / / | |      / ____|
  \ \  /\  / /__| |__   | (___   ___ __ _ _ __  _ __   ___ _ __
   \ \/  \/ / _ \ '_ \   \___ \ / __/ _` | '_ \| '_ \ / _ \ '__|
    \  /\  /  __/ |_) |  ____) | (_| (_| | | | | | | |  __/ |
     \/  \/ \___|_.__/  |_____/ \___\__,_|_| |_|_| |_|\___|_|

                                               Version 1.6.1

                    (c) 2015 by ISPConfig UG
                       all rights reserved


ionCube Check succeeded.
Please note that the FULL file is sent to the ISPProtect server.
We will delete all files after investigation but you should NOT SEND files containing LOGIN DATA etc.
Please confirm that you want to send tool1.php (y/N):<- y
Thank you. We have received your report and will check the file.
Be aware that we cannot reply to your report.


Report false positives

ISPProtect contains a built-in false positive reporting tool. If ISPProtect lists a file as malware that is not malicious, please report it with the following command:

./ispp_scan --false-positive=/path/to/the/malware/file.php

ISPProtect will ask for your approval before it sends the file to our servers. Please do not send files that contain passwords or other sensitive data. Our security researchers will review the reported file (this normally takes 1-2 days) and add a whitelist signature for it to ISPProtect.

If the reported file is an HTML file generated by a website statistics tool such as Webalizer or AWStats, and it was flagged because the statistics show accesses to malware, please do not report this HTML file as a false positive.


Remove ISPProtect

ISPProtect does not install any software on your server. All you have to do to remove ISPProtect is to delete the ispp_scan* files in the folder where you downloaded ISPProtect.


Run ISPProtect in incremental mode

When running ISPProtect as a cron job, you might want to do a full scan only once a week or month and a daily scan that covers only files created or modified within the last two (or X) days. To do so, add --max-age=2 to the argument list of the ispp_scan call; the scanner will then skip all files older than 2 (or X) days. Keep in mind that file modification dates can be faked, so you should always do a full scan at least once a month.


Exclude files from scan

To exclude files or paths from the scan, use the --exclude and --exclude-from arguments. For example, to exclude all PNG files, add --exclude='*.png' (patterns are case-sensitive).
To exclude a log directory, e.g. the log directory of ISPConfig websites, use --exclude='**/log/*.log'.
--exclude can be used multiple times, but it is often more convenient to put all exclude patterns in one file, one pattern per line (e.g. /usr/local/ispprotect/excludes.list), and pass --exclude-from=/usr/local/ispprotect/excludes.list (or whichever path you chose).


Local whitelisting

ISPProtect allows you to create a local whitelist. You can add a file to the whitelist by calling

ispp_scan --whitelist=/path/to/your/file.php

This adds the MD5 hash of the file to the whitelist, so every other file with identical content is also excluded from further hits.

By default, the whitelist is stored in ~/.ispp_scan.whitelist. You can change this path by adding the --whitelist-path argument:

ispp_scan --whitelist-path=/home/user/.ispprotect.wl --whitelist=/path/to/your/file.php

Pass the same --whitelist-path argument on your scan runs so that the scanner reads the whitelist from the custom location.


Ignoring malware types

You can ignore specific malware types by using the --ignore argument, e.g.:

ispp_scan --ignore={ISPP}suspect.eval.base64

This would ignore all malware named {ISPP}suspect.eval.base64 (not recommended, of course). You can use this argument multiple times to ignore more than one malware type.


Run ISPProtect as Cronjob

Create a cronjob file to run ISPProtect automatically once a day, week or month on your server as outlined below. I assume that you installed ISPProtect in the /usr/local/ispprotect folder.

nano /etc/cron.d/ispprotect

with the following content:

#
#  ISPProtect cronjob
#
# Minute   Hour   Day of Month       Month          Day of Week        User Command    
# (0-59)  (0-23)     (1-31)    (1-12 or Jan-Dec)  (0-6 or Sun-Sat)    


# Daily ISPProtect cronjob
# 0 3  * * *   root	/usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --path=/var/www --email-results=root@localhost --non-interactive --scan-key=AAA-BBB-CCC-DDD

# Daily incremental ISPProtect cronjob
# 0 3  * * *   root	/usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --no-version-scan --path=/var/www --email-results=root@localhost --non-interactive --max-age=2 --scan-key=AAA-BBB-CCC-DDD

# Weekly ISPProtect cronjob run on sunday
# 0 3  * * 0   root	/usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --path=/var/www --email-results=root@localhost --non-interactive --scan-key=AAA-BBB-CCC-DDD

# Monthly ISPProtect cronjob
# 0 3  1 * *   root	/usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --path=/var/www --email-results=root@localhost --non-interactive --scan-key=AAA-BBB-CCC-DDD

How to adjust the cron file:

1) Remove the # in front of one of the 4 cron command lines to activate it.
2) Replace /var/www with the path that shall be scanned.
3) Replace root@localhost with your email address. The Scan report will be sent to this address.
4) Replace AAA-BBB-CCC-DDD with your ISPProtect license key.


Deploy ISPProtect with Puppet

Puppet can be used to deploy ISPProtect automatically in larger server farms. The ISPProtect Puppet module developed by Eelco Maljaars can be found on Puppet Forge:

https://forge.puppet.com/eelcomaljaars/ispprotect

The source code is also available on GitHub.

https://github.com/eelcomaljaars/puppet_ispprotect/


Advanced Options

Run the command:

./ispp_scan --help

to get a list of all available options of the ispp_scan command.

./ispp_scan --help
       _____  _____ _____  _____           _            _
      |_   _|/ ____|  __ \|  __ \         | |          | |
        | | | (___ | |__) | |__) | __ ___ | |_ ___  ___| |_
        | |  \___ \|  ___/|  ___/ '__/ _ \| __/ _ \/ __| __|
       _| |_ ____) | |    | |   | | | (_) | ||  __/ (__| |_
      |_____|_____/|_|    |_|   |_|  \___/ \__\___|\___|\__|
 __          __  _        _____
 \ \        / / | |      / ____|
  \ \  /\  / /__| |__   | (___   ___ __ _ _ __  _ __   ___ _ __
   \ \/  \/ / _ \ '_ \   \___ \ / __/ _` | '_ \| '_ \ / _ \ '__|
    \  /\  /  __/ |_) |  ____) | (_| (_| | | | | | | |  __/ |
     \/  \/ \___|_.__/  |_____/ \___\__,_|_| |_|_| |_|\___|_|

                                              Version 1.12.8

                 (c) 2015-2016 by ISPConfig UG
                       all rights reserved


ionCube Check succeeded.

Call ./ispp_scan [--path=] [--no-version-scan] [--no-malware-scan] [--no-plugin-version-scan] [--email-results=,,... [--email-empty-results]] [--non-interactive] [--quarantine[=xxxxxx] [--all|--restore]] [--scan-key=] [--whitelist-path=/to/hash-file>] [--max-age=] [--show-hits] [--ignore=]
or
Call ./ispp_scan --key-status [--scan-key=]
or
Call ./ispp_scan --update [--email-results=,,...]
or
Call ./ispp_scan --report= [--email=]
or
Call ./ispp_scan --false-positive= [--force-yes] [--email=]
or
Call ./ispp_scan --whitelist= [--whitelist-path=/to/hash-file>]

        --path                  What path should be scanned for malware? If not given, path is asked on script run.
        --no-version-scan       Don't scan for outdated web software (this implies --no-plugin-version-scan).
        --no-malware-scan       Don't scan for malware.
        --no-plugin-version-scan        Don't Scan for outdated wordpress plugins.
        --email-results         Send found malware and outdated software to the provided address(es).
        --email-empty-results           Send scan report to email even if no malware was found.
        --non-interactive       Do not ask for input. You need to provide --scan-key to use non-interactive mode. Automatic updates are disabled.
        --ignore                Malware of this type is not included in results (case-insensitive), e.g. --ignore={ISPP}suspect.eval.base64
                                Can be used multiple times.
        --exclude               You can specify patterns to exclude from files to scan, e. g. --exclude='*.png' to ignore all png files.
                                * is a placeholder for all characters except /. Do exclude full paths, use **, e. g. --exclude='**/log/*.log'
                                Can be used multiple times.
        --exclude-from          To avoid having to specify --exclude many times you can use --exclude-from pointing to a file
                                that contains multiple exclude patterns (same form as for --exclude), one line each.
                                Can be used multiple times.
        --quarantine            Move infected files to quarantine directory.
        --quarantine=YYYYMMDDHHMMSS     Move infected files from a finished run to quarantine directory.
        --all                   Also move possibly malicious files to quarantine directory (higher risk of false positives being moved).
        --restore               Restore all quarantined files of a scan.
        --whitelist             File will be added to the local whitelist.
        --whitelist-path        Path to the hash file for the whitelist. Default is ~/.ispp_scan.whitelist
        --key-status            Check status of provided key (e. g. amount of scans left).
        --scan-key              Provide your scan key for non-interactive mode or the path to the file containing your scan key.
        --show-hits             Show found malware files during scan (you will lose the progress output).
        --max-age               Scan only files newer than X days.
        --update                Update ISPProtect silently and quit. Return code will be 0 on success, 1 otherwise.
        --report                Send a file to ISPProtect server that was accidently not recognized as malware.
        --false-positive        Send a file to ISPProtect server that was accidently recognized as malware.
        --force-yes             Do not ask for confirmation before sending a false positive file to the ISPProtect server.