I was wondering if there was a malware scanner for websites with up to date exploits for use on a Debian web server with Apache 2.2?

Vulnerability scanners are great, but I also want to be sure that undetected hacking attempts that infect my files with malware get detected.

I already use these tools to monitor my system:

  • Clam AV (anti virus)
  • Paros (vulnerability scanner)
  • Wapiti (vulnerability scanner)
  • Scrawlr (vulnerability scanner)
  • W3af (vulnerability scanner)
  • Mod_security

EDIT: I am looking for something like the Sucuri scanner just installed on my webserver.

Cudos

3 Answers

Sounds like you have them mostly covered. Do you run a file scanner that runs MD5 hashes to monitor file changes, like Tripwire? That's the best way to detect "unknown" hacks, since it will tell you when files are altered and you don't necessarily know how it happened.

Bart Silverstrim
  • I have been considering Tripwire. But some files are user generated and therefore it is a bit difficult to use Tripwire in that situation. – Cudos Apr 04 '11 at 15:01
  • Yes, they'd have to be excluded. But system files and many files that would be altered by a hack shouldn't change unless it is system-updated. That's what gets protected. Anything user-generated should be suspect. – Bart Silverstrim Apr 04 '11 at 15:18

Looks like you have a good set of checks in place.

Securing your files so the server cannot write them stops a number of attacks. Changing the ownership to a user id other than www-data and limiting write access to the owner will prevent most attempts to change your content. Limit write access by www-data (the web server) to as few directories and files as possible.

If your content is mostly static you could consider a checksum database like Tripwire.

If your content is in a revision control system, then you can use a read-only id to update the website. Using your RCS's diff utility will find any changes.

A log scanner such as logcheck can report some attacks.

BillThor
  • Thanks, I also already limit permissions to 755, 644 and only use www-data for cache and file upload functionality. Logcheck is new to me. Have to look into that more. – Cudos Apr 04 '11 at 15:00
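A minimal version of the checksum approach described in this answer and in Bart Silverstrim's, written as an added example (it is not code from either answer or from Tripwire): it hashes the web root with SHA-256 rather than MD5, and takes a colon-separated list of directories that www-data is allowed to write (the `uploads:cache` names used here are assumed) so that user-generated content is left out of the baseline and does not flood the report.

```shell
#!/bin/sh
# Minimal Tripwire-style integrity check for a web root (added example, not from the
# answers above). A SHA-256 baseline is kept outside the web root; at check time the
# tree is re-hashed and added, modified or removed files are reported. Directories
# www-data legitimately writes (cache, uploads) are excluded, as the comments suggest.

# snapshot ROOT EXCLUDES: print "hash  ./path" for each regular file under ROOT,
# skipping files below the colon-separated top-level directories in EXCLUDES.
snapshot() {
    (
        cd "$1" || exit 1
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            skip=0
            old_ifs=$IFS; IFS=:
            for ex in $2; do
                case "$f" in "./$ex"/*) skip=1 ;; esac
            done
            IFS=$old_ifs
            if [ "$skip" -eq 0 ]; then sha256sum "$f"; fi
        done
    )
}

# check ROOT EXCLUDES BASELINE: compare the live tree with BASELINE. Prints one
# "ADDED|MODIFIED|REMOVED path" line per change and returns 1 if anything changed.
check() {
    changes=$(
        { sed 's/^/OLD /' "$3"; snapshot "$1" "$2" | sed 's/^/NEW /'; } | awk '
            # Line layout: TAG(3) + space + 64-char hash + 2 spaces + path (column 71)
            { hash = $2; path = substr($0, 71) }
            $1 == "OLD"       { old[path] = hash; next }
            !(path in old)    { print "ADDED    " path; next }
            old[path] != hash { print "MODIFIED " path }
                              { delete old[path] }
            END { for (p in old) print "REMOVED  " p }'
    )
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Usage: fim.sh baseline ROOT EXCLUDES DBFILE   (once, and again after every deploy)
#        fim.sh check    ROOT EXCLUDES DBFILE   (from cron; mail the output on failure)
case "${1:-}" in
    baseline) snapshot "$2" "$3" > "$4" ;;
    check)    check "$2" "$3" "$4" ;;
esac
```

Because `check` exits non-zero only when something differs, a cron line such as `fim.sh check /var/www uploads:cache /root/www.db || mail -s "web root changed" root` reports only on change; the baseline must be regenerated after each legitimate deploy, and the DBFILE must live where www-data cannot write it.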

It sounds like you are looking for Linux Malware Detect: http://www.rfxn.com/projects/linux-malware-detect/ . Just make sure you configure it to email you when it detects something (it sets up a daily cron to scan new files by default).

devicenull
  • This malware detector does not detect ANY of the common JavaScript based infections. I scanned many servers with this, having a huge number of infected JavaScript files; it didn't detect even one of them as malware. So in this case it's useless – Farhan Aug 08 '12 at 11:32
  • In what case is it useless? You didn't ask the original question, so why do you seem surprised that an answer to a completely different question doesn't work for you? – devicenull Aug 08 '12 at 19:15