We can accept spiteful commands and the Maldet tool, ClamAV to find spiteful code on your website content.
Here is a little bit of code that I run. It seeks within cgi and php files for real strings, and then places the file name within a different file so that you can go through them:
find /home/ \( -name “*.cgi” -o -name “*.php” \) -print0 | xargs -0 egrep -l ‘c99shell|r57shell|WebShell|phpshell|shell|c100|base64’ >> /root/report
netstat -anp : Look for programs attached to ports that you did not install / authorize
find / ( -perm -a+w ) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world-writable lists and catalogs. This will reveal places where an intruder can store files on your policy. NOTE: Fixing support on some PHP/CGI scripts that are not correctly coded will break them.
find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses warning data from network edge interference detection systems to extract malware that is actively being used in attacks and creates signatures for detection. Please use the following link to download and install Maldet.
Download malware detect
tar -zxvf maldetect-current.tar.gz
Once installation completed.
try to scan your files.
maldet -a /home/?/public_html
This will scan all your account files… This should be preferred with a screen.
To scan one particular folder, use this option.
maldet -a /home/testuser
Simply log into WHM, go to the cPanel section and click “Plugins.” Check the box next to “clamavconnector” and click Save at the bottom of the page. This will install ClamAV.
Update antivirus database:
Scan a directory and print out infected files:
clamav -ri /home
Scan a directly and remove infected files and emails:
clamav -ri –remove /home