Malware Scanner and Removal


Shared web hosting companies usually have the ClamAV virus scanner installed on their servers. This is very helpful for scanning PHP files for malware. You need SSH access to the server, and our script uses PHP malware signatures to get a better detection rate for PHP malware.

We created a bash script for website malware scanning, so there is no need to download and install everything manually. If you don't have root privileges on the server, the script still works on your own home files and folders.

Requirements

Features

  • Automatic cloud-based auto cleanup
  • Malware removal (rename files to suspected)
  • Using ClamAV scanning engine
  • Using PHP malware signatures

Download Script

This script works on cPanel, DirectAdmin and other Linux servers where the ClamAV scanner is installed.

# wget http://cdn.malware.expert/malware.expert.scanner.sh

Download Direct: http://cdn.malware.expert/malware.expert.scanner.sh

Usage:

Execute the script with bash, or chmod 750 the script and then execute it:

# bash malware.expert.scanner.sh

Output

 +---------------------------------------------------------------------+
 | Malware Expert - Malware Scanner & Removal (v1.0.6)                 |
 |                                                                     |
 | https://malware.expert                                              |
 | support@malware.expert                                              |
 |                                                                     |
 +---------------------------------------------------------------------+
 | USAGE:                                                              |
 | ./malware.expert.scanner.sh scan <path>                             |
 | ./malware.expert.scanner.sh --exclude='regex_pattern' scan <path>   |
 | ./malware.expert.scanner.sh clean <path>                            |
 | ./malware.expert.scanner.sh restore <path>                          |
 | ./malware.expert.scanner.sh restore <path> force                    |
 | ./malware.expert.scanner.sh delete <path>                           |
 | ./malware.expert.scanner.sh update                                  |
 | ./malware.expert.scanner.sh update force                            |
 |                                                                     |
 | EXAMPLE:                                                            |
 | ./malware.expert.scanner.sh scan ./public_html                      |
 | ./malware.expert.scanner.sh clean /home/user/                       |
 | ./malware.expert.scanner.sh --exclude='\.(zip|tar\.gz)$' scan ./    |
 +---------------------------------------------------------------------+

Scan public_html folder

On a DirectAdmin or cPanel server, scan the current folder:

# bash malware.expert.scanner.sh scan ./

Result Scan

 +----------------------------------------------------------------+
 | Malware Expert - Malware Scanner & Removal (v1.0.6)            |
 |                                                                |
 | https://malware.expert                                         |
 | support@malware.expert                                         |
 |                                                                |
 +----------------------------------------------------------------+

Start scanning in ./

./bbbbbbb.php: {HEX}PHP.Remoteadmin-3.UNOFFICIAL FOUND
./blog.php: {multi}Malware.Expert.base64.isset.strtoupper.eval.0.signature.UNOFFICIAL FOUND
./c99.php: {HEX}php.cmdshell.c99.230.UNOFFICIAL FOUND
./cache54.php: {HEX}php.generic.malware.444.UNOFFICIAL FOUND
./cache-db.php: {multi}Malware.Expert.hidden.joomla.assert.0.signature.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 5
Cleaned files: 0
Deleted files: 0
Skipped files: 0
Manual files: 0

USAGE for automatic cleaning:
# bash ../malware.expert.scanner.sh clean ./

Buy cPGuard for realtime protection with full features

Remove Website Malware

# bash malware.expert.scanner.sh clean ./
 +----------------------------------------------------------------+
 | Malware Expert - Malware Scanner & Removal (v1.0.6)            |
 |                                                                |
 | https://malware.expert                                         |
 | support@malware.expert                                         |
 |                                                                |
 +----------------------------------------------------------------+

Start scanning in ./

./bbbbbbb.php: {HEX}PHP.Remoteadmin-3.UNOFFICIAL FOUND
./blog.php: {multi}Malware.Expert.base64.isset.strtoupper.eval.0.signature.UNOFFICIAL FOUND
./c99.php: {HEX}php.cmdshell.c99.230.UNOFFICIAL FOUND
./cache54.php: {HEX}php.generic.malware.444.UNOFFICIAL FOUND
./cache-db.php: {multi}Malware.Expert.hidden.joomla.assert.0.signature.UNOFFICIAL FOUND

Start cleaning ... (this may take for while)

[MANUAL_] ./bbbbbbb.php
[CLEANED] ./blog.php (blog.php.suspected)
[DELETED] ./c99.php (c99.php.suspected)
[DELETED] ./cache54.php (cache54.php.suspected)
[MANUAL_] ./cache-db.php

----------- SCAN SUMMARY -----------
Infected files: 5
Cleaned files: 1
Deleted files: 2
Skipped files: 0
Manual files: 1


Buy cPGuard for realtime protection with full features

Then you need to manually check every file reported as [MANUAL_] and, if it contains malware, remove the malware from the code or, in the worst case, delete the whole file.

If you delete files, make sure they are entirely malware, or deleting them can cause the website to malfunction.
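To make the manual review step concrete, here is an added example (not part of malware.expert.scanner.sh and not code from this site) that reads a saved copy of the clean run's output and lists each [MANUAL_] file next to the signature that flagged it. It assumes the output was redirected to a log file; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of malware.expert.scanner.sh): turn a saved
# "clean" run into a manual-review worklist. Function names are hypothetical.

# Print "path<TAB>signature" for every file tagged [MANUAL_].
manual_worklist() {
    awk '
        # Detection lines look like "<path>: <signature> FOUND".
        / FOUND$/ {
            line = $0
            sub(/ FOUND$/, "", line)
            # Signatures contain no spaces, so split at the last ": ".
            if (match(line, /: [^ ]+$/))
                sig[substr(line, 1, RSTART - 1)] = substr(line, RSTART + 2)
            next
        }
        # Action lines look like "[MANUAL_] <path>".
        /^\[MANUAL_] / {
            path = substr($0, 11)
            printf "%s\t%s\n", path, (path in sig ? sig[path] : "unknown")
        }
    ' "$1"
}

# Count action lines for one tag (CLEANED, DELETED, MANUAL_) so the totals
# can be compared with the SCAN SUMMARY block.
count_tag() {
    grep -c "^\[$2] " "$1" || true
}

# Constructed sample log, built from output lines shown on this page.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
./bbbbbbb.php: {HEX}PHP.Remoteadmin-3.UNOFFICIAL FOUND
./blog.php: {multi}Malware.Expert.base64.isset.strtoupper.eval.0.signature.UNOFFICIAL FOUND
./c99.php: {HEX}php.cmdshell.c99.230.UNOFFICIAL FOUND
./cache-db.php: {multi}Malware.Expert.hidden.joomla.assert.0.signature.UNOFFICIAL FOUND
[MANUAL_] ./bbbbbbb.php
[CLEANED] ./blog.php (blog.php.suspected)
[DELETED] ./c99.php (c99.php.suspected)
[MANUAL_] ./cache-db.php
EOF

manual_worklist "$SAMPLE_LOG"
```

Counting the tagged lines yourself gives a figure to compare against the summary block before treating the cleanup as finished.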

You can use our tutorial Detect Malware and Remove it from source code.

We also offer a Website Malware Removal Service if you don't know how to clean up a website.

Final words

Read more about Malware Expert – ModSecurity rules if you want to protect your web server from malware. You can also use the free RBL Database to prevent DDoS attacks on WordPress, Joomla and other CMS systems.