scan for malware, viruses and php eval based infections

In order to keep the linux server as safe as possible I wrote two quick bash scripts that will scan for infected files and then send me an email report to take action.

On the server I have centos with whm/cpanel and as antivirus I use clamav. In order to scan the home directories I use:

rm /my/log/file

for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/bin/clamscan --no-summary -i -r /home/$i 2>>/dev/null; done >> /my/log/file

printf "\n" >> /my/log/file
sed -i "1i Subject: Virus Report `date +%m-%d-%Y`" /my/log/file

if [ $? -gt 0 ];
/usr/sbin/sendmail -v [email protected] < /my/log/file

now there is another possibility that some php scripts will have something like:

// a recent attack I've seen
if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;}

In the above case the antivirus won't detect the threat.

To overcome this I created a script that will scan the home directory for scripts containing a certain pattern. Then I manually check them to see if everything is ok

rm /my/log/base64eval_output.txt

find /home -type f -name "*.php" -exec grep -l -e "eval(base" -e "eval(gz" {} + >> /my/log/base64eval_output.txt

printf "\n" >> /my/log/base64eval_output.txt
sed -i "1i Subject: PHP eval Report `date +%m-%d-%Y`" /my/log/base64eval_output.txt
/usr/sbin/sendmail -v [email protected] < /my/log/base64eval_output.txt

You can also directly download your files and then enter them in cron like described bellow

And now the cron:

crontab -e

then add for the last two lines:

0 2 * * 5 /root/scripts/base64eval_scan > /dev/null 2>&1&
0 6 * * * /root/scripts/mails_sent_from_scripts_status > /dev/null 2>&1&

Don't hesitate to let me know if this helped you in some way and of course any improvements / suggestions you may have.

Thank you!