Data Centers

How to check your Linux servers for rootkits and malware

Linux is a reliable, secure choice for your data center. Even so, doing regular checks for rootkits and malware is always an advised best practice. Jack Wallen shows you how.

Image: Jack Wallen

If your data center makes use of Linux, you want to ensure those servers are free from both rootkits and malware. Although Linux, in general, is safe from a vast amount of malicious software, it is a mistake to assume it completely impervious. Not only could you wind up with a data-destroying rootkit, if one of your Linux machines happens to work as a web server, that machine could have been compromised and is now serving up malicious code.

How do you avoid such issues? You take precautions. One such precaution is using the right tools to scan your machines for both rootkits and malicious code. I want to walk you through the process of installing and using two tools that will scan for both. I'll be demonstrating on Ubuntu Server 16.04, so if you use a different platform, adjust accordingly.


The first check we want to run is for rootkits. One tool that serves this purpose is called chkrootkit. This tool is fairly straight-forward and can be installed with the command:

sudo apt-get install chkrootkit

To run the check, issue the command:

sudo chkrootkit

The check will run (Figure A) and take some time to complete.

Figure A

Figure A

So far so good with the rootkit check.

When chkrootkit begins to search for sniffer logs, the process will seem to stop; this is normal, so you might as well busy yourself with something else.

If you get a positive hit from chkrootkit, it will be important to do a bit of research, as there are known false positives. On a scan of Ubuntu Server 16.04, the following was reported:

Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd

This is one of the known false-positives (related to the openssh-server package) and can be ignored.

If you receive any other warnings or errors, be sure to immediately research what chkrootkit reports. The application will not instruct you on how to fix the problem, only that the problem exists.


Now let's install an application that will search our web server for malicious software. For this we'll use ISPProtect. Do note this software is not free. You can use it as a trial, but eventually you will have to pay the $7.92/month for the full license. To install this software, issue the following commands:

sudo apt-get install php-cli
sudo mkdir -p /usr/local/ispprotect
sudo chown -R root:root /usr/local/ispprotect
sudo chmod -R 750 /usr/local/ispprotect
sudo cd /usr/local/ispprotect
sudo wget
sudo tar xzf ispp_scan.tar.gz
sudo rm -f ispp_scan.tar.gz
sudo ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan

To run the scan, issue the command sudo ispp_scan. You will then be prompted to either enter your scan key (Figure B - if you've purchased a license) or type TRIAL (if you've not purchased a license).

Figure B

Figure B

Enter your scan key or TRIAL when prompted.

Next you will be asked to enter the path for scanning. Since ISPProtect is a web scanner, you will want to enter the document root of your web server (such as /var/www). Type the path of your document root and hit the Enter key on your keyboard and the scan will begin.

Depending on how much data and how many sites you have in your document root, this scan does go deep, so it can take some time. In the end, you should be given a complete report on the results (Figure C).

Figure C

Figure C

The ISPProtect report.

You can set this scan up as a cronjob for automated hourly scanning (which I highly recommend). To do this, issue the command sudo nano /etc/cron.d/ispprotect and copy the following:

0 * * * * root	/usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --path=/var/www --email-results=EMAIL --non-interactive --scan-key=KEY

Where EMAIL is an email address for reports to be mailed to and KEY is the scan key purchased from ISPProtect. The —update option will ensure that ISPProtect signatures are always up to date. Save and close that file.

If hourly scanning is too frequent, you can always modify the above cronjob for:

  • 0 1 * * * - every day at 1 AM
  • * */2 * * * - every other hour
  • * */3 * * * - every third hour

The results of the scan will be automatically emailed to the address you provided in the cronjob.

Keep it clean

Using Linux in your data center is a smart idea. Assuming those servers will be clean and clear from malicious software, by default, is not such a smart idea. Make sure to use the right tools to ensure your Linux data center servers are free from rootkits and malware and they'll serve you well for a very long time.

Also see

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website

Editor's Picks

Free Newsletters, In your Inbox