Strange VPS Requests: Malware Check

TL;DR

Your VPS is getting odd HTTP requests, possibly from a previous malware infection. This guide helps you investigate and clean up any remnants.

1. Initial Investigation – Logs are Your Friend

  1. Access your server logs: The most common places are /var/log/apache2/access.log (Apache) or /var/log/nginx/access.log (Nginx). Use a text editor like nano or vim, or the tail -f command to view them live.
    sudo tail -f /var/log/apache2/access.log
  2. Look for patterns: Identify the strange requests. Pay attention to:
    • IP addresses: Are they from known bad locations? Use a website like AbuseIPDB to check.
    • URLs: What are they trying to access? Malware often uses specific, hidden URLs.
    • User-Agent strings: Unusual user agents can indicate bots or malicious scripts.
    • HTTP methods: Are they using POST requests with strange data?
  3. Time of activity: When are these requests happening? Scheduled tasks might be involved.
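As an added example (not part of the original guide), the following Python script applies the checklist above to combined-format access log lines: it flags hidden paths, POST requests and unusual user agents, groups hits by source IP and URL, and marks groups that recur on the hour, the timing signature of a scheduled task. The default Apache/Nginx "combined" layout and the sample lines (documentation IP ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache/Nginx "combined" log layout (assumed default; adjust the regex for a custom LogFormat).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCRIPT_UAS = ("python-requests", "curl/", "wget/", "go-http-client")

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2024:03:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/May/2024:03:00:02 +0000] "POST /wp-content/uploads/.cache/x.php HTTP/1.1" 200 43 "-" "-"
203.0.113.9 - - [10/May/2024:04:00:02 +0000] "POST /wp-content/uploads/.cache/x.php HTTP/1.1" 200 43 "-" "-"
203.0.113.9 - - [10/May/2024:05:00:03 +0000] "POST /wp-content/uploads/.cache/x.php HTTP/1.1" 200 41 "-" "-"
198.51.100.8 - - [10/May/2024:05:12:44 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "curl/8.5.0"
"""

def parse_line(line):
    # Returns the named groups as a dict, or None for a line that is not combined format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_request(rec):
    # Reasons from the checklist above that make one request look odd; [] if none.
    reasons = []
    if any(seg.startswith(".") for seg in rec["path"].split("/") if seg):
        reasons.append("hidden path")          # dot-file or dot-directory in the URL
    if rec["method"] == "POST":
        reasons.append("POST")                 # data being pushed at the server
    ua = rec["ua"].lower()
    if ua in ("", "-") or any(s in ua for s in SCRIPT_UAS):
        reasons.append("unusual user-agent")   # missing, or a scripting tool's default
    return reasons

def analyze(log_text):
    # Group flagged requests by (ip, path) and mark groups that recur hourly (cron-like timing).
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and flag_request(rec):
            groups[(rec["ip"], rec["path"])].append(rec)
    report = {}
    for key, recs in groups.items():
        times = sorted(datetime.strptime(r["ts"], TS_FMT) for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        reasons = sorted({why for r in recs for why in flag_request(r)})
        hourly = len(gaps) >= 2 and all(abs(g - 3600) <= 5 for g in gaps)
        report[key] = {"count": len(recs), "reasons": reasons, "hourly": hourly}
    return report
```

On a real server, call `analyze(open("/var/log/apache2/access.log").read())` and review the groups marked `hourly` against the cron checks in section 2.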

2. Check for Suspicious Files

  1. Scan your home directories: Look for recently modified files, especially in user accounts that may have been compromised.
    find /home -type f -mtime -7
  2. Look for hidden files and directories: Malware often hides its files. Use ls -la to show all files, including those starting with a dot (.).
    ls -la /var/www/html
  3. Check cron jobs: Cron jobs are scheduled tasks that could be running malicious scripts.
    crontab -l

    Also check system-wide cron files in /etc/cron.d/ and /etc/crontab.

  4. Examine web server configuration: Check your Apache or Nginx config files (usually in /etc/apache2/sites-available/ or /etc/nginx/sites-available/) for any unusual directives.

3. Malware Scanning

  1. Install a malware scanner: Several options are available, such as:
    • ClamAV: A free and open-source antivirus engine.
      sudo apt update && sudo apt install clamav

      Then run a scan:

      sudo clamscan -r /var/www/html
    • Rootkit Hunter (rkhunter): Detects rootkits and other hidden malware.
      sudo apt install rkhunter && sudo rkhunter --checkall
  2. Update the scanner database: Run this before the first clamscan so the scanner has the latest definitions.
    sudo freshclam
  3. Run a full system scan: Scan all critical directories and files.

4. Remove Identified Threats

  1. Delete malicious files: Carefully remove any files identified as malware by the scanner.
    sudo rm /path/to/malicious_file
  2. Remove suspicious cron jobs: Edit your crontab file (using crontab -e) and delete any entries you don’t recognize or trust.
  3. Restore from backup (if available): If you have a recent, clean backup, restoring it is the safest option.

5. Security Hardening

  1. Update your software: Keep your operating system and all installed packages up to date.
    sudo apt update && sudo apt upgrade
  2. Use strong passwords: For all user accounts, especially root.
  3. Enable a firewall: UFW (Uncomplicated Firewall) is easy to use. Set the default policy and allow SSH before enabling it, so you do not lock yourself out of the server.
    sudo ufw default deny incoming && sudo ufw allow ssh && sudo ufw enable
  4. Regularly monitor your logs: Set up log monitoring tools to alert you of suspicious activity.
  5. Consider two-factor authentication: For SSH and other critical services.