ClamAV copes quite well with finding shells and viruses on sites. It once helped me discover a shell planted on a WordPress site. The problem turned out to be in some plugin, but that is beyond the scope of this article. :)
First you need to install ClamAV:
aptitude install clamav
After installation, be sure to update the virus databases by typing the freshclam command in the console. The result of the update is displayed.
root@localhost:~# freshclam
ClamAV update process started on Wed Jul 16 11:08:02 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Downloading daily-19193.cdiff [100%]
daily.cld updated (version: 19193, sigs: 1082296, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 242, sigs: 46, f-level: 63, builder: dgoddard)
Database updated (3506567 signatures) from db.local.clamav.net (IP: 18.104.22.168)
After the update process, you can run a scan. The command is simple:
clamscan -i -r /path/to/site
The -i switch displays only infected files in the scan report.
The -r switch will tell the scanner to scan directories recursively.
With this command, the scan result is displayed in the console. If there are many files and you have no time (or desire :)) to watch the console, you can run the scan inside a screen session.
If necessary, install it:
aptitude install screen
The scan is launched in this case as follows:
screen -A -m -d clamscan -i -r -l clamlog.txt
The -A -m -d switches for screen start the session detached, in the background. To reattach to the session, use the screen -r command.
To detach again and leave the scan running, press Ctrl+A followed by D.
The scanner's -l switch writes the scan log to a text file, whose name must be given immediately after the switch. When the scan runs under screen, information about what was found will not be displayed on the console, because the screen session ends as soon as the scan completes.
You can also scan files from a list. To do this, specify the -f switch followed by the file containing the list of files to check.
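The -l and -f switches described above can be combined, as in this added example (not part of the original article): it builds a list of recently modified files, scans only those, and reads the detections back from the log. The function names, file names and the 7-day window are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: scan only recently changed files via -f, then pull
# detections out of the -l log (useful when the scan ran under screen).

# Write to "$3" every regular file under "$1" modified in the last "$2" days.
build_file_list() {
    find "$1" -type f -mtime "-$2" -print > "$3"
}

# Print "signature path" for each detection line in a clamscan log.
# Detection lines have the form "/path/to/file: Signature.Name FOUND";
# "OK" lines and the scan summary are ignored.
infected_from_log() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\2 \1/p' "$1"
}

# Scan the files listed in "$1", logging to "$2", then list detections.
# clamscan exits 0 when clean, 1 when something was found, 2 on error.
scan_list() {
    rc=0
    clamscan -i -f "$1" -l "$2" >/dev/null || rc=$?
    if [ "$rc" -gt 1 ]; then
        echo "clamscan failed (exit $rc)" >&2
        return "$rc"
    fi
    infected_from_log "$2"
}

# Runs only when a site directory is given, e.g.: sh recent_scan.sh /path/to/site
if [ -n "${1:-}" ]; then
    list="${TMPDIR:-/tmp}/recent-files.$$"   # hypothetical list file name
    build_file_list "$1" 7 "$list"
    scan_list "$list" clamlog.txt
    rm -f "$list"
fi
```

Scanning only recent files is a quick first pass after a suspected compromise; a full recursive scan is still needed, since modification times can be changed.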