Blazescan is a linux webserver malware scanning and incident response tool, with built in support for cPanel servers, but will run on any linux based server. If you are using consider reporting back unknown malicious files so we can add signatures for malware going forward.
git clone https://github.com/Hestat/blazescan.git cd blazescan ./install.sh
During the install will check to see if Clamscan is present, if not please install ClamAV first.
Follow the install procedure best suited for your OS.
Additionally will ask if you want to install Maldet and WPCLI to take advantage of all supported features.
simply start with
Blazescan is a malware scanning tool that uses clamav and custom malware databases
If you run blazescan without any arguments it will present a simple scanning menu -a will scan all cpanel accounts -A will use Agressive mode to scan all cpanel accounts uses clamd to run multicore scans, can increase load -u will scan the specified cpanel user -l will show the results of the last scan -t will display ctime of the hits in the last scan -d scan a directory of your choosing -w will run a scan on the directory of your choosing with wordpress checks included -f will run search for all files in the directory given and record ctime of all files -i provide a file to pull vital stats about the file -m will email the list of hits from the last scan, set email in blazscand.conf Mailtoaddress -n will provide an overview of logged in users and network traffic -N will run a tcpdump for a specified time period and write the data to a file for later analysis -U will check for updates, and allow you to perform any available updates -R will allow you to report a malicious file back to add a signature use this if you encounter new malicious code that is not detected -h will display the help menu
By default the scanner will use the rules at https://github.com/Hestat/lw-yara
It will also use the maldet rules if installed http://www.rfxn.com/projects/linux-malware-detect/
runs using clamav as the scanning engine, will need to be installed and at least version 98+ to function properly.
Malware signatures update automatically.
To update the scanner to the latest version either reclone and run the install script again, or if you have the repo still locally, run:
git pull ./install.sh
This will pull any changes from the git repo and apply them to your install.
Writeups of the tool and its features: