If you suspect your server has been compromised, you can scan its disk from within the rescue system. The rescue system is a separate operating system, so the server's installed system, and any malware on it, is not running during the scan.
Enable the rescue system
As explained in the getting started guide:
- Select the server
- Navigate to "Rescue" and click on "Enable rescue & power cycle"
- After the reboot, connect to the server as root user
Create a chroot environment
Run lsblk and identify the name of the root partition (e.g. sda1). If the server uses software RAID or LVM, lsblk shows the md or mapper device that holds the root filesystem; use that instead.

Mount the root partition into /mnt and create the chroot environment. Replace sda1 with the name of your root partition:

```
mount /dev/sda1 /mnt
chroot-prepare /mnt
chroot /mnt
```

You can now navigate through the file structure of your server's primary disk.
-
Scan the system
- Install and run a malware scanner. For example, ClamAV:

```
apt update
apt install clamav -y
freshclam
clamscan -r -i / --exclude-dir="^/sys" --exclude-dir="^/proc"
```

The -r flag scans recursively; -i prints only infected files. Excluding /sys and /proc skips the kernel pseudo-filesystems mounted into the chroot, which contain no regular files worth scanning.

- Use rkhunter to check for rootkits:

```
apt install rkhunter -y
rkhunter --update
rkhunter --check --skip-keypress
```

Note that inside the chroot every command, including apt and clamscan, runs with the mounted system's own binaries and libraries, so a rootkit that has tampered with those could interfere with the scan. If you want ClamAV to use only the rescue system's tools, skip the chroot, install ClamAV in the rescue system and point clamscan at /mnt instead (rkhunter checks the system it runs on, so it still belongs inside the chroot).

Review the scan results carefully. If malware is found, we strongly recommend reinstalling the server from scratch rather than only removing the detected files, as compromised systems may contain additional backdoors.
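As an added example (not a script from the original page or from Hetzner), the following POSIX sh helper performs the ClamAV part of the scan from the rescue system without chrooting: it mounts the suspect root partition read-only, installs ClamAV into the rescue system, scans /mnt, and turns the scan log into a verdict. It assumes you are root in the rescue system, that apt and the clamav package are available there, and that the root partition is passed as the first argument (e.g. /dev/sda1). The log-parsing functions are exercised against a constructed sample log so they can be tested offline; the sample is not real scan output.

```sh
#!/bin/sh
# Hypothetical helper for scanning a server's disk from the Hetzner rescue
# system WITHOUT chrooting into it (added example, not from the original page).
# Assumptions: you are root in the rescue system, apt and the clamav package
# are available there, and the root partition is the first argument.

MOUNTPOINT=/mnt

# Mount the suspect filesystem read-only, and with noexec/nosuid/nodev so that
# nothing on it can be executed from the rescue system by accident.
mount_target() {
    mkdir -p "$MOUNTPOINT"
    mount -o ro,noexec,nosuid,nodev "$1" "$MOUNTPOINT"
}

# Install ClamAV into the rescue system itself and fetch signatures. Because we
# never chroot, clamscan runs with the rescue system's own binaries and
# libraries; a userland rootkit on the target cannot interfere with it.
install_clamav() {
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get install -y clamav
    freshclam
}

# Recursive scan of the mounted tree, logging to $LOG. The exclude patterns are
# anchored at the mount point. clamscan exit codes: 0 clean, 1 infected, 2 error.
scan_target() {
    clamscan -r -i "$MOUNTPOINT" \
        --exclude-dir="^$MOUNTPOINT/sys" \
        --exclude-dir="^$MOUNTPOINT/proc" \
        --exclude-dir="^$MOUNTPOINT/dev" \
        --log="$LOG"
}

# "Infected files: N" from the clamscan summary; "unknown" if the log has no
# summary (e.g. the scan was interrupted before it finished).
infected_count() {
    n=$(sed -n 's/^Infected files: *//p' "$1" | tail -n 1)
    echo "${n:-unknown}"
}

# Paths flagged by clamscan (lines of the form "<path>: <signature> FOUND").
infected_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p' "$1"
}

# Verdict from clamscan's exit code and the summary count. Any infection means
# reinstall, not cleanup: the detected files may not be the only backdoor.
assess() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected ($2 files): reinstall the server from scratch" ;;
        *) echo "scan error (exit $1): incomplete, do not treat as clean" ;;
    esac
}

# Constructed sample clamscan log (not real scan output) used to exercise the
# parsing functions offline.
write_sample_log() {
    cat > "$1" <<'EOF'
/mnt/tmp/.cache/update.sh: Example.Test.Signature FOUND
/mnt/var/tmp/x.elf: Example.Test.Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Engine version: 0.103.8
Scanned directories: 4000
Scanned files: 60000
Infected files: 2
Data scanned: 1200.00 MB
Time: 900.000 sec (15 m 0 s)
EOF
}

main() {
    LOG="/root/clamscan-$(date +%Y%m%d-%H%M%S).log"
    mount_target "$1"
    install_clamav
    scan_target
    rc=$?
    echo "verdict: $(assess "$rc" "$(infected_count "$LOG")")"
    infected_paths "$LOG"
    umount "$MOUNTPOINT"
}

# Usage: sh offline_scan.sh /dev/sda1   (does nothing when run without a device)
if [ "$#" -ge 1 ]; then main "$1"; fi
```

The scan log is kept under /root of the rescue system, so copy it off before rebooting: the rescue system's filesystem lives in RAM and is gone after the reboot. Mounting read-only also keeps filesystem timestamps intact, which matters if you later want to do forensics on the disk.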
Restart the server
Run exit to leave the chroot environment, then reboot to leave the rescue system:

```
exit
reboot
```

After the reboot, you should be able to log in to the normal system again.