Blazescan — Linux Malware Scanning Utility

Update: Much deeper dive and new features

Webserver Malware Investigations – Blazescan Tutorial

So as of late, I’ve felt a little let down by my traditional malware scanners for my compromised web server investigations. I’ve used ClamAV, Maldet, and an internal tool. But as with any AV product, your tool is only as good as your signatures. And for that I feel lacking, and often have to run 3 different scans that each reveal different malware.

So I began to write my own AV rules based on YARA, the sigtool utility for ClamAV and the integrated support that clamscan 0.98+ has for using both of these rule sets in a custom malware database. As I began to share these rules with other administrators and investigators, I found it to be a little unwieldy. I would need to instruct them to download the rules and ClamAV, and type out a custom string to run the scan like the following:

clamscan -ir -l /root/scanresults.txt -d /root/lw-yara/lw-rules_index.yar -d /root/lw-yara/lw.hdb /path/to/scan/

And then in all likelihood they would also need to run additional scans. Well, no more, or at least less likely.

Want an easy way to run a scan on your server that integrates signatures from multiple places and provides a bunch of nice features?

Check this out: https://github.com/Hestat/blazescan

The tool is designed to integrate with cPanel servers, but it can be used in any Linux environment with the -d flag.

Blazescan is a malware scanning tool that uses ClamAV together with custom malware databases.

If you run blazescan without any arguments it will present a simple scanning menu.

-a will scan all cPanel accounts

-u will scan the specified cPanel user

-l will show the results of the last scan

-t will display the ctime (inode change time) of each hit in the last scan

-d will scan a directory of your choosing

-h will display the help menu

By default the scanner will use the rules at https://github.com/Hestat/lw-yara

It will also use the Maldet rules if Maldet is installed: http://www.rfxn.com/projects/linux-malware-detect/

To install simply:

git clone https://github.com/Hestat/blazescan.git
cd blazescan
./install.sh

Then, on a cPanel server, just run blazescan and it will present the menu.

Not on a cPanel box? Use the -d flag to specify the directory you would like to scan.

Dependencies: ClamAV 0.98 or newer must be installed; if Maldet is installed, its signatures are integrated as well.
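As an added example (this is not code from blazescan or lw-yara), the bash helpers below show the pieces that the clamscan command quoted earlier and the -l / -t options are built from: a check that the installed ClamAV is 0.98 or newer, a generator for custom .hdb hash signatures in the same md5:size:name format that sigtool --md5 prints, a parser for the "path: Signature FOUND" lines of a clamscan log written with -l, and a ctime listing for each hit. It assumes Linux with GNU coreutils (md5sum, stat -c), the rules directory layout from the tutorial (lw-rules_index.yar and lw.hdb), and clamscan on PATH only for the final scan_dir function; the sample log used in the comments is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of blazescan or lw-yara. Assumes Linux with GNU
# coreutils (md5sum, stat -c) and, only for scan_dir, clamscan on PATH.
# The rules directory layout (lw-rules_index.yar, lw.hdb) follows the
# clamscan command from the tutorial.

# Takes the first line of "clamscan --version", for example
# "ClamAV 0.100.2/25276/Thu Oct 25 09:17:23 2018", and succeeds when the
# version is 0.98 or newer (YARA rules passed with -d need 0.98+).
clam_version_ok() {
    local ver major minor
    ver=$(printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    minor=${minor%%.*}
    [ "$major" -gt 0 ] && return 0
    [ "$minor" -ge 98 ]
}

# Emit one .hdb hash signature line (md5:size:name), the same format that
# "sigtool --md5 FILE" prints, for a sample already confirmed malicious.
# Append such lines to a custom .hdb and hand it to clamscan with -d.
hdb_signature() {
    local file=$1 name=$2 md5 size
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(stat -c %s "$file")
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

# Paths flagged in a clamscan log written with -l; hit lines look like
# "/home/user/public_html/x.php: Php.Malware.Example FOUND" (constructed).
hits_from_log() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p' "$1"
}

# ctime and path for every hit, the information blazescan -t reports.
# ctime is the inode change time; unlike mtime it cannot be backdated with
# touch, so it is the more trustworthy timeline anchor in an investigation.
hit_ctimes() {
    local path
    hits_from_log "$1" | while IFS= read -r path; do
        if [ -e "$path" ]; then
            printf '%s %s\n' "$(stat -c %z "$path")" "$path"
        else
            printf 'missing %s\n' "$path"
        fi
    done
}

# Run the tutorial's clamscan command against a directory after checking
# the ClamAV version, then print the ctime of every hit. clamscan exits 1
# when it finds something, so do not run this under "set -e".
scan_dir() {
    local rules=$1 target=$2 log=${3:-/root/scanresults.txt}
    command -v clamscan >/dev/null || { echo "clamscan not found" >&2; return 1; }
    clam_version_ok "$(clamscan --version | head -n1)" \
        || { echo "ClamAV 0.98 or newer required" >&2; return 1; }
    clamscan -ir -l "$log" -d "$rules/lw-rules_index.yar" -d "$rules/lw.hdb" "$target"
    hit_ctimes "$log"
}

# Usage (hypothetical paths): ./scanhelper.sh --scan /root/lw-yara /home/user/public_html
if [ "${1:-}" = --scan ]; then
    scan_dir "$2" "$3"
fi
```

The version check matters because the -d database trick only works once clamscan can load YARA rules; older builds silently ignore them and you end up with the hash database alone. When you do add your own .hdb lines, keep them in a separate file from the upstream rules so that a git pull of lw-yara never overwrites them.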

Have questions or feedback, find me on twitter @laskow26.