So as of late, I’ve felt a little let down by my traditional malware scanners for my compromised web server investigations. I’ve used clamAV, Maldet, and an internal tool. But as with any AV product you’re tool is only as good as your signatures. And for that I feel lacking, and often have to run 3 different scans that each reveal different malware.
So I began to write my own AV rules based on yara, the sigtool utility for clamAV and the integrated support that clamscan 98+ has for using both of these rule sets in a custom malware database. As I began to share these rules with other administrators and investigators, I found it to be a little unwieldy. I would need to instruct them to download the rules, clamav, type out a custom string to run the scan like the following:
clamscan -ir -l /root/scanresults.txt -d /root/lw-yara/lw-rules_index.yar -d /root/lw-yara/lw.hdb /path/to/scan/
And then in all likelihood they would also need to run more scans in addition. Well no more, or at least less likely.
Want an easy way to run a scan on your server that integrate signatures from multiple places, and provides a bunch of nice features?
Check this out: https://github.com/Hestat/blazescan
The tool is designed to integrate with cpanel servers, but can be used in any linux environment with the -d flag.
Blazescan is a malware scanning tool that uses clamav and custom malware databases If you run blazescan without any arguments it will present a simple scanning menu -a will scan all cpanel accounts -u will scan the specified cpanel user -l will show the results of the last scan -t will display ctime of the hits in the last scan -d scan a directory of your choosing -h will display the help menu By default the scanner will use the rules at https://github.com/Hestat/lw-yara It will also use the maldet rules if installed http://www.rfxn.com/projects/linux-malware-detect/
To install simply:
git clone https://github.com/Hestat/blazescan.git cd blazescan ./install.sh
Then you can invoke with just using blazescan if you are on a cpanel server and it will populate a menu.
Not on a cpanel box, use the -d flag to specify the directory you would like to scan.
Have questions or feedback, find me on twitter @laskow26.