How to scan if Ubuntu is infected? server attack

Solution 1:

You could start with the following:

  1. clamav

  2. aide - it's not a malware scanner but an integrity tool, meaning you can check what files were changed since, say, yesterday.

  3. check open ports:

    sudo netstat -lpntu | less
    

If you have some wide open ones, restrict them by IP, for instance.

  4. also check the running services to make sure you don't have anything suspicious:

    pstree | less

    ps axu | less

  5. check cron tasks
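
The open-ports check above can be narrowed to the listeners that are bound to every interface. This is an added example, not part of the original answer: the function name `wide_open_listeners` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list listeners bound to every interface ("wide open")
# from `netstat -lpntu` output read on stdin.
# Output: one line per socket: proto port program

wide_open_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        # Local Address is field 4; the port follows the last colon.
        if (!match($4, /:[^:]*$/)) next
        addr = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        # Wildcard binds: IPv4 0.0.0.0, IPv6 ::, or "*" on some builds.
        if (addr != "0.0.0.0" && addr != "::" && addr != "*") next
        # UDP rows have an empty State column, so locate PID/Program by
        # pattern, not by position. "-" means the owner is hidden (no root).
        prog = "-"
        for (i = 6; i <= NF; i++)
            if ($i ~ /^[0-9]+\//) { prog = $i; break }
        print $1, port, prog
    }'
}

# Constructed sample output (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp        0      0 127.0.0.1:3306  0.0.0.0:*       LISTEN  1021/mysqld
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN  845/sshd
tcp6       0      0 :::80           :::*            LISTEN  1302/apache2
tcp6       0      0 ::1:631         :::*            LISTEN  990/cupsd
udp        0      0 0.0.0.0:68      0.0.0.0:*               702/dhclient
udp        0      0 0.0.0.0:5353    0.0.0.0:*               -
EOF
}

sample_netstat | wide_open_listeners
```

On a live host the same filter reads the real command: `sudo netstat -lpntu | wide_open_listeners`. Loopback-only services such as the `127.0.0.1:3306` row are left out because they are not reachable from the network.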

Solution 2:

Use ClamAV from Ubuntu; see the instructions here: https://help.ubuntu.com/community/ClamAV

It is very strange to have any kind of malware on Ubuntu, but if any known viruses have been installed, that should find them. However, I suspect that you do not use a static IP address and that the dynamically assigned IP address has been blocked prior to it being assigned to you. You should check and log your WAN IP address whenever you have the issue and when you don't, for comparison.

Solution 3:

Advice above looks good also.
Adding this: How to determine if mysterious programs in nethogs listing are malware?

Confirm nethogs info using netstat to NAME the calling Program

    # netstat -tapec
    Active Internet connections (servers and established)
    Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, User Inode, PID/Program name
    root@-:~ tcp 0 0 192.168.0.55:46092 stackoverflow.com:https ESTABLISHED 2360457 3618/firefox
    tcp 0 0 192.168.0.55:60884 ec2-35-160-7-16.u:https ESTABLISHED 35667 3618/firefox