How To Scan Your Web Servers For Malware With ISPProtect On CentOS/RHEL 6/7

With the advancement of digitization in the world along with India, every day lots of websites are coming up and these apps, websites data are hosted on web servers and therefore security is a big concern. In today’s scenario, most the websites are the result of CMS system like WordPress, Joomla, Drupal, Magento etc.

Now every day there are lots servers attacked with malware. These attackers exploit system flaws and infect the system with malware and because of such activities,  it is recommended to do sanity checks on regular basis.

ISPProtect scans for malware in website files and CMS systems like WordPress, Joomla, Drupal etc and by the end of this article, we will get aware of setting up ISPProtect


  1. My Server IP is 168.1.188
  2. OS – CentOS/RHEL 6/7
  3. PHP 5.4 preinstalled

Note: If you are a SUDO user then prefix every command with sudo, like #sudo ifconfig

ISPProtect Searching Area

  1. Signature-based malware scanner.
  2. Heuristic malware scanner.
  3. Scan outdated CMS systems installation dir
  4. Scan Outdated WordPress plugins of the whole server.
  5. Scan MySQL databases for malicious content.

Note: ISPProtect requires PHP  and it’s not free software but its free trial can be used to clean an infected system.

Step 1: Install ISPProtect

As mentioned earlier ISPProtect requires PHP and if PHP is not installed you can learn to install PHP. Now yu can install ISPProtect  using following command

# cd /tmp
# wget
# tar -xvzf ispp_scan.tar.gz
# rm -f ispp_scan.tar.gz
# mkdir /usr/local/malwarescan
# mv ispp_scan /usr/local/malwarescan
# chown -R root:root /usr/local/ispp_scan 
# chmod -R 750 /usr/local/ispp_scan 
# cd /usr/local/malwarescan 
# ln -s /usr/local/malwarescan/ispp_scan /usr/local/bin/ispp_scan

Step 2: Start Scan

Now we have successfully installed ISPProtect and made a soft link in /usr/local/bin for using it as a command in the whole system.  to start scan run following command and follow the procedure


First, the scanner will check for updates and prompt you for the key (you just need to enter the word “trial” ) soon after it will ask for your websites location i.e. /var/www/html in most of the cases. but you should enter your location.

Please enter scan key: <-- trial
Please enter path to scan: <-- /var/www/html

Now it will start the scan and will start showing you infected file at the end of the scan and these results get stored in log file present in the ISPProtect installation directory.

Malware => /usr/local/malwarescan/found_malware_20170616562429.txt
Wordpress => /usr/local/malwarescan/software_wordpress_20170616562429.txt.txt
Joomla => /usr/local/malwarescan/software_joomla_20170616562429.txt.txt
Drupal => /usr/local/malwarescan/software_drupal_20170616562429.txt.txt
Mediawiki => /usr/local/malwarescan/software_mediawiki_20170616562429.txt.txt
Contao => /usr/local/malwarescan/software_contao_20170616562429.txt.txt
Magentocommerce => /usr/local/malwarescan/software_magentocommerce_20170616562429.txt.txt
Starting scan level 1 ...

Step 3: Check Output and Set CRON

After the successful finish of scan you will see a list of several files and now you can figure out these infected files. To take a regular check you may set a Cron to do a malware check automatically for you. Do this follow these steps.

#crontab -e
15 00 * * * /usr/local/malwarescan/ispp_scan --update && /usr/local/malwarescan/ispp_scan --path=/var/www/html --email-results=youemail@domain-name --non-interactive --scan-key=trial

now save CRON with :wq!

Note: Do not forget to change your email id to get a detailed report.

Some Useful Information

1. Exclude files and logs from scan

#ispp_scan --exclude and --exclude-from arguments, e. g. to exclude all PNG files, type --exclude=”*.png” (case-sensitive)
#ispp_scan --exclude=”**/log/*.log”

2. Local whitelisting

You can add a file to the white list

#ispp_scan --whitelist=/path/of/file.php

By default, the white list is stored in ~/.ispp_scan.whitelist .You can change this path by adding the whitelist-path argument:

#ispp_scan --whitelist-path=/home/user/.ispprotect.wl --whitelist=/path/to/your/file.php

3. Ignoring malware types

#ispp_scan --ignore={ISPP}suspect.eval.base64

This would ignore all malware named {ISPP}suspect.eval.base64 (not recommended, of course)

Watch Video:

Coming Soon

You Must Read:

  1. Which one Is Better Apache Or Nginx?
  2. How To Install WordPress 4.7 With Nginx ON RHEL/CentOS 6/7 & Fedora
  3. How To Install Nagios 4.X Server/Client – Part 1
  4. How To Install PHP 5.6 Using YUM ON CentOS/RHEL 6/7?