
AntiVirus / Malware Recommendations for Amazon Linux

Tessando asked:
I have a Wordpress site running on a LAMP stack running in AWS EC2 that got compromised today. The hacker encrypted the small MySQL database with a Bitcoin address instead of the expected tables.

I would like to install some AntiVirus and Malware software as a future deterrent. It wouldn’t have done me a lot of good in this case, but I realized that the folks before me didn’t set this up.

1/ Do you have any recommendations for software that plays nicely with Amazon Linux (basically RedHat)?

2/ Do you have a favorite set of “go-to” installation and configuration instructions that you could share? I need something fairly simple to set up & automate updating heuristics and protecting the system.

Thanks for your help!

Principal Software Engineer
Commented:
<opinion>
Even with a virus scanner watching the system, it can only detect stuff already known to exist. Day Zero infections will still get you; there's no defense against those.

So I/M/O the prudent course is to accept that eventually a disaster will occur no matter what you do, and instead of fighting that -- plan for how to deal with it. Do daily full backups on offline media; keep them for at least 30 days. Offline media, because then an infection can't touch the backups.

Side note: Wordpress makes you an attractive target and there's not much that can be done about that other than a) keeping things up to date, b) banning all APNIC IP blocks, and c) using security modules for Apache such as mod_spamhaus, mod_nsf and mod_security.
</opinion>
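The daily, retained, off-box backup that this reply (and point 5 of David Favor's reply below) calls for, written out as an added example that is not code from either poster. It assumes a WordPress root under /var/www/html, a local staging directory /var/backups/wp, the mysqldump and aws CLIs on the instance, and a placeholder S3 bucket name; all of those are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Nightly WordPress backup: dump the
# database and archive the tree, keep RETAIN_DAYS of history locally, and push
# each set to a separate store the web server cannot delete from.
# All paths and the S3 bucket name are placeholders (assumptions).
set -eu

WP_DIR="${WP_DIR:-/var/www/html}"             # assumed WordPress root
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wp}"   # local staging area, root-only
RETAIN_DAYS="${RETAIN_DAYS:-30}"              # the reply recommends at least 30 days
OFFSITE="${OFFSITE:-s3://EXAMPLE-wp-backups}" # placeholder bucket, see note below

wp_config_value() {
    # Print the value of a define('NAME', 'value') line from wp-config.php,
    # so DB credentials are not duplicated in this script.
    # $1 = constant name, $2 = path to wp-config.php
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$2" | head -n 1
}

prune_old() {
    # Delete archives in $1 whose modification time is more than $2 days old.
    find "$1" -type f \( -name '*.sql.gz' -o -name '*.tar.gz' \) -mtime +"$2" -exec rm -f '{}' +
}

backup_wordpress() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    cfg="$WP_DIR/wp-config.php"
    db=$(wp_config_value DB_NAME "$cfg")
    user=$(wp_config_value DB_USER "$cfg")
    pass=$(wp_config_value DB_PASSWORD "$cfg")
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"

    # Consistent InnoDB snapshot; password via MYSQL_PWD so it never shows in `ps`.
    # Dump to a file first: under set -e a mysqldump failure then stops the
    # script, whereas a plain pipe into gzip would hide the error.
    sqlfile="$BACKUP_DIR/$db-$stamp.sql"
    MYSQL_PWD="$pass" mysqldump --single-transaction -u "$user" "$db" > "$sqlfile"
    gzip "$sqlfile"
    tar -czf "$BACKUP_DIR/wp-files-$stamp.tar.gz" -C "$(dirname "$WP_DIR")" "$(basename "$WP_DIR")"

    # Off-box copy. The instance role should be allowed s3:PutObject but not
    # s3:DeleteObject on this bucket, so ransomware on the host cannot wipe history.
    aws s3 cp "$sqlfile.gz" "$OFFSITE/$stamp/"
    aws s3 cp "$BACKUP_DIR/wp-files-$stamp.tar.gz" "$OFFSITE/$stamp/"

    prune_old "$BACKUP_DIR" "$RETAIN_DAYS"
}

case "${1:-}" in
    run) backup_wordpress ;;   # root crontab, e.g.: 30 2 * * * /usr/local/sbin/wp-backup.sh run
esac
```

The local pruning only bounds disk use on the instance; the 30-day (or longer) retention that actually matters lives on the bucket side, where a lifecycle rule expires old objects and the host's credentials cannot delete them. Restore is the reverse: fetch a set from the bucket, `gunzip` the dump into a fresh database, and unpack the tarball over a clean install.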
David Favor, Fractional CTO, Distinguished Expert 2019

Commented:
1) I have a Wordpress site running on a LAMP stack running in AWS EC2 that got compromised today. The hacker encrypted the small MySQL database with a Bitcoin address instead of the expected tables.

Happens for many reasons. Most common reasons - Running old software (Kernel/PHP/WordPress). Running any clear text login on system, like FTP not SFTP or HTTP not HTTPS. Using easily cracked passwords. Using common user/pass across many sites, where another site is hacked then the info is used to hack your site.

You must close all these holes first or hacks will reoccur.

2) I would like to install some AntiVirus and Malware software as a future deterrent. It wouldn’t have done me a lot of good in this case, but I realized that the folks before me didn’t set this up.

Won't help. As Dr. Klahn mentions, these only show a site has been hacked after the hack has occurred + potentially destroyed your system.

3) Do you have any recommendations for software that plays nicely with Amazon Linux (basically RedHat)?

See #2.

4) Do you have a favorite set of “go-to” installation and configuration instructions that you could share? I need something fairly simple to set up & automate updating heuristics and protecting the system.

Yes.

Recently there are some very ugly hacks going around. Here's what I've started doing for projects.

cd /path-to-wordpress-install

chown -R root:root .

chown -R www-data:www-data wp-content/uploads
chown -R www-data:www-data wp-content/cache

This locks files to only allow Apache to write upload files + cache files.

5) The only way back from any harsh hack is to restore a clean backup.

No one can ever be smarter than 1,000,000s of hackers attacking sites continuously.

You just have to be prepared to restore a backup when required.

This means you must store backups on an external machine, lest your backups be encrypted in a ransomware attack.