How do I Boot into Rescue Mode and run a malware scan on my Linode?

Linode Staff

There has been some activity on my Linode that resulted in an abuse complaint and I don't know how to look into it.

3 Replies

Investigating suspicious activity on a Linode can take multiple steps and some serious time. Below I have provided step-by-step instructions on how to complete a scan of your system using ClamAV.

Scanning your system with ClamAV is a great start to investigating suspicious activity, as it checks against a large database that is constantly updated and it is automated once started. However, there are times when it will not be able to locate some malware and compromises. In those cases, more manual investigation will be necessary.

  1. Power Down your Linode
  2. Boot Into Rescue Mode, choose "Your Disk Name" for /dev/sda, and "Swap Disk Name" for /dev/sdb.
    • If network restrictions have been applied to your Linode due to an abuse ticket you will need to reply in that support ticket that you have completed booting into Rescue Mode so the restrictions can be removed before proceeding.
  3. Launch the Console by clicking the Launch Console button across from your Linode's name once that Linode is selected.
  4. Mount your Disk using the following command:
    • mount -o exec,barrier=0 /dev/sda
  5. Change Root with the following commands:
    • cd /media/sda
    • mount -t proc proc proc/
    • mount -t sysfs sys sys/
    • mount -o bind /dev dev/
    • mount -t devpts pts dev/pts/
    • chroot /media/sda /bin/bash
    • exit
  6. Install ClamAV using the commands below:
    • gpg --keyserver keys.gnupg.net --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
    • gpg -a --export B7D453EC | apt-key add -
    • gpg -a --export 22F3D138 | apt-key add -
    • apt update
    • apt install clamav
    • freshclam
    • mount -o barrier=0 /dev/sda
  7. Scan Your System following these commands:
    • mkdir -p /media/sda/clamav/log/
    • mkdir -p /media/sda/clamav/quarantine/
    • clamscan -r --log=/media/sda/clamav/log/scan.log --move=/media/sda/clamav/quarantine /media/sda
  8. Once the scan is complete, you can review the logs here /media/sda/clamav/log/scan.log and any malware found will be quarantined here /media/sda/clamav/quarantine/.

*If the scan is randomly killed in the middle of scanning your files, you have 2 options you can turn to in order to successfully complete a scan.

1. Create a swapfile

  • To create a swapfile, input the commands below in order:
    • sudo dd if=/dev/zero of=/swapfile bs=1024 count=1048576
    • sudo chmod 600 /swapfile
    • sudo mkswap /swapfile
    • sudo swapon /swapfile
  • Verify that the swapfile is mounted:
    • sudo swapon --show

Once you are done in Rescue Mode this swap file can simply be deleted like any other file. It will not result in any negative effects.

2. Resize your Linode to a larger plan, which will increase the amount of resources you have so the scan will complete. This route would be ideal if you planned on resizing your Linode or could benefit from a resize. You can always resize down at a later time too.

Upon completion you will see the Scan Summary (actual example below).

----------- SCAN SUMMARY -----------
Known viruses: 6501230
Engine version: 0.101.4
Scanned directories: 25074
Scanned files: 70811
Infected files: 0
Total errors: 16363
Data scanned: 2110.13 MB
Data read: 1961.69 MB (ratio 1.08:1)

You can further investigate any malware that was quarantined during the scan or simply remove it from your system.

You can find additional resources for investigation and security suggestions here.
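A small helper, added here as an example and not part of the original answer or of Linode's tooling, that reads the scan.log written in step 7 and turns the SCAN SUMMARY into a verdict: infected (something was quarantined), clean but with unscanned files (the "Total errors" count), or no summary at all, which is what a scan killed mid-run leaves behind. The log contents and the signature name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original answer): turn the scan.log written in
# step 7 into a verdict. Exit codes follow clamscan's convention (0 clean,
# 1 infected, 2 errors only); 3 is our own code for "summary missing", which is
# what a scan killed mid-run leaves behind.

# Constructed sample log: one detection moved to quarantine plus a summary block
# shaped like the one in the answer above (signature name is a placeholder).
SAMPLE_LOG_FILE=$(mktemp)
cat >"$SAMPLE_LOG_FILE" <<'EOF'
/media/sda/var/tmp/.x/run.sh: Example.Signature.Name FOUND
/media/sda/var/tmp/.x/run.sh: moved to '/media/sda/clamav/quarantine/run.sh'
/media/sda/etc/hostname: OK
----------- SCAN SUMMARY -----------
Scanned files: 70811
Infected files: 1
Total errors: 16363
EOF
# Constructed log of a scan that was killed mid-run: no summary block at all.
KILLED_LOG_FILE=$(mktemp)
printf '/media/sda/etc/hostname: OK\n' >"$KILLED_LOG_FILE"

# summary_field LOG "Field name": prints that summary line's value (empty if absent).
summary_field() { sed -n "s/^$2: //p" "$1" | head -n 1; }

# found_files LOG: one path per "... FOUND" line (signature names never contain ':').
found_files() { grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'; }

# scan_verdict LOG: prints a one-line verdict and returns the exit code above.
scan_verdict() {
    infected=$(summary_field "$1" 'Infected files')
    errors=$(summary_field "$1" 'Total errors')
    if [ -z "$infected" ]; then
        echo "no SCAN SUMMARY in $1: scan did not finish; add swap or resize, then rerun"
        return 3
    elif [ "$infected" -gt 0 ]; then
        echo "INFECTED: $infected file(s) quarantined, review: $(found_files "$1" | tr '\n' ' ')"
        return 1
    elif [ "${errors:-0}" -gt 0 ]; then
        echo "no detections, but $errors file(s) could not be scanned; check the log"
        return 2
    fi
    echo "clean: $(summary_field "$1" 'Scanned files') files scanned"
    return 0
}

scan_verdict "$SAMPLE_LOG_FILE" || echo "exit status: $?"
scan_verdict "$KILLED_LOG_FILE" || echo "exit status: $?"
```

A large "Total errors" value, as in the summary shown above, means that many files were never scanned, so a clean result should be read together with the error lines in the log.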

I placed my Linode in Rescue Mode, but I am unable to mount it.
root@finnix:~# mount -o exec,barrier=0 /dev/sda
mount: /dev/sda: can't find in /etc/fstab.

It worked with the help of the support team. Thanks!

Since we published this post, we've made it easier for customers to run a ClamAV scan of their Linode. We've included a script in our Finnix image that automates the mounting of disks, installing and updating ClamAV, and then running the scan. To utilize this script, all you need to do is boot into Rescue Mode and then issue the command linode_clam.

If you want to learn more about this, check out our documentation:
Automated ClamAV System Scanning
