Detect and Remove Malware from Web Server
1. Motives for Placing Malware on a Web Server
2. Different Types of Malware for Web Servers
3. Detecting Malware and Malicious Software on a Web Server
4. Removing Malware and Preventing Further Malware on a Web Server
Malware targeting a web server differs in several respects from typical malware such as viruses or trojans that target personal or commercially used desktop PCs and laptops. This is partly because web servers predominantly run Linux as their operating system, and partly because commercial web servers are typically protected by elaborate security measures. Removing malware or malicious software without causing at least a temporary server outage is always a challenging and often impossible task.
Motives for Placing Malware on a Web Server
A web server consists of publicly accessible webspace, partially protected areas such as special pages for customers, users, or participants, local software inaccessible from the outside, and information such as databases. The technique the malware or malicious software uses depends on the operating system the web server runs. Regardless of the technique, attackers always pursue the same goals, which fall broadly into the following categories:
- Resource Usage: The web server is intended to be used for illegal purposes - such as storing pirated copies on the web space, for file sharing, distributing malware, or similar activities. The necessary malware for this purpose is discreetly installed in the background.
- Data Theft: Confidential data is remotely copied, intercepted when entered by visitors or administrators, or stolen in the form of databases. Additionally, malware can be installed here and in many cases can be expanded modularly.
- Website Alteration/Defacing: Defacing involves infiltrating an official web space of organisations or authorities and replacing its content with one's own. The motive behind these attacks usually does not involve direct financial gain or the placement and distribution of malware.
- Infiltration of Internal Confidential LAN Networks: In this scenario, the web server serves as a bridge for criminals between the internet and a connected CDN server or the intranet of a company or authority. Since internal servers are often isolated by strict security measures, intrusion is only possible from a trusted node that also has external access - for example, a web server carrying malware.
- Installation of Foreign Services: The web server serves as a free server for a third party to operate their own services - usually those with high data usage like video streaming or file sharing, or high computational requirements like cryptocurrency mining - through malware and malicious software.
- Espionage and Extortion: For many companies, prolonged or repeated web server outages caused by malware or malicious software pose an existential financial risk, which makes them a target for extortion. Since 2015, attacks that encrypt data and demand a ransom for its recovery have also increased significantly.
- Information Gathering: With a backup copy of a web space on their own web server, criminals can analyse its security measures, plan targeted attacks, design specific malware and malicious software, or host an authentic copy of the page for phishing fraud. For this reason, a backup of a popular homepage is traded on the black market and in anonymous forums, sometimes for high prices.
The attacks on a web server or web space and the installation of malware are rarely targeted. Instead, the vast majority are based on widespread scanning of the internet and searching for vulnerabilities in security measures through which malware can be discreetly installed on the server. The victims of such cybercrime are therefore random, practically threatening every web space owner. An easy countermeasure is outsourcing administration and external server monitoring, for example through a Managed VPS hosting. This way, especially small and medium-sized businesses save the often high costs of employing their own IT specialists or external support and consulting.
Various Types of Malware for Web Servers
The ability to remove malware depends on its type. Depending on its approach and purpose, malware embeds itself in the programs of a web server or the operating system and often cannot be fully traced without significant effort. To secure access to the server, malware often spreads across multiple instances and provides the attacker with different backdoors for access. The malware can consist of complex and self-disguising programs, altered services, or simple scripts. Some commonly used methods include:
- Specialized malware and viruses, trojans, or ransomware
- Remote desktop control programs like VNC
- Remote administration tools (RAT)
- Additional logins with enhanced rights within the web server operating system
- Scripts for automatic connection establishment or port opening
- Altered utilities with universal, global file access
In a complex attack, perpetrators usually combine malware with altered rights on the web server, making the operating system vulnerable through inconspicuous standard utilities. For example, if a text editor is granted global access rights, every configuration file on the server can then be changed manually through it. In this case, the malware consists of nothing more than a small change in access rights; access can be gained through a single account with seemingly few permissions or even through free visitor access. To remove this malware, setting the correct permissions or reinstalling the software package is sufficient.
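The altered-rights scenario above can be checked with a small permission audit. The following script is an added example, not code from the original article: it walks a directory tree and reports setuid/setgid files that are not on an assumed allowlist, plus any world-writable file. The tree it scans is constructed in a temporary directory inside `demo()`, and the file names there are made up for illustration.

```python
import os
import stat
import tempfile

# Reasons reported by the audit
SETUID = "setuid/setgid bit set"
WORLD_WRITABLE = "world-writable"


def audit_permissions(root, expected_setuid=frozenset()):
    """Walk ROOT and report regular files whose mode hands out broad
    access: setuid/setgid files not listed in EXPECTED_SETUID (paths
    relative to ROOT) and any world-writable file.
    Returns a sorted list of (relative_path, reason)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and rel not in expected_setuid:
                findings.append((rel, SETUID))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, WORLD_WRITABLE))
    return sorted(findings)


def demo():
    """Build a constructed sample tree and run the audit over it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "bin/passwd": 0o4755,    # legitimately setuid, on the allowlist
            "bin/editor": 0o4755,    # a text editor given setuid: the case above
            "etc/site.conf": 0o666,  # config that any local account can rewrite
            "etc/ok.conf": 0o644,    # sane permissions, not reported
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return audit_permissions(root, expected_setuid={"bin/passwd"})
```

Run `audit_permissions("/", expected_setuid=...)` with the distribution's known setuid binaries as the allowlist to apply the same check to a real host.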
So-called Remote Administration Tools (RATs) are actually used for central control and enable the convenient setup of numerous servers through a single interface. They are a useful tool for administrators, but can easily be abused as malware. The positive aspect is that this malicious software can be removed by uninstalling or deleting the corresponding program. For this reason, RATs often appear in combination with "real" malware.
"Real" malware consists of a program that deliberately hides from detection by antivirus software, conceals its existence, and performs unwanted operations on the server or in the CDN. It typically communicates through a hardcoded URL, anonymously registered, where a web server waits for requests and sends commands to the malware in response. This malware is often modular in structure and loads additional functions depending on the environment after infecting the web server. Additionally, built-in routines prevent the malware from being removed without damaging the server's operating system. The consequence is often residual malware or a server outage.
Detecting Malware and Malicious Software on a Web Server
Before malware can be removed, its existence must be definitively proven. There are different approaches to diagnosing malware or a successful attack on a server, and they vary in precision and in the monitoring method used. For example, external monitoring can be achieved through server monitoring, which covers not only accessibility and performance but also the availability of services and the ports they use. "Real" malware in particular often communicates through seemingly random five-digit port numbers that are almost never used by legitimate services. An alternative to server monitoring is regularly conducted port scans covering the range from port 1025 to port 65535. Internal methods for detecting malware on a server include:
- Thorough analysis and evaluation of log files for unusual activities
- Monitoring of running processes on a server for suspicious programs
- Control of registered users and their assigned access rights
- Comprehensive server monitoring of bandwidth, data volumes, and established connections
- Regular checking of the file system for file changes
- Regular virus scanning of the web server and operating system
- Precise determination of causes in case of temporary server outage
- Checking the web space for configuration or file manipulation
Many of these tasks can be automated and taken over by internal and external server monitoring, which only alerts the administrator in case of suspicion. Some indications of malware installation on a server can be indirectly deduced from these logs. Typical signs include a brief server outage due to an unexpected restart, direct alteration of logs including missing entries over a longer period, or the establishment of connections from dubious sources.
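The "unusual port" and "established connections" checks above can be automated by comparing the host's listening sockets against a baseline. The script below is an added example, not part of the original article: it parses `ss -ltnp`-style output (a constructed sample is embedded; the high-port `kworkerd` listener in it is made up to mimic a process name that hides among kernel threads) and flags listeners that are not in the assumed baseline, or that are served by a different program than the baseline expects.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output (listening TCP sockets only).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1200,fd=6))
LISTEN  0       511     *:443                *:*                users:(("python3",pid=1377,fd=5))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=990,fd=21))
LISTEN  0       128     0.0.0.0:41983        0.0.0.0:*          users:(("kworkerd",pid=2231,fd=4))
"""

# Assumed baseline for this host: port -> process expected to own it.
EXPECTED = {22: "sshd", 80: "nginx", 443: "nginx", 3306: "mysqld"}

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(text):
    """Parse `ss -ltnp` output into Listener records, skipping the header.
    ss only fills the Process column for sockets it may inspect, so run it
    as root or the name comes back as '?'."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:3306 too
        m = PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED):
    """Return (port, process, reason) for each listener outside the baseline
    or owned by a different program than the baseline says."""
    findings = []
    for lsn in listeners:
        if lsn.port not in expected:
            kind = "port above 1024" if lsn.port > 1024 else "privileged port"
            findings.append((lsn.port, lsn.process, f"unexpected listener ({kind})"))
        elif expected[lsn.port] != lsn.process:
            findings.append((lsn.port, lsn.process, f"expected {expected[lsn.port]}"))
    return findings
```

On a live host, feed `subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout` into `parse_ss` and alert on a non-empty result from `unexpected_listeners`.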
Removing Malware and Eliminating Further Threats
Removing a single piece of malware from a server can usually be done without causing an outage. The challenge, however, lies in ruling out the existence of further malware. When an attacker gains initial access to a server or web space, they typically install additional backdoors to retain control in case the initial vulnerability is closed. A thorough forensic investigation and analysis of the web server and operating system are therefore essential. The effort required for such an examination often exceeds that of a complete reinstallation, which in turn may mean a server outage.
A common approach is therefore to temporarily switch services to another clean server, such as a cost-effective managed VPS hosting, while the web server is being rebuilt. This method ensures that the server outage is not publicly noticeable, allowing uninterrupted operation to continue.
Photo: TheDigitalArtist pixabay.com