Cleaning a virus off a Samba Share.

One of the problems of running a Samba share on Linux is that occasionally one of the Windows machines accessing it will get a virus, and infect all the files on the share. You can use one of the AV tools to do this of course, (Clam AV, AVG and Kaspersky all have them these days) but they’re pretty slow generally.

I noticed at one client that the virus was putting exe files into directories, with the same name as the containing directory eg.it would create the file /share/Software/Software.exe.

So the first thing to do is to see who is creating them. Here we go …

cd share
ls -al Software 
-rw------   1 tom tom     150304 2011-07-13 14:03 Software.exe

OK, so Tom clearly needs a talking to, and his machine needs to be cleared.

Next thing to do is to find out what the virus is. I uploaded a copy to virustotal.com and found out what it was. This will help me to find a tool to clean the machine – the dedicated removal tools are often quicker than the full virus scans.

Now to clean up the server … After looking at a few of these, and realising that there were thousands on the file, I realised that they were all the same size: 150304 bytes long. OK, so we can find all the files in the recursed subdirectories like this.

find share/ -name '*.exe' -size 150304c

And then when we’re satisfied that the results only contain infected files, we can remove them with this:

find share/ -name '*.exe' -size 150304c -exec rm {} \;

Done deal …

Leave a Comment