Opterius includes a malware scanner built into the Go agent binary. The detection patterns are compiled in at build time rather than read from a file on disk, so a compromised hosting account has nothing it can edit or delete to disable them. The scanner inspects PHP and other script files for known malicious patterns and webshell signatures.
What the scanner detects
| Category | Patterns |
|---|---|
| Obfuscated execution | eval(base64_decode(, the classic idiom for hiding a payload in PHP malware |
| Dangerous functions in unexpected locations | shell_exec, passthru, system — flagged when found outside legitimate plugin or framework contexts |
| Known webshell signatures | c99shell, r57shell, WSO webshell — matched by both filename and content signature |
| Legacy code-execution sinks | preg_replace() with the /e modifier (removed in PHP 7.0, so any current use is a strong malware signal), assert() called on user input |
Severity levels: Critical (active webshell or obfuscated exec), High (dangerous function in suspicious context), Medium (pattern that warrants review), Low (potentially unsafe but common in legitimate code).
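The detection and severity logic in the table above, written out as an added example in Go. This is not the agent's own code: the rule set, the severity mapping and the demotion of dangerous-function hits under vendor/framework directories (to stand in for "flagged when found outside legitimate contexts") are assumptions chosen to illustrate the categories, and the report records each file's mtime so recently changed files stand out.

```go
// Added example, not the Opterius agent's own code: a minimal PHP malware
// scanner shaped like the one described above. The rule list, the severity
// mapping and the trusted-directory demotion are illustrative assumptions.
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

type Severity string

const (
	Low      Severity = "Low"
	Medium   Severity = "Medium"
	High     Severity = "High"
	Critical Severity = "Critical"
)

type Rule struct {
	Category string
	Re       *regexp.Regexp
	Severity Severity
}

// Compiled at start-up, never read from a file the hosting account could edit.
var rules = []Rule{
	{"Obfuscated execution", regexp.MustCompile(`eval\s*\(\s*base64_decode\s*\(`), Critical},
	{"Known webshell signature", regexp.MustCompile(`(?i)c99shell|r57shell|WSO\s+webshell`), Critical},
	{"Dangerous function", regexp.MustCompile(`\b(shell_exec|passthru|system)\s*\(`), High},
	{"preg_replace /e modifier", regexp.MustCompile(`preg_replace\s*\(\s*['"][^'"]*/[a-zA-Z]*e[a-zA-Z]*['"]`), Critical},
	{"assert() on user input", regexp.MustCompile(`assert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b`), Critical},
}

// Directories where shell_exec/system are routine in legitimate code (assumed
// list); a "Dangerous function" hit under them is reported at Low, not High.
var trustedDir = regexp.MustCompile(`/(vendor|wp-includes|wp-admin)/`)

type Finding struct {
	Path, Category, Match string // Match is the literal text that fired the rule
	Severity              Severity
	Modified              time.Time
}

// scanContent applies every rule to one file's bytes, so it can be exercised
// without touching the filesystem.
func scanContent(path string, content []byte, mtime time.Time) []Finding {
	var out []Finding
	for _, r := range rules {
		m := r.Re.Find(content)
		if m == nil {
			continue
		}
		sev := r.Severity
		if r.Category == "Dangerous function" && trustedDir.MatchString(filepath.ToSlash(path)) {
			sev = Low
		}
		out = append(out, Finding{path, r.Category, string(m), sev, mtime})
	}
	return out
}

// scanDir walks one account's home, scanning every PHP-like file and keeping
// its mtime so the report can surface recently changed files.
func scanDir(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		ext := strings.ToLower(filepath.Ext(path))
		if ext != ".php" && ext != ".phtml" && ext != ".inc" {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		content, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		all = append(all, scanContent(path, content, info.ModTime())...)
		return nil
	})
	return all, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := scanDir(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %-26s %s  [%s]  modified %s\n", f.Severity, f.Category, f.Path, f.Match, f.Modified.Format(time.RFC3339))
	}
}
```

Run it as `go run scan.go /home/alice` to walk one account. Note that the /e and assert() rules use the first match only and the dangerous-function rule is demoted purely by path, which is exactly the kind of context heuristic that produces the Low-severity hits on legitimate framework code the page warns about: treat those as review items, not verdicts.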
Running a scan
Server Mode → Security → Malware Scan.
Two scan modes are available:
- Scan a specific account — targets one account's home directory. Faster, use when you suspect a specific site.
- Scan all accounts — walks every account's home directory. Use for routine scheduled checks or after a server incident.
Click Start Scan. The scan runs via the agent and reports results in real time as files are processed.
Reviewing scan results
Results are listed as a table with:
| Column | Description |
|---|---|
| File path | Absolute path to the suspicious file |
| Match | The specific pattern that triggered the detection |
| Severity | Critical / High / Medium / Low |
| Account | Which hosting account owns the file |
| Last modified | When the file was last changed |
Compare Last modified with the account's deployment history: a PHP file that changed during an otherwise quiet period, especially under a directory that should hold no executable code such as wp-content/uploads/, is more likely injected malware than part of the application. Treat the timestamp as a hint rather than proof, since an attacker can reset mtime with touch, so an old-looking file can still be new.
Taking action on flagged files
For each result you can:
Quarantine
Moves the file to a .quarantine/ directory within the account's home:
/home/alice/domain.com/public_html/wp-content/uploads/shell.php
→ /home/alice/.quarantine/2026-04-08/shell.php
The file is preserved for forensic review but is no longer served by the web server. Use this when you are not certain whether the file is legitimate. Quarantine only removes the file from the web root; it does not close whatever let the attacker write it there, so rotate the account's credentials and check how the file arrived before treating the incident as over.
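How a quarantine move with the layout shown above can be implemented, as an added example that is not the agent's own code. The containment check (refusing files that resolve outside the account home), the numeric suffix on name collisions, and the 0600 mode on the quarantined copy are assumptions added here; the agent may handle these differently.

```go
// Added example, not the Opterius agent's own code: a quarantine move that
// produces the layout described above. The containment check, the numeric
// collision suffix and the 0600 mode are assumptions for illustration.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

var errOutsideHome = errors.New("refusing to quarantine a file outside the account home")

// quarantine moves target into <home>/.quarantine/<YYYY-MM-DD>/ and returns
// the new path. It never overwrites: a name clash gets a numeric suffix.
func quarantine(home, target string, now time.Time) (string, error) {
	// Resolve symlinks on both sides so the containment check compares real paths.
	realHome, err := filepath.EvalSymlinks(home)
	if err != nil {
		return "", err
	}
	realTarget, err := filepath.EvalSymlinks(target)
	if err != nil {
		return "", err
	}
	// Containment: a symlink or ".." in the reported path must not let a
	// quarantine action on this account move files belonging to another one.
	rel, err := filepath.Rel(realHome, realTarget)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideHome
	}
	info, err := os.Lstat(realTarget)
	if err != nil {
		return "", err
	}
	if !info.Mode().IsRegular() {
		return "", fmt.Errorf("%s is not a regular file", target)
	}
	dir := filepath.Join(realHome, ".quarantine", now.Format("2006-01-02"))
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	base := filepath.Base(realTarget)
	dest := filepath.Join(dir, base)
	for i := 1; ; i++ {
		_, err := os.Lstat(dest)
		if errors.Is(err, os.ErrNotExist) {
			break
		}
		if err != nil {
			return "", err
		}
		dest = filepath.Join(dir, fmt.Sprintf("%s.%d", base, i))
	}
	// Rename keeps the inode and its mtime intact for forensic review. It only
	// works within one filesystem, which holds here: both paths are under home.
	if err := os.Rename(realTarget, dest); err != nil {
		return "", err
	}
	// Drop execute and group/other bits: the copy is evidence, not a script.
	if err := os.Chmod(dest, 0o600); err != nil {
		return dest, err
	}
	return dest, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: quarantine <account-home> <file>")
		os.Exit(2)
	}
	dest, err := quarantine(os.Args[1], os.Args[2], time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, "quarantine failed:", err)
		os.Exit(1)
	}
	fmt.Println(os.Args[2], "->", dest)
}
```

The move is a rename rather than a copy-and-delete so the original inode, and with it the mtime you used to triage the file, survives into the quarantine directory. Because the quarantine directory still lives inside the account's home, anyone with shell or FTP access to that account can read it or move it back; quarantine is a containment step, not an access revocation.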
Delete
Permanently removes the file. Use when you are confident the file is malicious (e.g. a clear webshell with no legitimate purpose).
[!WARNING] Review flagged files before deleting. The scanner may flag legitimate plugin or framework code that uses
shell_exec or similar functions in appropriate contexts. When in doubt, quarantine rather than delete.
Triggering a scan via the agent API
The panel calls the agent endpoint directly. For scripted or automated scanning:
curl -X POST http://localhost:8444/security/scan \
-H "Authorization: Bearer $AGENT_TOKEN" \
-H "Content-Type: application/json" \
-d '{"username": "alice"}'
Omit username (send an empty object, {}) to scan all accounts.
Scheduling regular scans
Malware is often injected quietly and sits dormant. Run scans on a schedule: weekly at minimum, daily if any account hosts high-traffic WordPress sites. You can automate scans with a server cron job. A crontab entry must fit on a single line, since cron does not treat a trailing backslash as a continuation, and the token file it reads should be readable by root only:
# /etc/cron.d/opterius-malware-scan: every Sunday at 03:00 (use 0 3 * * * for daily)
0 3 * * 0 root curl -sS --fail -X POST -H "Authorization: Bearer $(cat /opt/opterius-agent/token)" -H "Content-Type: application/json" -d '{}' http://localhost:8444/security/scan >> /var/log/opterius-scan.log 2>&1
The -sS --fail flags keep the log quiet on success but record an error line when the agent is down or rejects the token, so a silently failing schedule shows up in the log.
See Security Best Practices for a full hardening checklist.