HostOnNet Blog

Installing Linux Malware Detect (maldet)

Linux Malware Detect (LMD), also called maldet, is a tool for scanning a server for malware.

You can download Linux Malware Detect from

https://www.rfxn.com/projects/linux-malware-detect/

Installing LMD

cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar zxvf maldetect-current.tar.gz
cd maldetect-*
./install.sh

LMD is installed in /usr/local/maldetect/.

You can run it with the command maldet.

Configure LMD

Edit conf.maldet

vi /usr/local/maldetect/conf.maldet

You need to modify the following settings:

email_alert=1
email_addr="you@domain.com"
email_ignore_clean=1
quarantine_suspend_user="0"

If you set quarantine_suspend_user to 1, the site is automatically suspended when malware is detected. This is useful, but enable it only if your server is already malware free.
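Applying the settings above from a script, as an added example that is not from the original post or the maldet project; it assumes conf.maldet consists of plain KEY=VALUE lines as shown, and the sample conf contents and the admin@example.com address are constructed for the demo:

```shell
#!/bin/sh
# Added example (not from the post or the maldet project): idempotently apply
# the conf.maldet settings described above.
# Assumption: conf.maldet is plain KEY=VALUE lines, possibly commented out.

# set_conf FILE KEY VALUE: rewrite an existing KEY=... line (even a commented
# one) in place, or append KEY=VALUE when the key is absent.
# VALUE must not contain the characters | & or \ (sed delimiter/escapes).
set_conf() {
    file=$1; key=$2; value=$3
    if grep -q "^[#[:space:]]*${key}=" "$file"; then
        sed "s|^[#[:space:]]*${key}=.*|${key}=${value}|" "$file" > "${file}.tmp" \
            && mv "${file}.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf FILE KEY: print the live (uncommented) value, quotes stripped.
get_conf() {
    sed -n "s|^${2}=||p" "$1" | tail -n 1 | tr -d '"'
}

# configure_maldet FILE EMAIL: the four settings from this post. The user
# suspension stays at "0" until a clean baseline scan has been confirmed.
configure_maldet() {
    set_conf "$1" email_alert 1
    set_conf "$1" email_addr "\"$2\""
    set_conf "$1" email_ignore_clean 1
    set_conf "$1" quarantine_suspend_user '"0"'
}

# build_sample_conf FILE: constructed stand-in for conf.maldet, used offline.
# email_addr is commented out and email_ignore_clean is missing on purpose.
build_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample conf.maldet (not the real file)
email_alert=0
#email_addr="you@domain.com"
quarantine_suspend_user="0"
EOF
}

# Demo: build the sample, apply the settings, and show the result.
demo=$(mktemp)
build_sample_conf "$demo"
configure_maldet "$demo" admin@example.com
cat "$demo"
rm -f "$demo"
```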

ClamAV

If the ClamAV antivirus is installed on your server, maldet will also use it as a scan engine. You can install ClamAV through WHM > Plugins.

Automated Scanning

By default maldet scans for malware daily. It is run by the cron job

/etc/cron.daily/maldet

Scanning A Web Site

To scan a web site for malware, run:

maldet -a /home/USERNAME/public_html

LMD Help

root@server74 [~]# maldet --help
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks (C) 2013, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 2015071920693
usage /usr/local/sbin/maldet [ OPTION ]
-b, --background
Execute operations in the background, ideal for large scans
e.g: maldet -b -r /home/?/public_html 7

-u, --update
Update malware detection signatures from rfxn.com

-d, --update-ver
Update the installed version from rfxn.com

-m, --monitor USERS|PATHS|FILE
Run maldet with inotify kernel level file create/modify monitoring
If USERS is specified, monitor user homedirs for UID's > 500
If FILE is specified, paths will be extracted from file, line spaced
If PATHS are specified, must be comma spaced list, NO WILDCARDS!
e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/mike,/home/ashton

-k, --kill
Terminate inotify monitoring service

-r, --scan-recent PATH DAYS
Scan files created/modified in the last X days (default: 7d, wildcard: ?)
e.g: maldet -r /home/?/public_html 2

-a, --scan-all PATH
Scan all files in path (default: /home, wildcard: ?)
e.g: maldet -a /home/?/public_html

-c, --checkout FILE
Upload suspected malware to rfxn.com for review & hashing into signatures

-l, --log
View maldet log file events

-e, --report SCANID email
View scan report of most recent scan or of a specific SCANID and optionally
e-mail the report to a supplied e-mail address
e.g: maldet --report
e.g: maldet --report list
e.g: maldet --report 050910-1534.21135
e.g: maldet --report SCANID user@domain.com

-s, --restore FILE|SCANID
Restore file from quarantine queue to orginal path or restore all items from
a specific SCANID
e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
e.g: maldet --restore 050910-1534.21135

-q, --quarantine SCANID
Quarantine all malware from report SCANID
e.g: maldet --quarantine 050910-1534.21135

-n, --clean SCANID
Try to clean & restore malware hits from report SCANID
e.g: maldet --clean 050910-1534.21135

-U, --user USER
Set execution under specified user, ideal for restoring from user quarantine or
to view user reports.
e.g: maldet --user nobody --report
e.g: maldet --user nobody --restore 050910-1534.21135

-co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
Set or redefine the value of conf.maldet config options
e.g: maldet --config-option email_addr=you@domain.com,quar_hits=1

-p, --purge
Clear logs, quarantine queue, session and temporary data.
root@server74 [~]#


Posted in Cpanel Server