How to install Linux Malware Detect – Maldet on CentOS 7


LINUX MALWARE DETECT

Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, that is designed around the threats faced in shared hosting environments. It uses threat data from network-edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Further threat data comes from user submissions via the LMD checkout feature and from malware community resources. The signatures LMD uses are MD5 file hashes and HEX pattern matches (the signature pack installed below also carries YARA rules, as the update output shows); they are also easily exported to other detection tools such as ClamAV.

Home page:
https://www.rfxn.com/projects/linux-malware-detect/

Installation:

Step 1:

cd /root

Step 2:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Note: the same file is served at https://www.rfxn.com/downloads/maldetect-current.tar.gz. Use the https URL in practice: install.sh is run as root in Step 4, and an archive fetched over plain HTTP can be replaced in transit. The output below was captured with the http URL.

Result:

[root@tutorialspots ~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--2019-08-04 08:26:22--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
Resolving www.rfxn.com (www.rfxn.com)... 2606:4700:30::681f:5d85, 2606:4700:30::681f:5c85, 104.31.92.133, ...
Connecting to www.rfxn.com (www.rfxn.com)|2606:4700:30::681f:5d85|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1549126 (1.5M) [application/x-gzip]
Saving to: ‘maldetect-current.tar.gz’

100%[======================================>] 1,549,126   --.-K/s   in 0.04s

2019-08-04 08:26:22 (41.7 MB/s) - ‘maldetect-current.tar.gz’ saved [1549126/1549126]

Step 3:

cd maldetect-*

Step 4:

sh install.sh

Result:

[root@tutorialspots maldetect-1.6.4]# sh install.sh
Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@r-fx.org>
            (C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(20188): {sigup} performing signature update check...
maldet(20188): {sigup} local signature set is version 201907043616
maldet(20188): {sigup} new signature set 2019080428438 available
maldet(20188): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(20188): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(20188): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(20188): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(20188): {sigup} verified md5sum of maldet-clean.tgz
maldet(20188): {sigup} unpacked and installed maldet-clean.tgz
maldet(20188): {sigup} signature set update completed
maldet(20188): {sigup} 15549 signatures (12737 MD5 | 2035 HEX | 777 YARA | 0 USER)
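The four steps above, fetch, unpack and run install.sh as root, as one script. This is an added example and not part of the LMD project or the original tutorial. It assumes GNU tar and wget are present and that the archive has a single top-level directory named maldetect-<version>/ containing install.sh (as the 1.6.4 tarball on this page does); the archive is checked for absolute paths, ".." components, a second top-level directory and a missing install.sh before anything is unpacked.

```bash
#!/usr/bin/env bash
# Added example, not part of the LMD project or the original tutorial:
# fetch the current LMD tarball over HTTPS and sanity-check the archive
# before install.sh is run as root.
# Assumptions: GNU tar and wget are present; the archive has a single
# top-level directory named maldetect-<version>/ that contains install.sh
# (true of the 1.6.4 tarball shown on this page).
set -u

LMD_URL='https://www.rfxn.com/downloads/maldetect-current.tar.gz'

# verify_maldet_tarball FILE
# Returns 0 only if every entry lives under one maldetect-<version>/
# directory, no entry is an absolute path or escapes via "..", and
# install.sh is present at the top of that directory.
verify_maldet_tarball() {
    local tarball=$1 entries top
    entries=$(tar -tzf "$tarball") || return 1
    [ -n "$entries" ] || return 1
    # absolute paths or ".." components would let the archive write
    # outside the directory it is unpacked into
    if printf '%s\n' "$entries" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 1
    fi
    # exactly one top-level directory, and it must be maldetect-<version>
    top=$(printf '%s\n' "$entries" | cut -d/ -f1 | sort -u)
    [ "$(printf '%s\n' "$top" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$top" | grep -Eq '^maldetect-[0-9][0-9.]*$' || return 1
    # the installer we are about to run must be where we expect it
    printf '%s\n' "$entries" | grep -qxF "$top/install.sh" || return 1
}

# install_lmd [WORKDIR]
# Download into WORKDIR (default /root, as in the tutorial), verify,
# unpack and run install.sh. Needs root; not exercised by the checks below.
install_lmd() {
    local work=${1:-/root} tarball top
    [ "$(id -u)" -eq 0 ] || { echo "install_lmd: must run as root" >&2; return 1; }
    tarball="$work/maldetect-current.tar.gz"
    # --https-only refuses to follow any redirect back to plain HTTP
    wget -q --https-only -O "$tarball" "$LMD_URL" || return 1
    verify_maldet_tarball "$tarball" || {
        echo "install_lmd: refusing to unpack suspicious archive $tarball" >&2
        return 1
    }
    tar -xzf "$tarball" -C "$work" || return 1
    top=$(tar -tzf "$tarball" | cut -d/ -f1 | sort -u)
    (cd "$work/$top" && sh install.sh)
}

# Usage: bash this-script.sh install
if [ "${1:-}" = install ]; then
    install_lmd
fi
```

The archive check is deliberately strict: a tarball that fails any of the four tests is simply not unpacked, because the next step executes whatever it contains with root privileges.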

Update:

maldet -u

Result:

[root@tutorialspots maldetect-1.6.4]# maldet -u
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(20681): {sigup} performing signature update check...
maldet(20681): {sigup} local signature set is version 2019080428438
maldet(20681): {sigup} latest signature set already installed

Configuration:
Linux Malware Detect configuration file is /usr/local/maldetect/conf.maldet

Manual Scan:

To scan a directory tree, use:

maldet -a PATH

Example:

maldet -a '/home/?/public_html'

The ? is expanded by maldet itself as a wildcard for one path component, so this covers every user's public_html (the same notation the daily cron script uses). Quote the path so the shell does not glob it first: in the shell ? matches exactly one character, so an unquoted /home/?/public_html would be replaced by a single-letter user name if one exists. To scan only files changed in the last N days, use maldet -r PATH N instead. When a scan finishes maldet prints a scan ID; maldet --report SCANID shows the full hit list and maldet -q SCANID moves the flagged files into quarantine.
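A scan wrapper that reads maldet's own summary lines and decides what to do next, as an added example (not the LMD project's code and not from the original tutorial). It assumes maldet 1.6.x is on PATH (the installer links it into /usr/local/sbin) and that the "{scan} scan completed" and "scan report saved" lines look like the constructed sample in SAMPLE_LOG, which is modeled on real maldet output but is not a capture from any host; check the format on your own install before relying on it.

```bash
#!/usr/bin/env bash
# Added example, not part of the LMD project or the original tutorial:
# run a manual scan and act on its outcome instead of reading the console
# output by eye. Assumptions: maldet 1.6.x is on PATH (the installer links
# it into /usr/local/sbin), and the "{scan} scan completed" and
# "scan report saved" lines it prints look like the constructed sample
# below, which is modeled on real maldet output but is not a capture.
set -u

# constructed sample of the two summary lines maldet prints at the end of
# `maldet -a '/home/?/public_html'` (not real output from any host)
SAMPLE_LOG='maldet(21337): {scan} scan completed on /home/?/public_html: files 412, malware hits 2, cleaned hits 0, time 9s
maldet(21337): {scan} scan report saved, to view run: maldet --report 190804-0845.21337'

# parse_scan_summary  (reads maldet output on stdin)
# Prints "SCANID HITS"; returns 1 if either value is missing.
parse_scan_summary() {
    local line hits='' scanid=''
    while IFS= read -r line; do
        case $line in
            *'{scan} scan completed on'*)
                hits=$(printf '%s\n' "$line" | sed -n 's/.*malware hits \([0-9][0-9]*\),.*/\1/p') ;;
            *'scan report saved'*)
                scanid=$(printf '%s\n' "$line" | sed -n 's/.*maldet --report \([0-9.-]*\).*/\1/p') ;;
        esac
    done
    [ -n "$scanid" ] && [ -n "$hits" ] || return 1
    printf '%s %s\n' "$scanid" "$hits"
}

# scan_and_triage PATH [report|quarantine]
# Scans PATH with `maldet -a`; on hits prints the report (`maldet --report`)
# and, in quarantine mode, moves the flagged files aside (`maldet -q`).
# Exit status: 0 clean, 1 hits found, 2 output could not be parsed.
scan_and_triage() {
    local target=$1 mode=${2:-report} summary scanid hits
    summary=$(maldet -a "$target" 2>&1 | parse_scan_summary) || {
        echo "scan_and_triage: could not parse maldet output for $target" >&2
        return 2
    }
    scanid=${summary%% *}
    hits=${summary##* }
    if [ "$hits" -eq 0 ]; then
        echo "clean: $target (scan $scanid)"
        return 0
    fi
    echo "$hits hit(s) under $target, scan $scanid" >&2
    maldet --report "$scanid"
    if [ "$mode" = quarantine ]; then
        maldet -q "$scanid"
    fi
    return 1
}

# Usage: bash this-script.sh scan '/home/?/public_html' [quarantine]
if [ "${1:-}" = scan ]; then
    scan_and_triage "${2:?scan path required}" "${3:-report}"
fi
```

The exit status makes the wrapper usable from a deployment or cron job: a non-zero result means either hits or an unreadable scan, and neither should be treated as clean.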

Set CronJob for Auto Scanning
In the installation process, a cron job file is installed in /etc/cron.daily/maldet.

#!/usr/bin/env bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
export LMDCRON=1
inspath='/usr/local/maldetect'
intcnf="$inspath/internals/internals.conf"

if [ -f "$intcnf" ]; then
        source $intcnf
else
        echo "\$intcnf not found."
        exit 1
fi
if [ -f "$cnf" ]; then
        source $cnf
        if [ -f "$compatcnf" ]; then
                source $compatcnf
        fi
else
        echo "could not find \$cnf, fatal error, bye."
        exit 1
fi

if [ -f "/etc/sysconfig/maldet" ]; then
        . /etc/sysconfig/maldet
elif [ -f "/etc/default/maldet" ]; then
        . /etc/default/maldet
fi

if [ -f "$cron_custom_conf" ]; then
        . $cron_custom_conf
fi

if [ -z "$scan_days" ]; then
        scan_days=1
fi

if [ -z "$cron_prune_days" ]; then
        cron_prune_days=21
fi

if [ "$find" ]; then
        # prune any quarantine/session/tmp data older than $cron_prune_days days (21 by default)
        tmpdirs="$tmpdir $varlibpath/sess $varlibpath/quarantine $varlibpath/pub"
        for dir in $tmpdirs; do
         if [ -d "$dir" ]; then
          $find $dir -type f -mtime +${cron_prune_days} -print0 | xargs -0 rm -f >> /dev/null 2>&1
         fi
        done
fi

if [ "$autoupdate_version" == "1" ] || [ "$autoupdate_signatures" == "1" ]; then
        # sleep for random 1-999s interval to better distribute upstream load
        sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
fi

if [ "$autoupdate_version" == "1" ]; then
        # check for new release version
        $inspath/maldet -d >> /dev/null 2>&1
fi

if [ "$autoupdate_signatures" == "1" ]; then
        # check for new definition set
        $inspath/maldet -u >> /dev/null 2>&1
fi

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "cmd" | grep -E maldetect | grep -E inotifywait)" ]; then
        $inspath/maldet --monitor-report >> /dev/null 2>&1
elif [ "$cron_daily_scan" == "1" ]; then
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                $inspath/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ $scan_days >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                $inspath/maldet -b -r /var/www/vhosts/?/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                $inspath/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ $scan_days >> /dev/null 2>&1
        elif [ -d "/var/www/clients" ]; then
                # ISPConfig
                $inspath/maldet -b -r /var/www/clients/?/web?/web,/var/www/clients/?/web?/subdomains,/var/www $scan_days >> /dev/null 2>&1
        elif [ -d "/etc/webmin/virtual-server" ]; then
                # Virtualmin
                $inspath/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/local/ispmgr" ] || [ -d "/usr/local/mgr5" ]; then
                # ISPmanager
                $inspath/maldet -b -r /var/www/?/data/,/home/?/data/ $scan_days >> /dev/null 2>&1
        elif [ -d "/var/customers/webs" ]; then
                # froxlor
                $inspath/maldet -b -r /var/customers/webs/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/local/vesta" ]; then
                # VestaCP
                $inspath/maldet -b -r /home/?/web/?/public_html/,/home/?/web/?/public_shtml/,/home/?/tmp/,/home/?/web/?/private/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/share/dtc" ]; then
                # DTC
                if [ -f /var/lib/dtc/saved_install_config ]; then
                    . /var/lib/dtc/saved_install_config
                fi
                $inspath/maldet -b -r ${conf_hosting_path:-/var/www/sites}/?/?/subdomains/?/html/ $scan_days >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                $inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1
        fi
fi

if [ -f "$cron_custom_exec" ]; then
        . $cron_custom_exec
fi

This script does three things each day. It prunes quarantine, session and temporary data older than cron_prune_days (21 days by default). When autoupdate_version or autoupdate_signatures is set to 1 in conf.maldet, it checks for a new LMD release (maldet -d) and a new signature set (maldet -u). Then, unless the inotify monitor is running (in which case it only sends the daily monitor report), and provided cron_daily_scan is 1, it starts a background scan (maldet -b -r PATHS $scan_days) of files changed in the last scan_days days (1 by default) under the web roots it detects for the installed control panel, falling back to /home?/?/public_html/, /var/www/html/ and /usr/local/apache/htdocs/ on a plain server. A site that lives outside those paths is not scanned unless you add it through the file named by cron_custom_exec, which the script sources last.

To activate e-mail alerts when malware is detected, open the Maldet configuration file, /usr/local/maldetect/conf.maldet, and set:

email_alert="1"
email_subj="Maldet alert from $(hostname)"
email_addr="email@domain.com"

conf.maldet is sourced by the shell, so values are written in double quotes and the $(hostname) in the subject is expanded when the alert is sent. Replace email@domain.com with a mailbox that is actually read, and make sure the host can deliver outbound mail (a local MTA such as postfix or sendmail must be able to send), or the alerts will never arrive.
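The e-mail settings above and the custom cron hook mentioned in the cron section, applied from a script rather than by hand. This is an added example, not the LMD project's code and not from the original tutorial. It assumes conf.maldet is at /usr/local/maldetect/conf.maldet and uses key="value" lines (as in 1.6.4), that quarantine_hits is the conf.maldet key that moves hits into quarantine, and that cron_custom_exec in internals.conf points at /usr/local/maldetect/cron/custom.cron; the mailbox soc@example.com and the web root /srv/www are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the LMD project or the original tutorial:
# turn on e-mail alerts and quarantine in conf.maldet without hand-editing
# it, and add a daily scan of a web root the stock cron script does not
# cover, through the hook that script sources last.
# Assumptions: conf.maldet is at /usr/local/maldetect/conf.maldet and uses
# key="value" lines (as in 1.6.4); cron_custom_exec in internals.conf
# points at /usr/local/maldetect/cron/custom.cron (confirm with
#   grep cron_custom_exec /usr/local/maldetect/internals/internals.conf).
set -u

CONF=/usr/local/maldetect/conf.maldet
CUSTOM_CRON=/usr/local/maldetect/cron/custom.cron

# set_maldet_opt FILE KEY VALUE
# Replace an existing KEY="..." line or append one. The result is copied
# back with cat > FILE so the file keeps its owner and mode.
set_maldet_opt() {
    local file=$1 key=$2 value=$3 tmp esc
    tmp=$(mktemp) || return 1
    # escape the characters that are special in a sed replacement
    esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
    if grep -Eq "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=\"${esc}\"|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s="%s"\n' "$key" "$value"; } > "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_maldet_opt FILE KEY  -> prints the value without its quotes
get_maldet_opt() {
    grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2- | sed 's/^"//; s/"$//'
}

# write_custom_cron FILE DIR...
# Emit a custom.cron that scans DIR... for files changed in the last
# $scan_days days. /etc/cron.daily/maldet sources this file after its own
# scan, so $inspath and $scan_days are defined there; they are written
# literally here, not expanded.
write_custom_cron() {
    local file=$1 dir list=''
    shift
    [ $# -gt 0 ] || return 1
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *) echo "write_custom_cron: $dir is not an absolute path" >&2; return 1 ;;
        esac
        list="${list:+$list,}$dir"
    done
    {
        echo '# extra daily scan, sourced by /etc/cron.daily/maldet via cron_custom_exec'
        printf '%s\n' "\$inspath/maldet -b -r $list \$scan_days >> /dev/null 2>&1"
    } > "$file"
}

# Usage: bash this-script.sh apply   (edits the live install; needs root)
if [ "${1:-}" = apply ]; then
    set_maldet_opt "$CONF" email_alert 1
    set_maldet_opt "$CONF" email_addr 'soc@example.com'              # assumption: your alert mailbox
    set_maldet_opt "$CONF" email_subj 'Maldet alert from $(hostname)'
    set_maldet_opt "$CONF" quarantine_hits 1                          # quarantine hits instead of only reporting them
    write_custom_cron "$CUSTOM_CRON" /srv/www                         # assumption: a web root outside the panel defaults
fi
```

Editing through a temporary copy and cat > FILE matters here: conf.maldet is root-only, and a tool that replaced it with a fresh file would silently change its mode. The custom cron hook is the supported place for extra scans, because /etc/cron.daily/maldet itself is overwritten on upgrade.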
