Some maldet command examples

LINUX MALWARE DETECT

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV.

Maldet command syntax:

maldet [options] [/path/to/scan]

Some main options:
1, -b, –background
Execute operations in the background, ideal for large scans
Example:

maldet -b -r /home/tutorialspots.com/

2, -u, –update
Update malware detection signatures from rfxn.com

[root@tutorialspots ~]# maldet -u
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(22541): {sigup} performing signature update check...
maldet(22541): {sigup} local signature set is version 2019121915724
maldet(22541): {sigup} new signature set 201912227604 available
maldet(22541): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(22541): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(22541): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(22541): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(22541): {sigup} verified md5sum of maldet-clean.tgz
maldet(22541): {sigup} unpacked and installed maldet-clean.tgz
maldet(22541): {sigup} signature set update completed
maldet(22541): {sigup} 15572 signatures (12752 MD5 | 2035 HEX | 785 YARA | 0 USER)

3, -d, –update-ver
Update the installed version from rfxn.com

[root@tutorialspots ~]# maldet -d
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(22396): {update} checking for available updates...
maldet(22396): {update} hashing install files and checking against server...
maldet(22396): {update} latest version already installed.

4, -m, –monitor USERS|PATHS|FILE|RELOAD
Run maldet with inotify kernel level file create/modify monitoring
If USERS is specified, monitor user homedirs for UID’s > 500
If FILE is specified, paths will be extracted from file, line spaced
If PATHS are specified, must be comma spaced list, NO WILDCARDS!
e.g: maldet –monitor users
e.g: maldet –monitor /root/monitor_paths
e.g: maldet –monitor /home/mike,/home/ashton

5, -k, –kill
Terminate inotify monitoring service

6, -r, –scan-recent PATH DAYS
Scan files created/modified in the last X days (default: 7d, wildcard: ?)
e.g: maldet -r /home/?/public_html 2

7, -a, –scan-all PATH
Scan all files in path (default: /home, wildcard: ?)
e.g: maldet -a /home/?/public_html

8, -c, –checkout FILE
Upload suspected malware to rfxn.com for review & hashing into signatures

9, -l, –log
View maldet log file events.

[root@downappz ~]# maldet -l
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

Viewing last 50 lines from /usr/local/maldetect/logs/event_log:
Dec 21 03:50:00 tutorialspots maldet(24780): {sigup} downloaded https://cdn.rfxn.com/downloads/maldet.sigs.ver
Dec 21 03:50:00 tutorialspots maldet(24780): {sigup} latest signature set already installed
Dec 21 03:50:00 tutorialspots maldet(24897): {scan} launching scan of /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ changes in last 1d to background, see /usr/local/maldetect/logs/event_log for progress
Dec 21 03:50:01 tutorialspots maldet(24897): {scan} signatures loaded: 15571 (12751 MD5 | 2035 HEX | 785 YARA | 0 USER)
Dec 21 03:50:01 tutorialspots maldet(24897): {scan} building file list for  of new/modified files from last 1 days, this might take awhile...
Dec 21 03:50:01 tutorialspots maldet(24897): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
...

10, -e, –report SCANID email
View scan report of most recent scan or of a specific SCANID and optionally e-mail the report to a supplied e-mail address.

e.g: maldet –report

Other optio:

e.g: maldet –report list

Another example:

e.g: maldet –report 050910-1534.21135

e.g: maldet –report SCANID user@domain.com

11, -s, –restore FILE|SCANID
Restore file from quarantine queue to orginal path or restore all items from a specific SCANID
e.g: maldet –restore /usr/local/maldetect/quarantine/config.php.23754
e.g: maldet –restore 050910-1534.21135

12, -q, –quarantine SCANID
Quarantine all malware from report SCANID
e.g: maldet –quarantine 050910-1534.21135

13, -n, –clean SCANID
Try to clean & restore malware hits from report SCANID
e.g: maldet –clean 050910-1534.21135

14, -U, –user USER
Set execution under specified user, ideal for restoring from user quarantine or to view user reports.
e.g: maldet –user nobody –report
e.g: maldet –user nobody –restore 050910-1534.21135

15, -p, –purge
Clear logs, quarantine queue, session and temporary data.

Full maldet command options:

[root@tutorialspots ~]# maldet -h
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 201912227604
usage /usr/local/sbin/maldet [ OPTION ]
    -b, --background
      Execute operations in the background, ideal for large scans
      e.g: maldet -b -r /home/?/public_html 7

    -u, --update-sigs [--force]
       Update malware detection signatures from rfxn.com

    -d, --update-ver [--force]
       Update the installed version from rfxn.com

    -f, --file-list
       Scan files or paths defined in line spaced file
       e.g: maldet -f /root/scan_file_list

    -r, --scan-recent PATH DAYS
       Scan files created/modified in the last X days (default: 7d, wildcard: ?)
       e.g: maldet -r /home/?/public_html 2

    -a, --scan-all PATH
       Scan all files in path (default: /home, wildcard: ?)
       e.g: maldet -a /home/?/public_html

    -i, --include-regex REGEX
       Include paths/files from file list based on supplied posix-egrep regular
       expression.
       e.g: To include only paths named wp-content and files ending in .php:
       --include-regex ".*/wp-content/.*|.*.php$"

    -x, --exclude-regex REGEX
       Exclude paths/files from file list based on supplied posix-egrep regular
       expression.
       e.g: To exclude paths containing 'wp-content/w3tc/' and core files:
       --exclude-regex ".*wp-content/w3tc/.*|.*core.[0-9]+$"

    -m, --monitor USERS|PATHS|FILE|RELOAD
       Run maldet with inotify kernel level file create/modify monitoring
       If USERS is specified, monitor user homedirs for UID's > 500
       If FILE is specified, paths will be extracted from file, line spaced
       If PATHS are specified, must be comma spaced list, NO WILDCARDS!
       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

    -k, --kill-monitor
       Terminate inotify monitoring service

    -c, --checkout FILE
       Upload suspected malware to rfxn.com for review & hashing into signatures

    -l, --log
       View maldet log file events

    -e, --report SCANID email
       View scan report of most recent scan or of a specific SCANID and optional
ly
       e-mail the report to a supplied e-mail address
       e.g: maldet --report
       e.g: maldet --report list
       e.g: maldet --report 050910-1534.21135
       e.g: maldet --report SCANID user@domain.com

    -s, --restore FILE|SCANID
       Restore file from quarantine queue to orginal path or restore all items f
rom
       a specific SCANID
       e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
       e.g: maldet --restore 050910-1534.21135

    -q, --quarantine SCANID
       Quarantine all malware from report SCANID
       e.g: maldet --quarantine 050910-1534.21135

    -n, --clean SCANID
       Try to clean & restore malware hits from report SCANID
       e.g: maldet --clean 050910-1534.21135

    -U, --user USER
       Set execution under specified user, ideal for restoring from user quarant
ine or
       to view user reports.
       e.g: maldet --user nobody --report
       e.g: maldet --user nobody --restore 050910-1534.21135

    -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
       Set or redefine the value of conf.maldet config options
       e.g: maldet --config-option email_addr=you@domain.com,quarantine_hits=1

    -p, --purge
       Clear logs, quarantine queue, session and temporary data.

    --web-proxy IP:PORT
       Enable use of HTTP/HTTPS proxy for all remote URL calls.

Free Online Tutorials

Some maldet command examples

phptuts

Leave a Reply Cancel reply

Some maldet command examples

phptuts

Related Posts

CentOS: pandoc error: Missing character: There is no in font

CentOS: pandoc error: The font “latinmodern-math.otf” cannot be found.

CentOS: LaTeX Error: File `xeCJK.sty’ not found

CentOS: pandoc error: I can’t find file `pzdr’

CentOS: fix error: LaTeX Error: File `iftex.sty’ not found.

Leave a Reply Cancel reply