LINUX MALWARE DETECT
Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, that is designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for its detection. Threat data is also derived from user submissions made with the LMD checkout feature and from malware community resources. The signatures LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of other detection tools, such as ClamAV.
Home page:
https://www.rfxn.com/projects/linux-malware-detect/
Installation:
Step 1:
cd /root
Step 2:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Result:
[root@tutorialspots ~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--2019-08-04 08:26:22--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
Resolving www.rfxn.com (www.rfxn.com)... 2606:4700:30::681f:5d85, 2606:4700:30::681f:5c85, 104.31.92.133, ...
Connecting to www.rfxn.com (www.rfxn.com)|2606:4700:30::681f:5d85|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1549126 (1.5M) [application/x-gzip]
Saving to: ‘maldetect-current.tar.gz’

100%[======================================>] 1,549,126   --.-K/s   in 0.04s

2019-08-04 08:26:22 (41.7 MB/s) - ‘maldetect-current.tar.gz’ saved [1549126/1549126]
Step 3:
cd maldetect-*
Step 4:
sh install.sh
Result:
[root@tutorialspots maldetect-1.6.4]# sh install.sh
Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@r-fx.org>
            (C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(20188): {sigup} performing signature update check...
maldet(20188): {sigup} local signature set is version 201907043616
maldet(20188): {sigup} new signature set 2019080428438 available
maldet(20188): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(20188): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(20188): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(20188): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(20188): {sigup} verified md5sum of maldet-clean.tgz
maldet(20188): {sigup} unpacked and installed maldet-clean.tgz
maldet(20188): {sigup} signature set update completed
maldet(20188): {sigup} 15549 signatures (12737 MD5 | 2035 HEX | 777 YARA | 0 USER)
Update:
maldet -u
Result:
[root@tutorialspots maldetect-1.6.4]# maldet -u
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(20681): {sigup} performing signature update check...
maldet(20681): {sigup} local signature set is version 2019080428438
maldet(20681): {sigup} latest signature set already installed
Configuration:
The Linux Malware Detect configuration file is /usr/local/maldetect/conf.maldet.
Manual Scan:
To scan a directory, use the command:
maldet -a PATH
Example:
maldet -a /home/?/public_html
Set a Cron Job for Automatic Scanning:
During installation, a cron job file is installed as /etc/cron.daily/maldet:
#!/usr/bin/env bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
export LMDCRON=1
inspath='/usr/local/maldetect'
intcnf="$inspath/internals/internals.conf"

if [ -f "$intcnf" ]; then
    source $intcnf
else
    echo "\$intcnf not found."
    exit 1
fi

if [ -f "$cnf" ]; then
    source $cnf
    if [ -f "$compatcnf" ]; then
        source $compatcnf
    fi
else
    echo "could not find \$cnf, fatal error, bye."
    exit 1
fi

if [ -f "/etc/sysconfig/maldet" ]; then
    . /etc/sysconfig/maldet
elif [ -f "/etc/default/maldet" ]; then
    . /etc/default/maldet
fi

if [ -f "$cron_custom_conf" ]; then
    . $cron_custom_conf
fi

if [ -z "$scan_days" ]; then
    scan_days=1
fi

if [ -z "$cron_prune_days" ]; then
    cron_prune_days=21
fi

if [ "$find" ]; then
    # prune any quarantine/session/tmp data older than $cron_prune_days days (default 21)
    tmpdirs="$tmpdir $varlibpath/sess $varlibpath/quarantine $varlibpath/pub"
    for dir in $tmpdirs; do
        if [ -d "$dir" ]; then
            $find $dir -type f -mtime +${cron_prune_days} -print0 | xargs -0 rm -f >> /dev/null 2>&1
        fi
    done
fi

if [ "$autoupdate_version" == "1" ] || [ "$autoupdate_signatures" == "1" ]; then
    # sleep for random 1-999s interval to better distribute upstream load
    sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
fi

if [ "$autoupdate_version" == "1" ]; then
    # check for new release version
    $inspath/maldet -d >> /dev/null 2>&1
fi

if [ "$autoupdate_signatures" == "1" ]; then
    # check for new definition set
    $inspath/maldet -u >> /dev/null 2>&1
fi

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "cmd" | grep -E maldetect | grep -E inotifywait)" ]; then
    $inspath/maldet --monitor-report >> /dev/null 2>&1
elif [ "$cron_daily_scan" == "1" ]; then
    if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
        # ensim
        $inspath/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ $scan_days >> /dev/null 2>&1
    elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
        # psa
        $inspath/maldet -b -r /var/www/vhosts/?/ $scan_days >> /dev/null 2>&1
    elif [ -d "/usr/local/directadmin" ]; then
        # DirectAdmin
        $inspath/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ $scan_days >> /dev/null 2>&1
    elif [ -d "/var/www/clients" ]; then
        # ISPConfig
        $inspath/maldet -b -r /var/www/clients/?/web?/web,/var/www/clients/?/web?/subdomains,/var/www $scan_days >> /dev/null 2>&1
    elif [ -d "/etc/webmin/virtual-server" ]; then
        # Virtualmin
        $inspath/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ $scan_days >> /dev/null 2>&1
    elif [ -d "/usr/local/ispmgr" ] || [ -d "/usr/local/mgr5" ]; then
        # ISPmanager
        $inspath/maldet -b -r /var/www/?/data/,/home/?/data/ $scan_days >> /dev/null 2>&1
    elif [ -d "/var/customers/webs" ]; then
        # froxlor
        $inspath/maldet -b -r /var/customers/webs/ $scan_days >> /dev/null 2>&1
    elif [ -d "/usr/local/vesta" ]; then
        # VestaCP
        $inspath/maldet -b -r /home/?/web/?/public_html/,/home/?/web/?/public_shtml/,/home/?/tmp/,/home/?/web/?/private/ $scan_days >> /dev/null 2>&1
    elif [ -d "/usr/share/dtc" ]; then
        # DTC
        if [ -f /var/lib/dtc/saved_install_config ]; then
            . /var/lib/dtc/saved_install_config
        fi
        $inspath/maldet -b -r ${conf_hosting_path:-/var/www/sites}/?/?/subdomains/?/html/ $scan_days >> /dev/null 2>&1
    else
        # cpanel, interworx and other standard home/user/public_html setups
        $inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1
    fi
fi

if [ -f "$cron_custom_exec" ]; then
    . $cron_custom_exec
fi
This file runs the daily update checks, so that the signature database is never older than 14 days, and schedules a daily scan of recently changed files (the -r option with $scan_days), choosing the document roots to scan from the control panel it detects on the server.
To activate email alerts when malware is detected, open the Maldet configuration file /usr/local/maldetect/conf.maldet and set the following:

email_alert=1
email_subj="Maldet alert from $(hostname)"
email_addr="email@domain.com"
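Because conf.maldet is a shell-style key=value file that LMD sources, the usual mistake when scripting this change is to append a second `email_alert=` line (the last one wins) or to clobber a commented-out example line. The following added example, which is not part of LMD, rewrites the existing uncommented assignment in place and appends only when the key is absent. The sample configuration it edits is a constructed fragment written in conf.maldet's style, not the real file, and the helper names (`set_conf_key`, `get_conf_key`, `enable_email_alerts`, `make_demo_conf`) are this example's own; to apply it for real, point it at /usr/local/maldetect/conf.maldet instead.

```shell
#!/bin/sh
# Added example, not part of LMD: idempotently set the three email keys in a
# conf.maldet-style file. The sample file below is constructed for the demo.

# set_conf_key FILE KEY VALUE -> rewrite the first uncommented "KEY=..." line
# to KEY=VALUE, or append it when the key is absent. awk writes a temp file,
# which is then copied back over FILE so FILE keeps its owner and mode.
set_conf_key() {
    sk_tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        $0 ~ ("^" k "[[:space:]]*=") && !seen { print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }
    ' "$1" > "$sk_tmp" && cat "$sk_tmp" > "$1"
    rm -f "$sk_tmp"
}

# get_conf_key FILE KEY -> the value the shell would see after sourcing FILE:
# the last uncommented assignment wins, surrounding double quotes are stripped.
get_conf_key() {
    awk -v k="$2" -F= '
        $1 == k { v = substr($0, index($0, "=") + 1) }
        END { gsub(/^"|"$/, "", v); print v }
    ' "$1"
}

# enable_email_alerts FILE ADDRESS -> the three settings from the text above
enable_email_alerts() {
    set_conf_key "$1" email_alert '"1"'
    set_conf_key "$1" email_subj '"Maldet alert from $(hostname)"'
    set_conf_key "$1" email_addr "\"$2\""
}

# make_demo_conf -> writes a constructed fragment in conf.maldet style
# (including a commented-out example line that must be left alone); prints path
make_demo_conf() {
    dc=$(mktemp)
    cat > "$dc" <<'EOF'
# constructed fragment in the style of conf.maldet (not the real file)
# email_alert="1"
email_alert="0"
email_subj="maldet alert from $(hostname)"
email_addr="you@domain.com"
email_ignore_clean="0"
quarantine_hits="0"
EOF
    printf '%s\n' "$dc"
}

# Stand-alone run: apply the change to the constructed file and show the result.
CONF=$(make_demo_conf)
enable_email_alerts "$CONF" "admin@example.com"
grep '^email_' "$CONF"
rm -f "$CONF"
```

After the run the file still has exactly one `email_alert=` line, the commented `# email_alert="1"` example is untouched, and unrelated keys such as `quarantine_hits` keep their values.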
1 Comment
Some maldet command examples | Free Online Tutorials
(December 22, 2019 - 4:21 pm)[…] Read more: How to install Linux Malware Detect – Maldet on CentOS 7 […]