[How-To] Linux Malware Detect on Directadmin Powered server

I just wonder: why must this be /home?/?/domains and not /home/?/domains? I don't understand the ? in /home.

That's just for the case where you've got several /home locations:

/home/
/home1/
/home2/
...
...
...
/homeN/
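
The answer above can be checked on a throwaway directory tree. The following is an added example and is not code from the thread or from maldet itself; it relies on one observation from this thread: maldet rewrites every `?` in a scan path to the shell glob `*` before scanning (the log line quoted further down records `/home?/?/domains/?/public_html` as `/home*/*/domains/*/public_html`). The account and domain names in the sample tree are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from maldet itself. It shows what
# the '?' in a maldet scan path covers. maldet rewrites each '?' to the shell
# glob '*' before scanning (the thread's own log line shows
# /home?/?/domains/?/public_html logged as /home*/*/domains/*/public_html), so
# /home? matches /home, /home1, /home2 ... and not just one extra character.

# maldet_glob PATTERN -> the glob maldet actually expands (every '?' becomes '*')
maldet_glob() {
    printf '%s\n' "$1" | sed 's/?/*/g'
}

# expand_under ROOT PATTERN -> existing paths under ROOT matching PATTERN,
# printed without the ROOT prefix. ROOT lets the same logic run on a scratch tree.
expand_under() {
    _root=$1
    _glob=$(maldet_glob "$2")
    # unquoted $_glob is intentional: pathname expansion is the point here
    for _p in "$_root"$_glob; do
        [ -e "$_p" ] && printf '%s\n' "${_p#"$_root"}"
    done
    return 0
}

# count_matches ROOT PATTERN -> number of matching paths
count_matches() {
    expand_under "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree (made-up account and domain names, not real data):
# two home partitions plus a directory that merely starts with "home".
make_sample_tree() {
    _t=$(mktemp -d)
    for _d in home/alice/domains/alice.example/public_html \
              home/alice/public_html \
              home2/bob/domains/bob.example/public_html \
              home2/bob/domains/bob.example/private_html \
              homes/carol/domains/carol.example/public_html; do
        mkdir -p "$_t/$_d"
    done
    printf '%s\n' "$_t"
}

# Stand-alone demo: compare the two patterns from the question above
tree=$(make_sample_tree)
for pat in '/home/?/domains/?/public_html' '/home?/?/domains/?/public_html'; do
    printf '%s -> %s\n' "$pat" "$(maldet_glob "$pat")"
    expand_under "$tree" "$pat" | sed 's/^/    /'
done
rm -rf "$tree"
```

Note the side effect of the translation: `/home*` also matches `/homes/...` in the sample tree, so any directory whose name merely begins with `home` gets scanned too. The trailing `/domains/*/public_html` components keep the scan bounded, but be aware of it if you keep unrelated data under such a name.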

Yep... it's working OK now after the upgrade.

I'm glad to know that.
 
Maybe I missed this somewhere, but both scans are running fine now, which is also proven by the log:
Mar 21 04:02:15 server10 maldet(20337): {scan} scan completed on /home*/*/domains/*/public_html: files 1006, malware hits 0, cleaned hits 0

But I only get this email:
/etc/cron.daily/maldet:

Linux Malware Detect v1.4.2
(C) 2002-2011, R-fx Networks <[email protected]>
(C) 2011, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19433): {scan} launching scan of /var/www/html changes in last 2d to background, see /usr/local/maldetect/event_log for progress
Isn't it possible to get the report for the home directory scan too?
Otherwise I could try to change the order and swap both lines in the maldet cronjob. But it would be nicer if one would get a report of both actions; is that possible?

Or even better, disable this cron email when nothing bad is found?
I know I can disable email in conf.maldet but wouldn't that disable all emails, also when something is found?
 
That email is from cron, and is not a maldet report. That is because of the new /etc/cron.daily/maldet file, which originally looks as follows:

Code:
#!/bin/bash

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if were running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi

        # scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
        fi
fi


In the file you should find the section:

Code:
# scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
        fi

and change it to (we add >> /dev/null 2>&1)

Code:
# scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2 >> /dev/null 2>&1
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2 >> /dev/null 2>&1
        fi

so it would look like the following:

Code:
#!/bin/bash

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if were running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi

        # scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2 >> /dev/null 2>&1
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2 >> /dev/null 2>&1
        fi
fi

I'll update the first message.
 
Thank you very much.
The strange part is, I did not have that last "scan docroot" part in there anymore, on 2 servers, but only this:
Code:
#!/bin/bash

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if were running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi
fi

But I will overwrite the complete cronjob again and see what happens.
Thank you!
 
Overwritten again as I said and those extra lines seem to have done the job.
Did not get any cron email anymore. Thank you!
 
Note, in the file we should find the section:

Code:
# scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
        fi

and change it to (so we add >> /dev/null 2>&1 at the end of two lines)

Code:
# scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2 >> /dev/null 2>&1
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2 >> /dev/null 2>&1
        fi

Thank you for this great How-To, but I cannot find the section you have mentioned in /etc/cron.daily/maldet

Installed it a minute ago exactly according to your tutorial

Thank you again
 
Thank you for this great How-To, but I cannot find the section you have mentioned in /etc/cron.daily/maldet

Installed it a minute ago exactly according to your tutorial

Thank you again
Sorry, I hadn't followed the conversation. OK, I will add those lines. Thank you again :)

Wish I could delete my own post!
 
You're welcome. I'm glad you like it. I wrote to the software developers in order to ask them to modify the crontab file, but did not get a reply from them.

They have now listened to you. They have now implemented support for DirectAdmin. However, I do not like how they did it. They did it without changing the version number, and they backported the change to the changelog dated Feb 25th 2013 - that is not professional! Here is the changed changelog http://www.rfxn.com/appdocs/CHANGELOG.maldetect

Code:
v1.4.2 | Feb 25th 2013:
[New] detection and alerting of libkeyutils root compromised libraries
[Change] cron.daily now tests for directadmin and scans appropriate user domain paths
[Change] removed temporary paths /var/tmp, /tmp, and /dev/shm from cron.daily which are
         now added explicitly to all scanning paths / modes

I noticed this tonight because my maldet installation automatically upgraded itself, but it upgraded from the same version to the same version number. Here is one line from my maldet "event_log" tonight:

Code:
Apr 10 03:10:41 server maldet(19622): {update} completed update v1.4.2 => v1.4.2, running signature updates...

Maldet then overwrote my /etc/cron.daily/maldet file; the new content seems to be according to zEitEr's recommendation, so it seems to work correctly without needing any change now. Here is the content of the default /etc/cron.daily/maldet after the upgrade from v1.4.2 to v1.4.2:

Code:
#!/bin/bash

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if were running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi

        # scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
        fi
fi

I do not trust developers that make changes in silence without changing the version numbers, and also add text to changelog entries with old dates!
 
I also don't like developers that make unasked changes to existing crontabs.
But I like the scanner so I hope they have learned from this.

And you have to add the >> /dev/null 2>&1 again to the last few lines. Developers forgot that too.
 
Thanks for the reminder, Richard G. I have now added back >> /dev/null 2>&1 to /etc/cron.daily/maldet

Does anybody know how to turn off automatic upgrade of maldetect when there is a new version? I have looked in /usr/local/maldetect/conf.maldet but did not find any setting for it there.

Maybe I should simply comment out this line in /etc/cron.daily/maldet?:

Code:
# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

Or is that not the correct way to do it? I would like it to notify me if possible, but I would not like it to upgrade automatically. What if the developer's box gets hacked? Then we all wake up the next morning to find that all of our servers are root-hacked!
 
Then we all wake up the next morning to find that all of our servers are root-hacked!
Oops... Good thinking! That was something I didn't even think of, but is in fact a possibility.
Maybe we can mail the author of maldet and ask him this, or ask him to make an option to only notify us about updates so we can do it ourselves. In fact.... I just sent them an email.

As far as I can see you are correct. Commenting the maldet -d line should disable the new-version check.
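
Two things in this thread keep coming back to the same file: the cron e-mail exists because the last two scan lines in /etc/cron.daily/maldet have no `>> /dev/null 2>&1` (and the silent re-release put those lines back without it), and the `maldet -d` line is the automatic release upgrade that people want to turn off. The script below is an added example, not part of the thread or of maldet: it audits a copy of the cron file for both points and prints a hardened version. The sample cron fragment it works on is constructed here from the lines quoted in the thread; the `write_sample_cron`, `harden_maldet_cron` and other function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from maldet itself. Audits a copy of
# /etc/cron.daily/maldet for two things discussed in this thread:
#  1. every maldet invocation must redirect stdout and stderr (>> /dev/null 2>&1);
#     cron mails whatever a job prints, so an unredirected "maldet -b -r ..."
#     line is exactly what produced the daily cron e-mail.
#  2. "maldet -d" is the automatic release upgrade; report whether it is active
#     so it can be commented out deliberately. Note that with it commented out
#     nothing on the box will tell you a new release exists.
# All functions take the path of the file to inspect as $1.

# Print (with line numbers) maldet invocations whose output is not redirected.
# Comment lines are skipped.
unredirected_maldet_lines() {
    grep -n 'maldet ' "$1" \
      | grep -v '^[0-9]*:[[:space:]]*#' \
      | grep -v '2>&1'
}

# Number of such lines; 0 means the file is quiet as far as cron is concerned.
count_unredirected() {
    unredirected_maldet_lines "$1" | wc -l | tr -d ' '
}

# "on" if an uncommented 'maldet -d' line is present, otherwise "off".
auto_upgrade_state() {
    if grep -v '^[[:space:]]*#' "$1" | grep -Eq 'maldet -d([ 	]|$)'; then
        echo on
    else
        echo off
    fi
}

# Print a hardened copy: the auto-upgrade line commented out, and the redirect
# appended to every maldet line that lacks it. The caller decides whether to
# install the result over the real file.
harden_maldet_cron() {
    awk '
        # comments and lines not running maldet pass through untouched
        /^[ \t]*#/ || $0 !~ /maldet / { print; next }
        # 1. comment out the release check so upgrades become a manual step
        /maldet -d([ \t]|$)/ { sub(/^[ \t]*/, "&# "); print; next }
        # 2. silence every remaining maldet line for cron
        !/2>&1/ { sub(/[ \t]*$/, " >> /dev/null 2>\\&1") }
        { print }
    ' "$1"
}

# Constructed sample, modelled on the cron.daily fragments quoted in this thread
# (not a copy of any real server's file).
write_sample_cron() {
    cat > "$1" <<'EOF'
#!/bin/bash
# maldet -d below is the automatic release upgrade
/usr/local/maldetect/maldet -d >> /dev/null 2>&1
# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1
        # scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2
        fi
        /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
EOF
}

# Stand-alone demo
f=$(mktemp)
write_sample_cron "$f"
echo "auto-upgrade: $(auto_upgrade_state "$f")"
echo "maldet lines that would make cron send mail:"
unredirected_maldet_lines "$f"
echo "--- hardened copy ---"
harden_maldet_cron "$f"
rm -f "$f"
```

Run it against the real file with the function names above (`auto_upgrade_state /etc/cron.daily/maldet`, then `harden_maldet_cron /etc/cron.daily/maldet > /root/maldet.cron.new` and diff before installing). Because `maldet -d` rewrites the cron file on every automatic upgrade, the audit is worth re-running after any upgrade; with the `-d` line commented out, the file stays the way you left it.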
 
I just got a reply from the creator of maldet. In version 1.5 there will be an option to disable automatic updates.
Since there were also some comments on the changelog which I passed on to him, I will post his reply here, so you can see for yourself how it all started and what new things are coming.
The author is open to suggestions and, as you can see, he looks like a nice guy and explains everything asked.

Thank you for reaching out to me regarding your concerns and those
communicated by others on the DA forums.

The rfxn.com projects are created first and foremost for my own use in
my day-to-day job, as convenience tools and a means to address issues I
run into on a daily basis. It is that experience and the issues I face
daily, that guides me in the creation of my projects and how they are
released, modified and developed going forward. At times, this can
conflict with the transparency or logic to releases or silent changes
that may go live. Any such transparency gaps or silent version changes
are often done so to address an issue I have run into on a given day and
required an immediate resolution of.

From my perspective, the rfxn.com tools are vital components of the
servers I maintain for my employer and I do apologize if any of my
changes occasionally do not mesh with development best practices. The
projects are released GPL and as-is, I do so on the basis that if they
are convenient and useful to me, surely they will be for others as well.

That all being said, transparency is important and, despite the few
backported silent changes I may make, generally I try to maintain good
changelogs and hold myself to a set of standards that users of my
projects can trust in. The development changelog of LMD 1.5 currently in
the works can be viewed below:
http://rfxn.com/downloads/CHANGELOG.maldet.dev

As time permits, I hope to complete version 1.5 over the next few weeks
which will bring some great changes to the project as can be seen from
the changelog.

With regards to the security of the rfxn.com server, it is important to
note that the projects development and source data does not reside on
the rfxn.com public web servers but instead backend development systems
located at my home. The project downloads on rfxn.com are synced from my
development system every 30 minutes with explicit delete/overwrite
enabled, such that if the rfxn.com server was ever trojaned or
compromised, the downloads data would be overwritten with clean
information within 30 minutes. Further, all content in the downloads
repository is md5 hashed and the development vs production downloads
copies are compared every 30 minutes as well, if issues are found an
alert is immediately dispatched to me and the download file is
automatically disabled until such time as I manually investigate/enable it
again.

Although there is no silver bullet, I feel confident in stating that the
downloads are well protected. I make great efforts in protecting the
rfxn.com downloads repository with both a secure server and secure
content distribution practices which together provide a high degree of
assurance. I will however add an option into 1.5 that allows the
disabling of automatic version updates.

Please let me know if you have any additional thoughts or concerns and I
will be glad to discuss them, thank you.

So if anybody has any thoughts or concerns, feel free to mail the author.
 
Nice to know that, thank you Richard.

By the way, has anybody tried integration of maldet into mod_security?

Here is a script /usr/local/maldetect/modsec.sh for live checking of files uploaded through Apache:

Code:
#!/bin/sh
# $1 is the temporary upload path that ModSecurity hands to the script
file="$1"
# quarantine hits, do not attempt cleaning, skip the ClamAV engine; --modsec gives ModSecurity-style output
cd /tmp ; /usr/local/maldetect/maldet --config-option quar_hits=1,quar_clean=0,clamav_scan=0 --modsec -a "$file"

If yes, how are results?
 
Maldet shows that it sent some files to quarantine folder, but when I checked, it has only .info files. Anyone see this too or just me? It happens in the latest update 1.4.2.
 
Any special names on those .info files? All the quarantine directories on our servers are empty.

No, the .info file name looks normal. Usually it's the original name followed by .scanid.info. It just doesn't have the affected files anymore.
 
I've tried today to install maldetect but I've got this error:

Code:
[root@srv01 src]# cd maldetect-1.4.2
[root@srv01 maldetect-1.4.2]# ./install.sh
Linux Malware Detect v1.4.1
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

imported config options from /usr/local/maldetect.last/conf.maldet
maldet(13825): {sigup} performing signature update check...
maldet(13825): {sigup} local signature set is version 201205035915
maldet(13825): {sigup} could not download signature data from server, please try again later.
[root@srv01 maldetect-1.4.2]#

I've tried many times, what's wrong?
 