Page 1 of 5 123 ... LastLast
Results 1 to 20 of 95

Thread: [How-To] Linux Malware Detect on Directadmin Powered server

  1. #1
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,476

    [How-To] Linux Malware Detect on Directadmin Powered server

    Description

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of detection tools such as ClamAV.

    Installation (run as root)

    Code:
    cd /usr/local/src
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -zxvf maldetect-current.tar.gz
    cd $(ls -1d maldetect-*/ | tail -1)
    ./install.sh
    As soon as installation finishes you'll see something similar to:
    Code:
    Linux Malware Detect v1.4.1
                (C) 2002-2011, R-fx Networks <proj@r-fx.org>
                (C) 2011, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL
    
    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet
    
    maldet(19402): {sigup} performing signature update check...
    maldet(19402): {sigup} local signature set is version 2012011929852
    maldet(19402): {sigup} latest signature set already installed
    Running as cron job

The file /etc/cron.daily/maldet no longer needs any modification for DirectAdmin compatibility. It supports DirectAdmin out of the box already.

    Manual scanning

To scan all files in /home/ you should run it as follows:
    Code:
    # maldet -a /home?/?/domains/?/public_html
    or

    Code:
    # maldet -b -a /home?/?/domains/?/public_html
to run it in the background.

Please consider that some PHP shells might still remain invisible to maldet.

    The maldet website

    http://www.rfxn.com/projects/linux-malware-detect/

    Update (2019-06-26):

    - Connect Virus Definitions from Malware.Experts (if you don't have ClamAV installed):

    Code:
    perl -pi -e 's#^import_custsigs_md5_url=.*#import_custsigs_md5_url="http://cdn.malware.expert/malware.expert.hdb"#' /usr/local/maldetect/conf.maldet
    perl -pi -e 's#^import_custsigs_hex_url=.*#import_custsigs_hex_url="http://cdn.malware.expert/malware.expert.ndb"#' /usr/local/maldetect/conf.maldet
    
    
    maldet -u
    
    ls -la /usr/local/maldetect/sigs/custom.*.dat

    - Connect Virus Definitions from Malware.Experts (with ClamAV installed):

    Code:
    echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb" >> /etc/freshclam.conf
    echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb" >> /etc/freshclam.conf
    echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb" >> /etc/freshclam.conf
    echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp" >> /etc/freshclam.conf
    
    
    service freshclam restart
    
    
    ls -la /usr/local/share/clamav/malware.expert.* /var/lib/clamav/malware.expert.*
    Last edited by zEitEr; 06-26-2019 at 12:23 AM. Reason: Actualized setup + Malware.Experts virus definitions connected
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook
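The two perl one-liners in the update section patch one key each. As an added example (not code from the thread or from the LMD project), here is a small idempotent setter that does the same for any key in conf.maldet, so the same approach covers the signature URLs as well as keys such as quar_hits and email_alert. It assumes conf.maldet keeps one key=value or key="value" setting per line, runs here against a constructed sample config rather than the real file, and the email_addr key name is assumed from LMD's configuration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the LMD project: an idempotent
# setter for key="value" lines in conf.maldet that generalises the perl -pi -e
# one-liners above to any key (e.g. quar_hits, email_alert). Point it at a copy
# of the config first to inspect the result before touching
# /usr/local/maldetect/conf.maldet.
# Assumption: conf.maldet keeps one key=value or key="value" setting per line.

# set_maldet_conf KEY VALUE FILE
# Rewrites the line that starts with KEY=, or appends KEY="VALUE" if no such
# line exists. Only one line per key is ever left in the file.
set_maldet_conf() {
    key=$1; value=$2; conf=$3
    tmp="${conf}.tmp.$$"
    if grep -q "^${key}=" "$conf"; then
        awk -v k="$key" -v v="$value" '
            index($0, k "=") == 1 { print k "=\"" v "\""; next }
            { print }
        ' "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# get_maldet_conf KEY FILE -> prints the value with surrounding quotes stripped
get_maldet_conf() {
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$2" | head -n 1
}

# Constructed sample config standing in for conf.maldet (not the real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample config, not the real conf.maldet
email_alert=0
quar_hits=0
import_custsigs_md5_url=""
import_custsigs_hex_url=""
EOF
}

# Worked run: apply the Malware.Expert URLs from the post, switch quarantine on
# and add an alert address (email_addr is assumed to be LMD's key name).
demo_conf() {
    make_sample_conf "$1"
    set_maldet_conf import_custsigs_md5_url "http://cdn.malware.expert/malware.expert.hdb" "$1"
    set_maldet_conf import_custsigs_hex_url "http://cdn.malware.expert/malware.expert.ndb" "$1"
    set_maldet_conf quar_hits 1 "$1"
    set_maldet_conf email_alert 1 "$1"
    set_maldet_conf email_addr "admin@example.com" "$1"   # absent in the sample: appended
}

# Stand-alone use: sh setconf.sh /tmp/conf.maldet.copy && cat /tmp/conf.maldet.copy
if [ -n "${1:-}" ]; then
    demo_conf "$1"
    cat "$1"
fi
```

After changing signature URLs the thread's own check still applies: run maldet -u and look for the custom.*.dat files in /usr/local/maldetect/sigs/.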

  2. #2
    Join Date
    Apr 2009
    Posts
    2,340
    Quote Originally Posted by zEitEr View Post
    [..]Note, /etc/cron.daily/maldet should be changed for compatibility with Directadmin's structure of homedirs:[..]
    Thank you for a great How-To! I only like to mention that recently maldetect 1.4.2 was released, and it upgraded itself automatically on my servers, and when it upgraded automatically it did overwrite my customized cron at /etc/cron.daily/maldet and I lost my changes needed for DirectAdmin. So anybody else that has it set to upgrade automatically should now check this file.

  3. #3
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,476
    You're welcome. I'm glad you like it. I wrote to the software developers in order to ask them to modify the crontab file, but did not get a reply from them.
    Regards, Alex G.


  4. #4
    Join Date
    May 2005
    Posts
    66
    Just installed but can't run

    # maldet /home?/?/domains/?/public_html
    Linux Malware Detect v1.4.2
    (C) 2002-2011, R-fx Networks <proj@r-fx.org>
    (C) 2011, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2

    signature set: 2013022610512
    usage maldet [-h|--help] [-l|--log] [-e|--report] [-p|--purge] [-c|--checkout]
    [-b|--background] [-m|--monitor] [-k|--kill-monitor] [-a|--scan-all] [-r|--scan-recent]
    [-q|--quarantine] [-s|--restore] [-n|--clean] [-u|--update] [-d|--update-ver]

  5. #5
    Join Date
    Jul 2005
    Posts
    2,007
    maldet -a /home?/?/domains/?/public_html

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,476
    I've updated the guide, thank you.
    Regards, Alex G.


  7. #7
    Join Date
    Feb 2010
    Location
    Canada
    Posts
    123
Thanks Alex, very good guide! This project looks great.
    -

  8. #8
    Join Date
    May 2008
    Location
    The Netherlands
    Posts
    1,185
    Two things I was wondering about: does it remove/change customer files when it detects a threat? And does it mail a report or something after the cron ran?

    Thanks

  9. #9
    Join Date
    Feb 2010
    Location
    Canada
    Posts
    123
    Quote Originally Posted by Arieh View Post
    Two things I was wondering about: does it remove/change customer files when it detects a threat? And does it mail a report or something after the cron ran?

    Thanks
    Going through docs now and running some tests. Yes it can be set to quarantine files and notifications are sent by email. You can change settings in conf file /usr/local/maldetect/conf.maldet
    -

  10. #10
    Join Date
    Feb 2010
    Location
    Canada
    Posts
    123
    Quote Originally Posted by zEitEr View Post
    I've updated the guide, thank you.
    Hi Alex,

    I updated /etc/cron.daily/maldet with the Directadmin paths but when the scan runs it only scans /var/www/html/. So it seems to be skipping the next line.

At least I assume so, since there is no mention of it being scanned in the log. Running it manually works, though.

    Denny

  11. #11
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,476
    Hello,

    Do you mean /usr/local/maldetect/sess/session.XXXXXX-XXXX.XXXXX files? Or not?
    In the file /usr/local/maldetect/sess/session.last you can find ID of the last scan, but as we have two lines:

    /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
    /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1

    it would mean running two sessions of maldet. And they are written into different files:

    Code:
    # ls -la /usr/local/maldetect/sess/session.031313-0405.*
    -rw-r--r-- 1 root root 290 Mar 13 04:05 /usr/local/maldetect/sess/session.031313-0405.18517
    -rw-r--r-- 1 root root 306 Mar 13 04:14 /usr/local/maldetect/sess/session.031313-0405.18550
    Check this:

    Code:
    cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last)
    You should see something like this:

    Code:
    [root@shared1 sess]# cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last)
    malware detect scan report for host.server.com:
    SCAN ID: 031313-0405.18550
    TIME: Mar 13 04:14:28 +0700
    PATH: /home*/*/domains/*/public_html
    RANGE: 2 days
    TOTAL FILES: 1700
    TOTAL HITS: 0
    TOTAL CLEANED: 0
    
    ===============================================
    Linux Malware Detect v1.4.2 < proj@rfxn.com >
Prior to this file there will be a session with:

    Code:
malware detect scan report for host.server.com:
    SCAN ID: 031313-0405.18517
    TIME: Mar 13 04:05:56 +0700
    PATH: /var/www/html/*/
    RANGE: 2 days
    TOTAL FILES: 10
    TOTAL HITS: 0
    TOTAL CLEANED: 0
    
    ===============================================
    Linux Malware Detect v1.4.2 < proj@rfxn.com >
    Regards, Alex G.


  12. #12
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,476
    Quote Originally Posted by Arieh View Post
    Two things I was wondering about: does it remove/change customer files when it detects a threat? And does it mail a report or something after the cron ran?

    Thanks

    Yes, it can be configured to fit your needs. For now we receive the following warnings:

    Code:
    malware detect scan report for server.domain.com:
    SCAN ID: 031113-1404.32421
    TIME: Mar 11 14:05:14 +0700
    PATH: /home/username/domains/example.com/public_html
    TOTAL FILES: 6627
    TOTAL HITS: 1
    TOTAL CLEANED: 0
    
    NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 031113-1404.32421
    FILE HIT LIST:
    {CAV}PHP.Hide : /home/user/domains/example.com/public_html/images/stories/gif.php
    ===============================================
    Linux Malware Detect v1.4.2 < proj@rfxn.com >

    A malicious PHP file was uploaded through a vulnerability of JCE/(F)CKeditor of a commonly used free CMS.
    Regards, Alex G.

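The session reports quoted in the two posts above share one layout: "KEY: value" header lines, an optional quarantine note, and a FILE HIT LIST of "signature : path" lines. As an added example (not code from the thread or from LMD), the following parses that layout so the daily cron can tell a clean scan from one with hits and mail only the latter, which is what Arieh's question about reports comes down to. The sample report is constructed here, modelled on the one in the post; its scan id, host name and second hit are made up, and mail(1) in the usage comment is assumed to be available.

```shell
#!/bin/sh
# Added example, not code from the thread or from LMD: parse a maldet session
# report (the "KEY: value" block quoted above) so the daily cron can decide
# whether a scan needs attention instead of someone reading
# /usr/local/maldetect/sess/session.* by hand.
# Assumption: the report layout is the one shown in the thread (header lines
# "KEY: value", then "FILE HIT LIST:" with "signature : path" lines).

# maldet_report_field FILE KEY -> prints the value of the "KEY: value" line
maldet_report_field() {
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# maldet_report_hit_paths FILE -> prints the path of each hit, one per line
maldet_report_hit_paths() {
    awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        /^=+$/            { inlist = 0 }
        inlist && / : /   { sub(/^.* : /, ""); print }
    ' "$1"
}

# maldet_report_summary FILE -> prints "SCANID hits=N quarantine=STATE";
# exit status 0 when the scan found nothing, 1 when it found hits
maldet_report_summary() {
    id=$(maldet_report_field "$1" "SCAN ID")
    hits=$(maldet_report_field "$1" "TOTAL HITS")
    if grep -q 'quarantine is disabled' "$1"; then q=disabled; else q=not-flagged; fi
    printf '%s hits=%s quarantine=%s\n' "$id" "${hits:-0}" "$q"
    [ "${hits:-0}" -eq 0 ]
}

# Constructed sample report modelled on the one quoted above; the scan id,
# host and second hit are made up, the first hit is the page's {CAV}PHP.Hide.
make_sample_report() {
    cat > "$1" <<'EOF'
malware detect scan report for server.example.com:
SCAN ID: 000000-0000.00000
TIME: Mar 11 14:05:14 +0700
PATH: /home/username/domains/example.com/public_html
TOTAL FILES: 6627
TOTAL HITS: 2
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 000000-0000.00000
FILE HIT LIST:
{CAV}PHP.Hide : /home/username/domains/example.com/public_html/images/stories/gif.php
{HEX}constructed.sample.sig : /home/username/domains/example.com/public_html/tmp/upload.php
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
EOF
}

# Stand-alone use on a live box (mail(1) assumed present), after the cron scan:
#   sess=/usr/local/maldetect/sess
#   last="$sess/session.$(cat "$sess/session.last")"
#   maldet_report_summary "$last" || maldet_report_hit_paths "$last" \
#       | mail -s "maldet hits on $(hostname)" root
if [ -n "${1:-}" ]; then
    maldet_report_summary "$1"
    maldet_report_hit_paths "$1"
fi
```

Because the function's exit status encodes the result, it drops straight into a cron line with `||`, and the hit list goes to the mail body so the recipient sees the paths without logging in. Note the point made in post #11: with two maldet lines in the cron, session.last only names the second session, so the first report has to be located by its own id.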

  13. #13
    Join Date
    May 2008
    Location
    The Netherlands
    Posts
    1,185
    Thank you zEitEr, looks really good.

  14. #14
    Join Date
    Feb 2010
    Location
    Canada
    Posts
    123
    Quote Originally Posted by zEitEr View Post
    Hello,

    Do you mean /usr/local/maldetect/sess/session.XXXXXX-XXXX.XXXXX files? Or not?
    In the file /usr/local/maldetect/sess/session.last you can find ID of the last scan, but as we have two lines:

    /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
    /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1

    it would mean running two sessions of maldet. And they are written into different files:

    Code:
    # ls -la /usr/local/maldetect/sess/session.031313-0405.*
    -rw-r--r-- 1 root root 290 Mar 13 04:05 /usr/local/maldetect/sess/session.031313-0405.18517
    -rw-r--r-- 1 root root 306 Mar 13 04:14 /usr/local/maldetect/sess/session.031313-0405.18550
    Hi Alex,

No, I was checking in /usr/local/maldetect/event_log.

I have installed it on another server that has much more activity and clients, and I am getting results now, so home drives are being scanned; it did find some issues!

    thanks for your help!

    Denny
    -

  15. #15
    Join Date
    May 2008
    Posts
    870
    Just a quick note - FreeBSD users must change some files to start with "#!/usr/local/bin/bash" instead of "/usr/bin/bash" (both before and after installation). Everything else works fine.

  16. #16
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,476
Instead of modifying the files, FreeBSD users might want to create a symlink.
    Regards, Alex G.


  17. #17
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,912
    @Zeiter: I have the same problem as bluebirdnet.
    I did the cat command you gave and this was the result:
    Code:
malware detect scan report for server10.mydomain.nl:
    SCAN ID: 031913-0402.19433
    TIME: Mar 19 04:02:21 +0100
    PATH: /var/www/html
    RANGE: 2 days
    TOTAL FILES: 2
    TOTAL HITS: 0
    TOTAL CLEANED: 0
    
    ===============================================
    Linux Malware Detect v1.4.2 < proj@rfxn.com >
    Then I went looking for the session files, but only these are present.
    Code:
    -rw-r--r-- 1 root root 284 Mar 19 15:45 session.031813-0402.8771
    -rw-r--r-- 1 root root 285 Mar 19 15:45 session.031913-0402.19433
    They both only contain /var/www/html so it seems on my server the second line does not run either.
    Greetings, Richard.

  18. #18
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,476
    And what is there in session.031813-0402.8771?
    Regards, Alex G.


  19. #19
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,912
    Like I stated only /var/www/html present there:
    Code:
    malware detect scan report for server10.mydomain.nl:
    SCAN ID: 031813-0402.8771
    TIME: Mar 18 04:02:13 +0100
    PATH: /var/www/html
    RANGE: 2 days
    TOTAL FILES: 1
    TOTAL HITS: 0
    TOTAL CLEANED: 0
And I used the maldet daily cronjob which was adjusted here in this thread. This is the part from it:
    Code:
    else
            # scan the last 2 days of file changes
            if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                    # ensim
                    /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
            elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                    # psa
                    /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
            elif [ -d "/usr/local/directadmin" ]; then
                    # DirectAdmin
                    /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
            else
                    # cpanel, interworx and other standard home/user/public_html setups
                    /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
            fi
    fi
I just wonder: why must this be /home?/?/domains and not /home/?/domains? I don't understand the ? in /home.

I ran the cronjob again after the 1.4.2 upgrade I just did... it looks as if it's working now. I will report back.
    Last edited by Richard G; 03-19-2013 at 12:08 PM.
    Greetings, Richard.
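The question about the ? in /home? can be answered from the thread itself: the session report in post #11 prints the scan path as /home*/*/domains/*/public_html, so maldet turns each ? into a * glob, and /home?/ therefore covers /home as well as /home2, /home3 and so on on servers with several home partitions, while /home/?/ would only ever cover /home. As an added example (a re-implementation of that expansion in sh, not maldet's own code), the following builds a constructed directory tree with two home partitions and shows which directories each pattern reaches.

```shell
#!/bin/sh
# Added example, not code from the thread or from LMD: shows what the "?" in
# the DirectAdmin scan path covers. The session report in post #11 prints the
# path as /home*/*/domains/*/public_html, i.e. maldet turns each "?" into a
# "*" glob, so /home?/ matches /home as well as /home2, /home3 ... on servers
# with several home partitions. The tree below is constructed for the demo.

# make_sample_tree ROOT -> constructed layout: two home partitions, one user each
make_sample_tree() {
    root=$1
    mkdir -p "$root/home/alice/domains/example.com/public_html" \
             "$root/home2/bob/domains/example.org/public_html" \
             "$root/home2/bob/domains/example.org/private_html" \
             "$root/var/www/html"
}

# expand_maldet_path ROOT PATTERN -> prints matching directories under ROOT,
# one per line, with ROOT stripped so the output reads like a server path
expand_maldet_path() {
    glob=$(printf '%s' "$2" | tr '?' '*')   # "?" -> "*", as the report shows
    for d in "$1"$glob; do                  # unquoted: let sh expand the glob
        if [ -d "$d" ]; then
            printf '%s\n' "${d#"$1"}"
        fi
    done
}

# Stand-alone demo: sh globdemo.sh demo
if [ "${1:-}" = "demo" ]; then
    root=$(mktemp -d)
    make_sample_tree "$root"
    echo "/home?/?/domains/?/public_html matches:"
    expand_maldet_path "$root" '/home?/?/domains/?/public_html'
    echo "/home/?/domains/?/public_html matches:"
    expand_maldet_path "$root" '/home/?/domains/?/public_html'
    rm -rf "$root"
fi
```

With the tree above the first pattern lists both users' public_html directories, the second only alice's, and private_html is never touched by either, which is why the cron line in the thread uses /home?/?/domains/?/public_html.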

  20. #20
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,912
    Yep... it's working OK now after the upgrade.
    Sorry for the inconvenience.
    Greetings, Richard.
