[How-To] Linux Malware Detect on Directadmin Powered server

zEitEr

Description

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of detection tools such as ClamAV.

Installation (run as root)

Code:
cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd $(ls -1d maldetect-*/ | tail -1)
./install.sh

As soon as installation finishes you'll see something similar to:
Code:
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <[email protected]>
            (C) 2011, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(19402): {sigup} performing signature update check...
maldet(19402): {sigup} local signature set is version 2012011929852
maldet(19402): {sigup} latest signature set already installed

Running as cron job

The file /etc/cron.daily/maldet no longer needs any modification for DirectAdmin compatibility. It supports DirectAdmin out of the box already.

Manual scanning

To scan all files in /home/ you should run it as follows:
Code:
# maldet -a /home?/?/domains/?/public_html

or

Code:
# maldet -b -a /home?/?/domains/?/public_html

in the background.

Please consider that some PHP shells might still remain invisible to maldet.

The maldet website

http://www.rfxn.com/projects/linux-malware-detect/

Update (2019-06-26):

- Connect Virus Definitions from Malware.Experts (if you don't have ClamAV installed):

Code:
perl -pi -e 's#^import_custsigs_md5_url=.*#import_custsigs_md5_url="http://cdn.malware.expert/malware.expert.hdb"#' /usr/local/maldetect/conf.maldet
perl -pi -e 's#^import_custsigs_hex_url=.*#import_custsigs_hex_url="http://cdn.malware.expert/malware.expert.ndb"#' /usr/local/maldetect/conf.maldet


maldet -u

ls -la /usr/local/maldetect/sigs/custom.*.dat


- Connect Virus Definitions from Malware.Experts (with ClamAV installed):

Code:
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp" >> /etc/freshclam.conf


service freshclam restart


ls -la /usr/local/share/clamav/malware.expert.* /var/lib/clamav/malware.expert.*
 
[..]Note, /etc/cron.daily/maldet should be changed for compatibility with Directadmin's structure of homedirs:[..]

Thank you for a great How-To! I would only like to mention that maldetect 1.4.2 was recently released; it upgraded itself automatically on my servers, and when it did so it overwrote my customized cron at /etc/cron.daily/maldet, so I lost my changes needed for DirectAdmin. So anybody else that has it set to upgrade automatically should now check this file.
 
You're welcome. I'm glad you like it. I wrote to the software developers in order to ask them to modify the crontab file, but did not get a reply from them.
 
Just installed but can't run

# maldet /home?/?/domains/?/public_html
Linux Malware Detect v1.4.2
(C) 2002-2011, R-fx Networks <[email protected]>
(C) 2011, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 2013022610512
usage maldet [-h|--help] [-l|--log] [-e|--report] [-p|--purge] [-c|--checkout]
[-b|--background] [-m|--monitor] [-k|--kill-monitor] [-a|--scan-all] [-r|--scan-recent]
[-q|--quarantine] [-s|--restore] [-n|--clean] [-u|--update] [-d|--update-ver]
 
Two things I was wondering about: does it remove/change customer files when it detects a threat? And does it mail a report or something after the cron ran?

Thanks
 
Two things I was wondering about: does it remove/change customer files when it detects a threat? And does it mail a report or something after the cron ran?

Thanks

Going through docs now and running some tests. Yes it can be set to quarantine files and notifications are sent by email. You can change settings in conf file /usr/local/maldetect/conf.maldet
 
I've updated the guide, thank you.

Hi Alex,

I updated /etc/cron.daily/maldet with the Directadmin paths but when the scan runs it only scans /var/www/html/. So it seems to be skipping the next line.

At least I assume so, since there is no mention of it being scanned in the log. Running it manually works though.

Denny
 
Hello,

Do you mean /usr/local/maldetect/sess/session.XXXXXX-XXXX.XXXXX files? Or not?
In the file /usr/local/maldetect/sess/session.last you can find the ID of the last scan, but as we have two lines:

/usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
/usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1

it would mean running two sessions of maldet. And they are written into different files:

Code:
# ls -la /usr/local/maldetect/sess/session.031313-0405.*
-rw-r--r-- 1 root root 290 Mar 13 04:05 /usr/local/maldetect/sess/session.031313-0405.18517
-rw-r--r-- 1 root root 306 Mar 13 04:14 /usr/local/maldetect/sess/session.031313-0405.18550

Check this:

Code:
cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last)

You should see something like this:

Code:
[root@shared1 sess]# cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last)
malware detect scan report for host.server.com:
SCAN ID: 031313-0405.18550
TIME: Mar 13 04:14:28 +0700
PATH: /home*/*/domains/*/public_html
RANGE: 2 days
TOTAL FILES: 1700
TOTAL HITS: 0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.4.2 < [email protected] >

Prior to this file there will be a session with:

Code:
malware detect scan report for host.server.com:
SCAN ID: 031313-0405.18517
TIME: Mar 13 04:05:56 +0700
PATH: /var/www/html/*/
RANGE: 2 days
TOTAL FILES: 10
TOTAL HITS: 0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.4.2 < [email protected] >
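To check what the daily cron actually covered, here is an added helper script (not from this thread or the LMD project) that reads session reports in the format shown above, verifies that the DirectAdmin public_html path appears among the scanned PATH values, and totals the hits. The two reports it builds are constructed samples in a scratch directory, and the function names are my own.

```shell
#!/bin/sh
# Helpers to read LMD session reports (the format shown above) and check
# that the daily cron actually scanned the DirectAdmin home path.
# Print the value of a "KEY: value" line from one report file.
lmd_field() {            # $1 = report file, $2 = field name, e.g. "TOTAL HITS"
    sed -n "s/^$2: //p" "$1" | head -n 1
}
# Print the PATH of every given report, one per line.
lmd_scanned_paths() {
    for f in "$@"; do lmd_field "$f" PATH; done
}
# Succeed if at least one report scanned exactly the expected PATH string.
# Note the reports show the cron's "?" wildcards as "*".
lmd_path_covered() {     # $1 = expected PATH, $2.. = report files
    want="$1"; shift
    lmd_scanned_paths "$@" | grep -Fxq -- "$want"
}
# Sum TOTAL HITS across the given reports.
lmd_total_hits() {
    total=0
    for f in "$@"; do
        hits=$(lmd_field "$f" "TOTAL HITS")
        total=$((total + ${hits:-0}))
    done
    echo "$total"
}
# Constructed sample reports (not real scan output), one per cron line.
LMD_SESS_DIR=$(mktemp -d)
cat > "$LMD_SESS_DIR/session.031313-0405.18517" <<'EOF'
malware detect scan report for host.server.com:
SCAN ID: 031313-0405.18517
PATH: /var/www/html/*/
TOTAL FILES: 10
TOTAL HITS: 0
EOF
cat > "$LMD_SESS_DIR/session.031313-0405.18550" <<'EOF'
malware detect scan report for host.server.com:
SCAN ID: 031313-0405.18550
PATH: /home*/*/domains/*/public_html
TOTAL FILES: 1700
TOTAL HITS: 1
EOF
lmd_path_covered '/home*/*/domains/*/public_html' "$LMD_SESS_DIR"/session.* \
    || echo "WARNING: no session covered the DirectAdmin home path" >&2
echo "total hits: $(lmd_total_hits "$LMD_SESS_DIR"/session.*)"
```

On a real server, point the functions at /usr/local/maldetect/sess/session.* instead of the scratch directory.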
 
Two things I was wondering about: does it remove/change customer files when it detects a threat? And does it mail a report or something after the cron ran?

Thanks


Yes, it can be configured to fit your needs. For now we receive the following warnings:

Code:
malware detect scan report for server.domain.com:
SCAN ID: 031113-1404.32421
TIME: Mar 11 14:05:14 +0700
PATH: /home/username/domains/example.com/public_html
TOTAL FILES: 6627
TOTAL HITS: 1
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 031113-1404.32421
FILE HIT LIST:
{CAV}PHP.Hide : /home/user/domains/example.com/public_html/images/stories/gif.php
===============================================
Linux Malware Detect v1.4.2 < [email protected] >


A malicious PHP file was uploaded through a vulnerability of JCE/(F)CKeditor of a commonly used free CMS.
 
Hello,

Do you mean /usr/local/maldetect/sess/session.XXXXXX-XXXX.XXXXX files? Or not?
In the file /usr/local/maldetect/sess/session.last you can find the ID of the last scan, but as we have two lines:

/usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
/usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1

it would mean running two sessions of maldet. And they are written into different files:

Code:
# ls -la /usr/local/maldetect/sess/session.031313-0405.*
-rw-r--r-- 1 root root 290 Mar 13 04:05 /usr/local/maldetect/sess/session.031313-0405.18517
-rw-r--r-- 1 root root 306 Mar 13 04:14 /usr/local/maldetect/sess/session.031313-0405.18550

Hi Alex,

No, I was checking in /usr/local/maldetect/event_log.

I have installed it on another server that has much more activity and clients, and I am getting results now, so home drives are being scanned; it did find some issues!

thanks for your help!

Denny
 
Just a quick note - FreeBSD users must change some files to start with "#!/usr/local/bin/bash" instead of "/usr/bin/bash" (both before and after installation). Everything else works fine.
 
@Zeiter: I have the same problem as bluebirdnet.
I did the cat command you gave and this was the result:
Code:
malware detect scan report for server10.mydomain.nl:
SCAN ID: 031913-0402.19433
TIME: Mar 19 04:02:21 +0100
PATH: /var/www/html
RANGE: 2 days
TOTAL FILES: 2
TOTAL HITS: 0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.4.2 < [email protected] >

Then I went looking for the session files, but only these are present.
Code:
-rw-r--r-- 1 root root 284 Mar 19 15:45 session.031813-0402.8771
-rw-r--r-- 1 root root 285 Mar 19 15:45 session.031913-0402.19433
They both only contain /var/www/html so it seems on my server the second line does not run either.
 
Like I stated, only /var/www/html is present there:
Code:
malware detect scan report for server10.mydomain.nl:
SCAN ID: 031813-0402.8771
TIME: Mar 18 04:02:13 +0100
PATH: /var/www/html
RANGE: 2 days
TOTAL FILES: 1
TOTAL HITS: 0
TOTAL CLEANED: 0

And I used the maldet daily cronjob which was adjusted here in this thread. This is the part from it:
Code:
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi
fi

I just wonder: why must this be /home?/?/domains and not /home/?/domains? I don't understand the ? in /home.

I ran the cronjob again after the 1.42 upgrade I just did... it looks as if it's working now. I will report back.
 