[How-To] Linux Malware Detect on Directadmin Powered server

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,855
Location
GMT +7.00
Description

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license and designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is derived from user submissions via the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they can also be easily exported to any number of detection tools such as ClamAV.

Installation (run as root)

Code:
cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd $(ls -1d maldetect-*/ | tail -1)
./install.sh
As soon as installation finishes you'll see something similar to:
Code:
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <proj@r-fx.org>
            (C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(19402): {sigup} performing signature update check...
maldet(19402): {sigup} local signature set is version 2012011929852
maldet(19402): {sigup} latest signature set already installed
Running as cron job

The file /etc/cron.daily/maldet no longer needs any modification for DirectAdmin compatibility; it supports DirectAdmin out of the box.

Manual scanning

To scan all files under /home/, run it as follows:
Code:
# maldet -a /home?/?/domains/?/public_html
or

Code:
# maldet -b -a /home?/?/domains/?/public_html
to run it in the background.

Keep in mind that some PHP shells may still go undetected by maldet.

The maldet website

http://www.rfxn.com/projects/linux-malware-detect/

Update (2019-06-26):

- Connect Virus Definitions from Malware.Experts (if you don't have ClamAV installed):

Code:
perl -pi -e 's#^import_custsigs_md5_url=.*#import_custsigs_md5_url="http://cdn.malware.expert/malware.expert.hdb"#' /usr/local/maldetect/conf.maldet
perl -pi -e 's#^import_custsigs_hex_url=.*#import_custsigs_hex_url="http://cdn.malware.expert/malware.expert.ndb"#' /usr/local/maldetect/conf.maldet


maldet -u

ls -la /usr/local/maldetect/sigs/custom.*.dat

- Connect Virus Definitions from Malware.Experts (with ClamAV installed):

Code:
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp" >> /etc/freshclam.conf


service freshclam restart


ls -la /usr/local/share/clamav/malware.expert.* /var/lib/clamav/malware.expert.*
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,463
[..]Note, /etc/cron.daily/maldet should be changed for compatibility with Directadmin's structure of homedirs:[..]
Thank you for a great How-To! I only like to mention that recently maldetect 1.4.2 was released, and it upgraded itself automatically on my servers, and when it upgraded automatically it did overwrite my customized cron at /etc/cron.daily/maldet and I lost my changes needed for DirectAdmin. So anybody else that has it set to upgrade automatically should now check this file.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,855
Location
GMT +7.00
You're welcome. I'm glad you like it. I wrote to the software developers in order to ask them to modify the crontab file, but did not get a reply from them.
 

Voland

Verified User
Joined
May 21, 2005
Messages
66
Just installed but can't run

# maldet /home?/?/domains/?/public_html
Linux Malware Detect v1.4.2
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 2013022610512
usage maldet [-h|--help] [-l|--log] [-e|--report] [-p|--purge] [-c|--checkout]
[-b|--background] [-m|--monitor] [-k|--kill-monitor] [-a|--scan-all] [-r|--scan-recent]
[-q|--quarantine] [-s|--restore] [-n|--clean] [-u|--update] [-d|--update-ver]
 

Arieh

Verified User
Joined
May 27, 2008
Messages
1,200
Location
The Netherlands
Two things I was wondering about: does it remove/change customer files when it detects a threat? And does it mail a report or something after the cron ran?

Thanks
 

bluebirdnet

Verified User
Joined
Feb 3, 2010
Messages
123
Location
Canada
Two things I was wondering about: does it remove/change customer files when it detects a threat? And does it mail a report or something after the cron ran?

Thanks
Going through docs now and running some tests. Yes it can be set to quarantine files and notifications are sent by email. You can change settings in conf file /usr/local/maldetect/conf.maldet
 

bluebirdnet

Verified User
Joined
Feb 3, 2010
Messages
123
Location
Canada
I've updated the guide, thank you.
Hi Alex,

I updated /etc/cron.daily/maldet with the Directadmin paths but when the scan runs it only scans /var/www/html/. So it seems to be skipping the next line.

At least I assume so, since there is no mention of it being scanned in the log. Running it manually works though.

Denny
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,855
Location
GMT +7.00
Hello,

Do you mean /usr/local/maldetect/sess/session.XXXXXX-XXXX.XXXXX files? Or not?
In the file /usr/local/maldetect/sess/session.last you can find ID of the last scan, but as we have two lines:

/usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
/usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1

it would mean running two sessions of maldet. And they are written into different files:

Code:
# ls -la /usr/local/maldetect/sess/session.031313-0405.*
-rw-r--r-- 1 root root 290 Mar 13 04:05 /usr/local/maldetect/sess/session.031313-0405.18517
-rw-r--r-- 1 root root 306 Mar 13 04:14 /usr/local/maldetect/sess/session.031313-0405.18550
Check this:

Code:
cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last)
You should see something like this:

Code:
[root@shared1 sess]# cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last)
malware detect scan report for host.server.com:
SCAN ID: 031313-0405.18550
TIME: Mar 13 04:14:28 +0700
PATH: /home*/*/domains/*/public_html
RANGE: 2 days
TOTAL FILES: 1700
TOTAL HITS: 0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
Prior to this file will be a session with:

Code:
malware detect scan report for host.server.com:
SCAN ID: 031313-0405.18517
TIME: Mar 13 04:05:56 +0700
PATH: /var/www/html/*/
RANGE: 2 days
TOTAL FILES: 10
TOTAL HITS: 0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
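The check walked through above, as an added example that is not part of the original post or of maldet itself: read the session reports in the sess directory and confirm that the second cron line (the /home scan) actually produced a session, then sum the hits and list the flagged files. SESS_DIR and the two sample reports are constructed; on a real server point SESS_DIR at /usr/local/maldetect/sess and drop the sample-writing part.

```shell
# Added example, not part of the how-to or of maldet itself: read the maldet
# session reports and check that the daily cron produced a scan of the
# DirectAdmin home path. SESS_DIR is an assumption; on a real server point
# it at /usr/local/maldetect/sess.
SESS_DIR="${SESS_DIR:-$(mktemp -d)}"
# Constructed sample reports in the format of the ones quoted above.
cat > "$SESS_DIR/session.031313-0405.18517" <<'EOF'
malware detect scan report for host.server.com:
SCAN ID: 031313-0405.18517
TIME: Mar 13 04:05:56 +0700
PATH: /var/www/html/*/
RANGE: 2 days
TOTAL FILES: 10
TOTAL HITS: 0
TOTAL CLEANED: 0
EOF
cat > "$SESS_DIR/session.031313-0405.18550" <<'EOF'
malware detect scan report for host.server.com:
SCAN ID: 031313-0405.18550
TIME: Mar 13 04:14:28 +0700
PATH: /home*/*/domains/*/public_html
RANGE: 2 days
TOTAL FILES: 1700
TOTAL HITS: 1
TOTAL CLEANED: 0
FILE HIT LIST:
{CAV}PHP.Hide : /home/user/domains/example.com/public_html/images/stories/gif.php
EOF
# field FILE KEY: value of the first "KEY: value" line in a report
field() { sed -n "s/^$2: //p" "$1" | head -n 1; }
# sessions_for_date MMDDYY: "PATH HITS" for every session of that day
sessions_for_date() {
  for f in "$SESS_DIR"/session."$1"-*; do
    [ -f "$f" ] || continue
    printf '%s %s\n' "$(field "$f" PATH)" "$(field "$f" 'TOTAL HITS')"
  done
}
# home_scan_ran MMDDYY: true if a session scanned the DirectAdmin home
# path that day (maldet prints the cron line's ? globs as * in PATH)
home_scan_ran() {
  sessions_for_date "$1" | grep -q '^/home\*/\*/domains/\*/public_html '
}
# total_hits MMDDYY: sum of TOTAL HITS over that day's sessions
total_hits() { sessions_for_date "$1" | awk '{ s += $NF } END { print s + 0 }'; }
# hit_files MMDDYY: files named under FILE HIT LIST, for follow-up
hit_files() {
  for f in "$SESS_DIR"/session."$1"-*; do
    [ -f "$f" ] && sed -n '/^FILE HIT LIST:/,$ s/^.* : //p' "$f"
  done
}
```

If home_scan_ran fails for today's date while /var/www/html sessions exist, the cron only ran its first line, which is exactly the situation discussed in this thread.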
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,855
Location
GMT +7.00
Two things I was wondering about: does it remove/change customer files when it detects a threat? And does it mail a report or something after the cron ran?

Thanks

Yes, it can be configured to fit your needs. For now we receive the following warnings:

Code:
malware detect scan report for server.domain.com:
SCAN ID: 031113-1404.32421
TIME: Mar 11 14:05:14 +0700
PATH: /home/username/domains/example.com/public_html
TOTAL FILES: 6627
TOTAL HITS: 1
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 031113-1404.32421
FILE HIT LIST:
{CAV}PHP.Hide : /home/user/domains/example.com/public_html/images/stories/gif.php
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >

A malicious PHP file was uploaded through a vulnerability of JCE/(F)CKeditor of a commonly used free CMS.
 

bluebirdnet

Verified User
Joined
Feb 3, 2010
Messages
123
Location
Canada
Hello,

Do you mean /usr/local/maldetect/sess/session.XXXXXX-XXXX.XXXXX files? Or not?
In the file /usr/local/maldetect/sess/session.last you can find ID of the last scan, but as we have two lines:

/usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
/usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1

it would mean running two sessions of maldet. And they are written into different files:

Code:
# ls -la /usr/local/maldetect/sess/session.031313-0405.*
-rw-r--r-- 1 root root 290 Mar 13 04:05 /usr/local/maldetect/sess/session.031313-0405.18517
-rw-r--r-- 1 root root 306 Mar 13 04:14 /usr/local/maldetect/sess/session.031313-0405.18550
Hi Alex,

No, I was checking in /usr/local/maldetect/event_log.

I have installed it on another server that has much more activity and clients and I am getting results now, so home drives are being scanned; it did find some issues!

thanks for your help!

Denny
 

wattie

Verified User
Joined
May 31, 2008
Messages
993
Location
Bulgaria
Just a quick note - FreeBSD users must change some files to start with "#!/usr/local/bin/bash" instead of "/usr/bin/bash" (both before and after installation). Everything else works fine.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
@Zeiter: I have the same problem as bluebirdnet.
I did the cat command you gave and this was the result:
Code:
malware detect scan report for server10.mydomain.nl:
SCAN ID: 031913-0402.19433
TIME: Mar 19 04:02:21 +0100
PATH: /var/www/html
RANGE: 2 days
TOTAL FILES: 2
TOTAL HITS: 0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
Then I went looking for the session files, but only these are present.
Code:
-rw-r--r-- 1 root root 284 Mar 19 15:45 session.031813-0402.8771
-rw-r--r-- 1 root root 285 Mar 19 15:45 session.031913-0402.19433
They both only contain /var/www/html so it seems on my server the second line does not run either.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Like I stated only /var/www/html present there:
Code:
malware detect scan report for server10.mydomain.nl:
SCAN ID: 031813-0402.8771
TIME: Mar 18 04:02:13 +0100
PATH: /var/www/html
RANGE: 2 days
TOTAL FILES: 1
TOTAL HITS: 0
TOTAL CLEANED: 0
And I used the maldet daily cronjob which was adjusted here in this thread. This is the part from it:
Code:
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi
fi
I just wonder: why must this be /home?/?/domains and not /home/?/domains? I don't understand the ? in /home.

I ran the cronjob again after the 1.42 upgrade I just did... it looks as if it's working now. I will report back.
 