[How-To] Linux Malware Detect on Directadmin Powered server

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Try running the update manually from console (ssh) and see what happens:
Code:
/usr/local/maldetect/maldet -u
Do you also get the error that the signature cannot be downloaded? If not, maybe it's a firewall issue?
 

RickDeckard

Verified User
Joined
Mar 18, 2011
Messages
65
Try running the update manually from console (ssh) and see what happens:
Code:
/usr/local/maldetect/maldet -u
Tried

PHP:
[root@srv01 maldetect-1.4.2]# /usr/local/maldetect/maldet -u
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19218): {sigup} performing signature update check...
maldet(19218): {sigup} local signature set is version 201205035915
maldet(19218): {sigup} could not download signature data from server, please try again later.
[root@srv01 maldetect-1.4.2]#
:(
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Seems you either have a problem with the outgoing connection to that server, our for some reason your ip is blocked on the maldet server or something else is happening with the connection or download.
I presume you've got wget installed and correct rights on it.

I think you best can write an email to the author. I've contacted him in the past, he seems like a nice guy. I'm sure you both can fix the problem.
 

RickDeckard

Verified User
Joined
Mar 18, 2011
Messages
65
Thanks for your reply, i've just updated both Centos and Custombuild on my server withouth problems, so wget work correctly.
I'm writing to maldetect author.
 

RickDeckard

Verified User
Joined
Mar 18, 2011
Messages
65
Now on process monitor, sometimes i've this message:

PHP:
28468	root	25	0	59296	50m	472	S	15.7	0.6	44:04.87	/bin/bash /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2
11324	root	25	0	24472	3304	1300	R	11.8	0.0	0:00.06	/usr/bin/perl /usr/local/maldetect/hexfifo.pl
I've not set any cron, how to disable maldetect until setup process is done correctly?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
I got a problem with maldat notification.
We scan the user folders every night by using a batchfile. Now it seems a user got infected, but we did not get any message about it.
When I do a manual scan, I have to look at the log and then see the malware infection.

As I remember from before, you could disable notify's and you only got notified when something was found. I just looked in conf.maldat but can't find the option anymore. So I had to enable all notifications again.
Is that correct or am I missing something or doing something wrong?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Changing the config seems to have fixed it. Odd though, because there was an option before.

Next question, this is the line to scan:
Code:
maldet -a /home?/?/domains/?/public_html
Is there also a line to scan and clean the same time?
I tried with "maldat -an" and "maldet -a -n" but that does not work. However, when you look at the results after a scan, it says "cleaned 0" which gives the impression that it must be possible to scan and clean at the same time.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Seems something change again.
On 2 of my servers, suddenly the crontab is renamed from maldet to maldet_pub.
The content is changed from the full content to only this:
Code:
*/10 * * * * root /usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1
Seems something is not the way it should be, I never set something up like this running every 10 minutes.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
Richard,

You might need to check /etc/cron.daily/maldet but not /etc/cron.d/maldet_pub
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
LoL Oeps... you are right. Thank you for pointing it out to me.

However, 1 of the accounts was infected and I did not get an email from maldet about it.
Still I have email_alert=1 in conf.maldet.
Any clues on why this was not send?
 

donkeyKICK

Verified User
Joined
Jul 24, 2007
Messages
416
When I try to set the monitoring I try the following code:
Code:
maldet --monitor users
However, what I get is:
maldet(12981): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
inotify_log is empty

Any suggestions?
 
Last edited:

Arieh

Verified User
Joined
May 27, 2008
Messages
1,200
Location
The Netherlands
When I try to set the monitoring I try the following code:
Code:
maldet --monitor users
However, what I get is:

inotify_log is empty

Any suggestions?
Just testing this thing out, had the same. You can fix it with yum install glibc.i686


Also, the steps in the first post of this topic are not necessary anymore as far as I can see, the files are modified like that when you download it.
 

Tan

New member
Joined
Jan 7, 2014
Messages
2
whitelist maldet

i have som files encode by base64. they not malware.
how to add the file to white list of maldet?
thanks!
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Since the new version I still got the problem that no emails are send not even when enabling the option to also send mail when nothing is found, and I'm not the only one.
I also wrote the coder about this problem a couple of days ago, but until now there was no reply.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
There were some posts here discussing a possible Plugin for maldet, which would enablre admins to automate detection, removal, and notificaiton to users of detection of, malware. it's all been moved here (Plugin for maldet ).

Jeff
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
That plugin is not ready yet. At this moment, Maldetect is not sending out mail when infected files are found.
Any other way to fix this?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Seems to me there is a bug in maldetect.
If quar_hits=0 it should only report, not disinfect. But it does not report, so this is a bug.
If quar_hits=1 it reports and disinfects.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
Did you try to remove the whole directory of maldet and reinstall it? I don't use quarantine (quar_hits=0) and still get email alerts.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
I did that some time ago, but I will try it again on one server. It that works I'll try the other server too.

Oeps... hope they come back online soon:
HTTP request sent, awaiting response... 502 Bad Gateway
2014-11-22 22:55:25 ERROR 502: Bad Gateway.
 
Last edited:

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Maldetect is not scanning all users files on the nightly scan!!

A virus program in Wordpress detected a virus and I got a mail about it. Now I wondered why Maldetect did not notice it and investigated.
Now this happens on a nightly scan watch the number of files:
Jan 21 03:34:40 server18 maldet(11048): {scan} found ClamAV clamscan binary, using as scanner engine...
Jan 21 03:34:40 server18 maldet(11048): {scan} scan of /home*/*/domains/*/public_html (7451 files) in progress...
Jan 21 03:34:49 server18 maldet(11048): {scan} scan completed on /home*/*/domains/*/public_html: files 7451, malware hits 0, cleaned hits 0
Seems oke, no malware hits found.
But I did not trust it and did a manual Maldetect scan just to be sure and look what happens look again at the number of files:
maldet(9726): {scan} signatures loaded: 13714 (11813 MD5 / 1901 HEX)
maldet(9726): {scan} building file list for /home/user/domains/userdomain.nl/public_html/, this might take awhile...
maldet(9726): {scan} file list completed, found 6737 files...
maldet(9726): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(9726): {scan} scan of /home/user/domains/userdomain.nl/public_html/ (6737 files) in progress...
maldet(9726): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(9726): {scan} scan completed on /home/user/domains/userdomain.nl/public_html/: files 6737, malware hits 2, cleaned hits 0
maldet(9726): {scan} scan report saved, to view run: maldet --report 012115-1537.9726
This is the result in the email I got from the manual scan:
{HEX}gzbase64.inject.unclassed.15 : /home/user/domains/userdomain.nl/public_html/footer.php
Same goes for functions.php.

As you can see there are 2 issues now, but in fact there are 3 issues.
1.) There IS malware found, which is indeed present in 2 files on that domain which was not found on the automatic scan.

2.) A manual scan finds 6737 files in my domain only, but on the server scan it says there are only 7451 files present? This can't be true, because I'm sure of a couple of domains which have minimum over 3000 files themselves. So the real amount of files should be lots more.
And with this test it has nothting to do with depth, because I placed those to "infected" files in my public_html folder, so the automatic (cronjob) scan should have found them in any case.

3.) There are 2 files, named functions.php and footer.php which come from a free wordpress theme. After some investigations it seems that ALL free themes coming from http://www.freewordpressthemes4u.com/ are encrypted in base64 and Maldetect sees them as malware infected. In fact these are false positives.
I wrote an email about this to the creators of Maldetect, but until now (7 days later) no answer yet and I don't expect to get any answer either.

So I got 2 questions now.
A.) The major problem is ofcourse issue 1 and 2. How can this be fixed so automatic scan detects the same what manual scan is detecting?

B.) As far as I could see there is no possibility to exclude specific files from scanning. There will be more users making use of these free Wordpress themes, because they are nice, and lots of them will not go and try do decrypt them, so all Maldetect users will encounter this issue eventually.
Is there a way to avoid these false positives in the future, so users can use these free themes, which are in fact not infected?
 
Last edited:
Top