shell scanner

[..] Note: /etc/cron.daily/maldet should be changed for compatibility with DirectAdmin's homedir structure:

Code:
#!/bin/bash

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi
fi

After I replaced the content of /etc/cron.daily/maldet with your edited version above, it gives this error by email every night:

Code:
Anacron job 'cron.daily' on server.name.com

/etc/cron.daily/maldet:
/etc/cron.daily/maldet: line 1: !/bin/bash: No such file or directory
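The error quoted here comes from the first line of the file reading `!/bin/bash` instead of `#!/bin/bash`, so the shell tries to run `!/bin/bash` as a command. As an added example that is not part of this thread and not maldet's own code, a POSIX sh preflight check for any script dropped into /etc/cron.daily, catching that class of mistake before anacron reports it; the sample file contents at the bottom are constructed:

```shell
#!/bin/sh
# Added example (not from the thread or from the maldet project): preflight
# checks for a script placed in /etc/cron.daily. Every check is one reason
# run-parts/anacron would fail or skip the file.

# preflight_cron_script FILE
# Prints one "FAIL: ..." line per problem found and returns 1 if any was found.
preflight_cron_script() {
    f=$1
    rc=0

    if [ ! -f "$f" ]; then
        echo "FAIL: $f does not exist"
        return 1
    fi

    # 1. run-parts only executes files with the execute bit set
    if [ ! -x "$f" ]; then
        echo "FAIL: $f is not executable (chmod 0755 $f)"
        rc=1
    fi

    # 2. the first line must be a shebang; a bare "!/bin/bash" is exactly
    #    what produces "line 1: !/bin/bash: No such file or directory"
    first=$(head -n 1 "$f")
    case $first in
        '#!'*) ;;
        *) echo "FAIL: first line is '$first', expected a '#!' shebang"; rc=1 ;;
    esac

    # 3. the interpreter named by the shebang must exist and be executable
    interp=$(printf '%s\n' "$first" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -n "$interp" ] && [ ! -x "$interp" ]; then
        echo "FAIL: interpreter $interp not found"
        rc=1
    fi

    # 4. CRLF line endings turn "#!/bin/bash<CR>" into an unknown interpreter
    if ! tr -d '\r' < "$f" | cmp -s - "$f"; then
        echo "FAIL: file contains CR line endings (run dos2unix)"
        rc=1
    fi

    # 5. syntax check without executing anything (shell interpreters only)
    case $interp in
        */sh|*/bash|*/dash|*/ksh)
            if [ -x "$interp" ] && ! "$interp" -n "$f" 2>/dev/null; then
                echo "FAIL: $interp -n reports a syntax error"
                rc=1
            fi
            ;;
    esac

    return $rc
}

# Demonstration on a constructed file with the broken first line from the
# thread; the maldet call inside it is never executed, only checked.
demo=$(mktemp)
printf '!/bin/bash\n/usr/local/maldetect/maldet -u >> /dev/null 2>&1\n' > "$demo"
chmod 0755 "$demo"
preflight_cron_script "$demo" || echo "preflight failed, as expected for this file"
rm -f "$demo"
```

Running `preflight_cron_script /etc/cron.daily/maldet` after editing the file is enough to catch the shebang, permission and syntax problems that otherwise only surface in the nightly anacron mail.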
 
Wow, I feel stupid. You are right, I did miss the # at the start of the first line. Thanks a lot!
 
Just a note: the cron.daily line should be changed to match any domain of any user: /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html
As in the command posted a little later.

Regards
 
Is that a question?

If you want you can run this from a shell:

Code:
/usr/local/maldetect/maldet -r /home?/?/domains/?/public_html 60

It will scan the files modified within the last 60 days, and 60 days is the maximum allowed by this software.
 
Yes.. I did not correctly read your /etc/cron.daily/maldet file; I thought there was a wrong command not matching the DirectAdmin specs :)

Regards
 
There is also another crontab created in /etc/cron.d called maldet_pub.

It says this:

Code:
*/10 * * * * root /usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1
What does the --mkpubpaths do?

It says this:
Given that the maldetect installation path is owned by user root, we either need to set a pub
path world writable (777) or populate the pub path with user owned paths. It was undesirable
to set any path world writable and as such a feature to populate path data was created. This
feature is controlled with the --mkpubpaths flag and is executed from cron every 10 minutes,
it will only execute if the public_scan variable is enabled in conf.maldet. As such, it is
important to make sure the public_scan variable is set to enabled (1) in conf.maldet and it is
advised to run 'maldet --mkpubpaths' manually to prepopulate the user paths. Thereafter, the
cron will ensure new users have paths created no later than 10 minutes after creation.
But I don't understand that completely (I'm not English).
Prepopulate the users' paths? Are things created in the users' public_html paths or something? Or am I misunderstanding?
 
No, it only checks the pub directory in the maldetect installation path and changes its permissions if needed.

Related to

# Allow non-root users to perform malware scans. This must be
# enabled when using mod_security2 upload scanning or if you
# want to allow users to perform scans. When enabled, this will
# populate the /usr/local/maldetect/pub/ path with user owned
# quarantine, session and temporary paths to facilitate scans.
# These paths are populated through cron every 10min with the
# /etc/cron.d/maldet_pub cronjob.
public_scan=0

from /usr/local/maldetect/conf.maldet
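What the README excerpt and the conf.maldet comment above describe is a per-user layout under the pub path in place of one world-writable (777) directory. As an added illustration, not maldet's own --mkpubpaths implementation, the script below builds that layout in a constructed temporary root and then audits the tree for world-writable directories, the shortcut the text rejects. The subdirectory names quarantine/sess/tmp follow the conf.maldet comment; the helper names, the 0750 mode and the user names are assumptions:

```shell
#!/bin/sh
# Added example (not maldet's code): per-user scan paths under a pub root,
# plus an audit for world-writable directories. All paths are constructed.

# is_world_writable PATH -> succeeds if "others" have the write bit
# (9th character of `ls -ld` output, portable across GNU and BSD ls)
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# audit_world_writable ROOT
# Prints every world-writable directory under ROOT; returns 1 if any exist.
audit_world_writable() {
    hits=$(find "$1" -type d | while IFS= read -r d; do
        is_world_writable "$d" && printf '%s\n' "$d"
    done)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_user_scan_paths ROOT USER
# Creates ROOT/USER/{quarantine,sess,tmp} with mode 0750 so only that user
# (and the owning group) can write there. chown needs root and an existing
# account, so it is only attempted when both hold; otherwise the directories
# are created with the caller's ownership, which is enough for the audit.
make_user_scan_paths() {
    root=$1
    user=$2
    for sub in quarantine sess tmp; do
        d="$root/$user/$sub"
        mkdir -p "$d"
        chmod 0750 "$d"
        if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
            chown "$user" "$d"
        fi
    done
    chmod 0750 "$root/$user"
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown "$user" "$root/$user"
    fi
}

# Demonstration in a constructed temporary pub root: two users get private
# paths, then a "legacy" 777 directory is added to show what the audit flags.
PUB_ROOT=$(mktemp -d)
chmod 0755 "$PUB_ROOT"            # traversable by everyone, writable by root only
make_user_scan_paths "$PUB_ROOT" alice
make_user_scan_paths "$PUB_ROOT" bob
audit_world_writable "$PUB_ROOT" && echo "clean: no world-writable paths"
mkdir -p "$PUB_ROOT/legacy"
chmod 0777 "$PUB_ROOT/legacy"     # the shortcut the maldet text avoids
audit_world_writable "$PUB_ROOT" || echo "audit flagged the 777 directory"
rm -rf "$PUB_ROOT"
```

Run `audit_world_writable /usr/local/maldetect/pub` on a live installation to confirm that enabling public_scan did not leave any directory open to all users.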
 