Linux Malware Detect (Maldet) On CentOS
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.
Installation
cd /usr/local/src/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz && tar -xzvf maldetect-current.tar.gz && cd maldetect-* && sh install.sh
Configuration
vi /usr/local/maldetect/conf.maldet
You can edit the following values:
- email_alert : Set to 1 if you would like to receive email alerts.
- email_subj : The subject line of the alert emails.
- email_addr : The email address that receives malware alerts.
- quar_hits : The default quarantine action for malware hits; it should be set to 1.
- quar_clean : Cleaning of detected malware injections; must be set to 1.
- quar_susp : The default suspend action for users with hits; set it as per your requirements.
- quar_susp_minuid : Minimum user id that can be suspended.
Cronjob
During installation, a daily cron job script is installed in
/etc/cron.daily/maldet
#!/usr/bin/env bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
export LMDCRON=1
. /usr/local/maldetect/conf.maldet
if [ -f "/usr/local/maldetect/conf.maldet.cron" ]; then
    . /usr/local/maldetect/conf.maldet.cron
fi

find=`which find 2> /dev/null`
if [ "$find" ]; then
    # prune any quarantine/session/tmp data older than 7 days
    tmpdirs="/usr/local/maldetect/tmp /usr/local/maldetect/sess /usr/local/maldetect/quarantine /usr/local/maldetect/pub"
    for dir in $tmpdirs; do
        if [ -d "$dir" ]; then
            $find $dir -type f -mtime +7 -print0 | xargs -0 rm -f >> /dev/null 2>&1
        fi
    done
fi

if [ "$autoupdate_version" == "1" ] || [ "$autoupdate_signatures" == "1" ]; then
    # sleep for random 1-999s interval to better distribute upstream load
    sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
fi

if [ "$autoupdate_version" == "1" ]; then
    # check for new release version
    /usr/local/maldetect/maldet -d >> /dev/null 2>&1
fi

if [ "$autoupdate_signatures" == "1" ]; then
    # check for new definition set
    /usr/local/maldetect/maldet -u >> /dev/null 2>&1
fi

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "cmd" | grep maldetect | grep inotifywait)" ]; then
    /usr/local/maldetect/maldet --monitor-report >> /dev/null 2>&1
else
    if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
        # ensim
        /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ 1 >> /dev/null 2>&1
    elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
        # psa
        /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/ 1 >> /dev/null 2>&1
    elif [ -d "/usr/local/directadmin" ]; then
        # DirectAdmin
        /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ 1 >> /dev/null 2>&1
    elif [ -d "/var/www/clients" ]; then
        # ISPConfig
        /usr/local/maldetect/maldet -b -r /var/www/clients/?/web?/web 1 >> /dev/null 2>&1
    elif [ -d "/etc/webmin/virtual-server" ]; then
        # Virtualmin
        /usr/local/maldetect/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ 1 >> /dev/null 2>&1
    elif [ -d "/usr/local/ispmgr" ]; then
        # ISPmanager
        /usr/local/maldetect/maldet -b -r /var/www/?/data/,/home/?/data/ 1 >> /dev/null 2>&1
    elif [ -d "/var/customers/webs" ]; then
        # froxlor
        /usr/local/maldetect/maldet -b -r /var/customers/webs/ 1 >> /dev/null 2>&1
    else
        # cpanel, interworx and other standard home/user/public_html setups
        /usr/local/maldetect/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ 1 >> /dev/null 2>&1
    fi
fi
You can also run maldet as a monitoring daemon. The example below shows the syntax for a comma-separated list of paths to monitor:
maldet -m /var,/home
Usage
To scan the files of a particular user:
maldet -a /home/username/
To scan all users' public_html paths under /home*/:
maldet --scan-all /home?/?/public_html
To scan the same path but the content that has been created/modified in the last 5 days:
maldet --scan-recent /home?/?/public_html 5
Verify the scan report
List all scan reports time and SCANID:
maldet --report list
Show a specific report details :
maldet --report SCANID
Show all scan details from log file:
grep "{scan}" /usr/local/maldetect/event_log
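The grep above only lists the raw {scan} lines. As an added example (not from this post or from the LMD project), the POSIX shell script below turns such lines into a per-path hit summary and a non-zero exit status when any scan reported hits, which is handy as a cron alert. The log line layout and the sample lines are constructed assumptions modelled on LMD's event_log; adjust the sed pattern if your version logs differently.

```shell
#!/bin/sh
# Added example, not part of the original post or of LMD itself.
# Summarise "{scan} scan completed" entries from an LMD-style event_log.

# Constructed sample log standing in for /usr/local/maldetect/event_log.
# The line format is an assumption; check it against your own event_log.
SAMPLE_LOG="$(cat <<'EOF'
Jan 05 03:12:41 web1 maldet(2231): {scan} scan of /home?/?/public_html (812 files) in progress...
Jan 05 03:13:07 web1 maldet(2231): {scan} scan completed on /home?/?/public_html: files 812, malware hits 2, cleaned hits 0, time 26s
Jan 05 03:13:07 web1 maldet(2231): {scan} scan report saved, to view run: maldet --report 250105-0313.2231
Jan 06 03:12:22 web1 maldet(3119): {scan} scan completed on /var/www/html: files 144, malware hits 0, cleaned hits 0, time 4s
Jan 07 03:12:30 web1 maldet(4006): {scan} scan completed on /home?/?/public_html: files 815, malware hits 1, cleaned hits 1, time 27s
EOF
)"

# Read log text on stdin; print "path hits cleaned" for every completed scan.
completed_scans() {
    sed -n 's/.*{scan} scan completed on \(.*\): files [0-9]*, malware hits \([0-9]*\), cleaned hits \([0-9]*\),.*/\1 \2 \3/p'
}

# Total malware hits over all completed scans in the log text on stdin.
total_hits() {
    completed_scans | awk '{ s += $2 } END { print s + 0 }'
}

# Paths for which some completed scan reported hits that were not cleaned.
uncleaned_paths() {
    completed_scans | awk '$2 > $3 { print $1 }' | sort -u
}

# Return 0 when the given log text has no hits, 1 otherwise (cron-friendly).
check_log() {
    hits=$(printf '%s\n' "$1" | total_hits)
    [ "$hits" -eq 0 ]
}

printf '%s\n' "$SAMPLE_LOG" | completed_scans
printf 'total hits: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | total_hits)"
printf 'paths with uncleaned hits: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | uncleaned_paths)"
```

On a real host, feed it `cat /usr/local/maldetect/event_log` instead of the sample text.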
Clean all malware results from a previous scan
maldet -n SCANID
maldet --clean SCANID
To quarantine, rather than clean, every hit from that report:
maldet -q SCANID
Restore a file that you have already quarantined
maldet -s FILENAME
maldet --restore FILENAME
Automatically quarantine detected malware
Please review these configuration variables in /usr/local/maldetect/conf.maldet:
variable    value    description
quar_hits   number   if the number is different than 0, enables automatic quarantine
Ignore Files
There are three ignore files available in Linux Malware Detect. These can be used to exclude files from daily malware scans.
ignore_paths
This is a line-spaced file for paths that are to be excluded from search results:
/usr/local/maldetect/ignore_paths
ignore_sigs
This is a line-spaced file for signatures that should be removed from file scanning:
/usr/local/maldetect/ignore_sigs
ignore_inotify
This is a line-spaced file for paths that are to be excluded from inotify monitoring:
/usr/local/maldetect/ignore_inotify