• Linux Malware Detect (Maldet) On CentOS

    Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license that is designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

    Download, unpack and install the current release:

    cd /usr/local/src/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz && tar -xzvf maldetect-current.tar.gz && cd maldetect-* && sh install.sh



    Edit the configuration file:

    vi /usr/local/maldetect/conf.maldet

    You can edit the following values:

    • email_alert : If you would like to receive email alerts, set this to 1.
    • email_subj : Set your email subject here.
    • email_addr : Add your email address to receive malware alerts.
    • quar_hits : The default quarantine action for malware hits; it should be set to 1.
    • quar_clean : Cleaning of detected malware injections; must be set to 1.
    • quar_susp : The default suspend action for users with hits; set it as per your requirements.
    • quar_susp_minuid : Minimum user id that can be suspended.
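    As an added example (not LMD's own code and not part of the original post), the script below audits a conf.maldet against the values recommended above, including the quar_hits rule from the quarantine section later on. It assumes the key="value" line style that the daily cron job sources with ".", and the sample configuration it writes is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not LMD's own code): audit a conf.maldet against the
# settings recommended above. Assumes the key="value" line style that the
# daily cron job sources with "." (quotes optional, last definition wins).

# Print the value of KEY from FILE, or nothing if the key is never set.
conf_get() {
    local file="$1" key="$2"
    sed -n "s/^[[:space:]]*${key}=[\"']\{0,1\}\([^\"'#]*\).*/\1/p" "$file" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print one line per recommended key that is not set as advised, as
# "<key> <current-or-unset> <expected>"; prints nothing when all match.
maldet_conf_mismatches() {
    local file="$1" pair key want got
    for pair in email_alert=1 quar_hits=1 quar_clean=1; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_get "$file" "$key")
        [ "$got" = "$want" ] || echo "$key ${got:-unset} $want"
    done
    # alerts switched on with no recipient never reach anyone
    if [ "$(conf_get "$file" email_alert)" = 1 ] \
       && [ -z "$(conf_get "$file" email_addr)" ]; then
        echo "email_addr unset non-empty"
    fi
}

# Write a constructed sample conf.maldet (values invented for this demo).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample; the real file is /usr/local/maldetect/conf.maldet
email_alert="1"
email_addr=""
#quar_hits="1"
quar_hits="0"
quar_clean=1   # unquoted form also accepted
quar_susp="0"
quar_susp_minuid="500"
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
maldet_conf_mismatches "$sample"   # prints the quar_hits and email_addr findings
rm -f "$sample"
```

    Point it at /usr/local/maldetect/conf.maldet on a real host to see which of the recommended settings still need attention.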



    During installation, a daily cron job script is installed in /etc/cron.daily/maldet (the closing fi/done/else lines missing from the listing are restored here):

    #!/usr/bin/env bash
    export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
    export LMDCRON=1
    . /usr/local/maldetect/conf.maldet
    if [ -f "/usr/local/maldetect/conf.maldet.cron" ]; then
            . /usr/local/maldetect/conf.maldet.cron
    fi

    find=`which find 2> /dev/null`
    if [ "$find" ]; then
            # prune any quarantine/session/tmp data older than 7 days
            tmpdirs="/usr/local/maldetect/tmp /usr/local/maldetect/sess /usr/local/maldetect/quarantine /usr/local/maldetect/pub"
            for dir in $tmpdirs; do
             if [ -d "$dir" ]; then
              $find $dir -type f -mtime +7 -print0 | xargs -0 rm -f >> /dev/null 2>&1
             fi
            done
    fi

    if [ "$autoupdate_version" == "1" ] || [ "$autoupdate_signatures" == "1" ]; then
            # sleep for random 1-999s interval to better distribute upstream load
            sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
    fi

    if [ "$autoupdate_version" == "1" ]; then
            # check for new release version
            /usr/local/maldetect/maldet -d >> /dev/null 2>&1
    fi

    if [ "$autoupdate_signatures" == "1" ]; then
            # check for new definition set
            /usr/local/maldetect/maldet -u >> /dev/null 2>&1
    fi

    # if we're running inotify monitoring, send daily hit summary
    if [ "$(ps -A --user root -o "cmd" | grep maldetect | grep inotifywait)" ]; then
            /usr/local/maldetect/maldet --monitor-report >> /dev/null 2>&1
    else
            # otherwise run a background scan of the paths used by the detected control panel
            if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                    # ensim
                    /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ 1 >> /dev/null 2>&1
            elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                    # psa
                    /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/ 1 >> /dev/null 2>&1
            elif [ -d "/usr/local/directadmin" ]; then
                    # DirectAdmin
                    /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ 1 >> /dev/null 2>&1
            elif [ -d "/var/www/clients" ]; then
                    # ISPConfig
                    /usr/local/maldetect/maldet -b -r /var/www/clients/?/web?/web 1 >> /dev/null 2>&1
            elif [ -d "/etc/webmin/virtual-server" ]; then
                    # Virtualmin
                    /usr/local/maldetect/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ 1 >> /dev/null 2>&1
            elif [ -d "/usr/local/ispmgr" ]; then
                    # ISPmanager
                    /usr/local/maldetect/maldet -b -r /var/www/?/data/,/home/?/data/ 1 >> /dev/null 2>&1
            elif [ -d "/var/customers/webs" ]; then
                    # froxlor
                    /usr/local/maldetect/maldet -b -r /var/customers/webs/ 1 >> /dev/null 2>&1
            else
                    # cpanel, interworx and other standard home/user/public_html setups
                    /usr/local/maldetect/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ 1 >> /dev/null 2>&1
            fi
    fi


    You can run maldet as a daemon as follows. The example below shows the syntax for a comma-separated list of paths to monitor:

    maldet -m /var,/home


    To scan the files of a particular user:

    maldet -a /home/username/

    To scan all users' public_html paths under /home*/:

    maldet --scan-all /home?/?/public_html

    To scan the same path, but only content that has been created or modified in the last 5 days:

    maldet --scan-recent /home?/?/public_html 5


    Verify the scan report

    List all scan reports with their time and SCANID:

    maldet --report list

    Show the details of a specific report:

    maldet --report SCANID

    Show all scan details from the log file:

    grep "{scan}" /usr/local/maldetect/event_log

    Clean all malware results from a previous scan:

    maldet -n SCANID
    maldet --clean SCANID

    Quarantine all malware results from a previous scan:

    maldet -q SCANID

    Restore a file that you have already quarantined:

    maldet -s FILENAME
    maldet --restore FILENAME

    Automatically quarantine detected malware

    Please review this configuration variable in /usr/local/maldetect/conf.maldet:

    variable     value     description
    quar_hits    number    if the number is different from 0, enables automatic quarantine


    Ignore Files

    There are three ignore files available in Linux Malware Detect. These can be used to exclude files from daily malware scans.


    This is a line spaced file for paths that are to be excluded from search results



    This is a line spaced file for signatures that should be removed from file scanning



    This is a line spaced file for paths that are to be excluded from inotify monitoring


