• Linux Malware Detect (Maldet) On CentOS

    Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license that is designed around the threats faced in shared hosting environments. It uses threat data from network-edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

    Installation

    cd /usr/local/src/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz && tar -xzvf maldetect-current.tar.gz && cd maldetect-* && sh install.sh

    Configuration

    vi /usr/local/maldetect/conf.maldet

    You can edit the following values:

    • email_alert : Set to 1 if you would like to receive email alerts.
    • email_subj : The subject line of the alert emails.
    • email_addr : The email address that receives malware alerts.
    • quar_hits : The default quarantine action for malware hits; it should be set to 1.
    • quar_clean : Cleaning of detected malware injections; it should be set to 1.
    • quar_susp : The default suspend action for users with hits; set it as your environment requires.
    • quar_susp_minuid : The minimum user id that can be suspended.
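    The values above can also be set from a script and read back, which is easier to audit than editing with vi. The following is an added example, not code from the original post or from the LMD project. It assumes conf.maldet holds one KEY="VALUE" (or KEY=VALUE) assignment per line, which is the layout of /usr/local/maldetect/conf.maldet; the sample file it builds, the address admin@example.com and the subject text are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of the LMD project:
# set conf.maldet values from a script and read them back, so the change
# can be verified instead of assumed.
# Assumes one KEY="VALUE" (or KEY=VALUE) assignment per line, as in
# /usr/local/maldetect/conf.maldet; values containing |, & or \ are not
# handled by the sed expressions below.

# set_conf_value FILE KEY VALUE: replace the existing assignment of KEY,
# or append one if the key is absent. Idempotent: running it twice leaves
# exactly one assignment.
set_conf_value() {
    local file="$1" key="$2" value="$3" tmp
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp)
        # write through cat so the file keeps its owner and mode
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_value FILE KEY: print the value of KEY without surrounding quotes
# (the last assignment wins, matching how the shell sources the file).
get_conf_value() {
    local file="$1" key="$2"
    sed -n "s|^${key}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$file" | tail -n 1
}

# apply_post_settings FILE ADDRESS: the settings recommended in this post:
# email alerts on, quarantine and clean on, alerts sent to ADDRESS.
apply_post_settings() {
    local file="$1" addr="$2"
    set_conf_value "$file" email_alert 1
    set_conf_value "$file" email_subj "Malware alert on $(hostname 2>/dev/null || echo unknown-host)"
    set_conf_value "$file" email_addr "$addr"
    set_conf_value "$file" quar_hits 1
    set_conf_value "$file" quar_clean 1
}

# Demo on a constructed stand-in for conf.maldet (on a real host pass
# /usr/local/maldetect/conf.maldet to apply_post_settings instead).
demo_conf=$(mktemp)
printf 'email_alert="0"\nemail_addr="you@domain.com"\nquar_hits="0"\nquar_clean="0"\nquar_susp="0"\n' > "$demo_conf"
apply_post_settings "$demo_conf" admin@example.com
for key in email_alert email_subj email_addr quar_hits quar_clean quar_susp; do
    printf '%-12s = %s\n' "$key" "$(get_conf_value "$demo_conf" "$key")"
done
rm -f "$demo_conf"
```

    Reading every key back after writing is the point: a typo in a key name would otherwise append a new, ignored assignment while the original setting stays at 0.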

    Cronjob

    During installation, a daily cron job script is installed as /etc/cron.daily/maldet:

    #!/usr/bin/env bash
    export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
    export LMDCRON=1
    . /usr/local/maldetect/conf.maldet
    if [ -f "/usr/local/maldetect/conf.maldet.cron" ]; then
            . /usr/local/maldetect/conf.maldet.cron
    fi
    find=`which find 2> /dev/null`
    if [ "$find" ]; then
            # prune any quarantine/session/tmp data older than 7 days
            tmpdirs="/usr/local/maldetect/tmp /usr/local/maldetect/sess /usr/local/maldetect/quarantine /usr/local/maldetect/pub"
            for dir in $tmpdirs; do
             if [ -d "$dir" ]; then
              $find $dir -type f -mtime +7 -print0 | xargs -0 rm -f >> /dev/null 2>&1
             fi
            done
    fi
    
    if [ "$autoupdate_version" == "1" ] || [ "$autoupdate_signatures" == "1" ]; then
            # sleep for random 1-999s interval to better distribute upstream load
            sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
    fi
    
    if [ "$autoupdate_version" == "1" ]; then
            # check for new release version
            /usr/local/maldetect/maldet -d >> /dev/null 2>&1
    fi
    
    if [ "$autoupdate_signatures" == "1" ]; then
            # check for new definition set
            /usr/local/maldetect/maldet -u >> /dev/null 2>&1
    fi
    
    # if we're running inotify monitoring, send daily hit summary
    if [ "$(ps -A --user root -o "cmd" | grep maldetect | grep inotifywait)" ]; then
            /usr/local/maldetect/maldet --monitor-report >> /dev/null 2>&1
    else
            if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                    # ensim
                    /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ 1 >> /dev/null 2>&1
            elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                    # psa
                    /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/ 1 >> /dev/null 2>&1
            elif [ -d "/usr/local/directadmin" ]; then
                    # DirectAdmin
                    /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ 1 >> /dev/null 2>&1
            elif [ -d "/var/www/clients" ]; then
                    # ISPConfig
                    /usr/local/maldetect/maldet -b -r /var/www/clients/?/web?/web 1 >> /dev/null 2>&1
            elif [ -d "/etc/webmin/virtual-server" ]; then
                    # Virtualmin
                    /usr/local/maldetect/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ 1 >> /dev/null 2>&1
            elif [ -d "/usr/local/ispmgr" ]; then
                    # ISPmanager
                    /usr/local/maldetect/maldet -b -r /var/www/?/data/,/home/?/data/ 1 >> /dev/null 2>&1
            elif [ -d "/var/customers/webs" ]; then
                    # froxlor
                    /usr/local/maldetect/maldet -b -r /var/customers/webs/ 1 >> /dev/null 2>&1
            else
                    # cpanel, interworx and other standard home/user/public_html setups
                    /usr/local/maldetect/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ 1 >> /dev/null 2>&1
            fi
    fi

    You can also run maldet as a monitoring daemon as follows. The example below shows the syntax for a comma-separated list of paths to monitor:

    maldet -m /var,/home
    

    Usage

    To scan the files of a particular user:

    maldet -a /home/username/

    To scan all users' public_html paths under /home*/:

    maldet --scan-all /home?/?/public_html

    To scan the same paths, but only content that has been created or modified in the last 5 days:

    maldet --scan-recent /home?/?/public_html 5

    Verify the scan report

    List all scan reports with their time and SCANID:

    maldet --report list

    Show the details of a specific report:

    maldet --report SCANID

    Show all scan details from log file:

    grep "{scan}" /usr/local/maldetect/event_log
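    The grep above returns every {scan} line; for a daily review it is more useful to reduce the log to one row per completed scan and keep only those that found malware. The following is an added example, not code from the original post or from the LMD project. It assumes the event_log line layout of "... maldet(PID): {scan} scan completed on PATH: files N, malware hits N, ..." followed by a "{scan} scan report saved, to view run: maldet --report SCANID" line; the log lines written by constructed_sample_log, including the host name web01 and the scan ids, are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of the LMD project:
# turn the {scan} lines of event_log into one summary row per completed
# scan (SCANID, hits, files, path) and list only the scans that found
# malware, so a nightly cron scan with hits is noticed even when email
# alerts are off. The line layout is assumed from typical LMD output; the
# sample lines in constructed_sample_log are made up.

# summarize_scans FILE: print "SCANID<TAB>hits<TAB>files<TAB>path" for
# every "scan completed" event. A completed scan with no report line gets
# "-" as its id.
summarize_scans() {
    awk '
        function flush() {
            if (pending) {
                printf "%s\t%s\t%s\t%s\n", id, hits, files, path
                pending = 0
            }
        }
        / scan completed on / {
            flush()
            line = $0
            sub(/.* scan completed on /, "", line)
            path = line;  sub(/: files .*/, "", path)
            files = line; sub(/.*files /, "", files); sub(/,.*/, "", files)
            hits = line;  sub(/.*malware hits /, "", hits); sub(/,.*/, "", hits)
            id = "-"; pending = 1
            next
        }
        pending && /maldet --report / { id = $NF; flush() }
        END { flush() }
    ' "$1"
}

# scans_with_hits FILE: only the rows whose hit count is above zero.
scans_with_hits() {
    summarize_scans "$1" | awk -F'\t' '$2 > 0'
}

# count_scans_with_hits FILE: number of such scans (0 when the log is clean).
count_scans_with_hits() {
    scans_with_hits "$1" | wc -l | tr -d ' '
}

# constructed_sample_log FILE: write made-up event_log lines to FILE.
constructed_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 03:12:01 web01 maldet(4021): {scan} scan of /home?/?/public_html (312 files) in progress...
Jan 10 03:12:44 web01 maldet(4021): {scan} scan completed on /home?/?/public_html: files 312, malware hits 0, cleaned hits 0, time 43s
Jan 10 03:12:44 web01 maldet(4021): {scan} scan report saved, to view run: maldet --report 240110-0312.4021
Jan 11 03:12:02 web01 maldet(5177): {scan} scan completed on /var/www/html/: files 88, malware hits 2, cleaned hits 0, time 12s
Jan 11 03:12:02 web01 maldet(5177): {scan} scan report saved, to view run: maldet --report 240111-0312.5177
EOF
}

# Demo on the constructed sample; on a real host pass
# /usr/local/maldetect/event_log to scans_with_hits instead.
sample=$(mktemp)
constructed_sample_log "$sample"
echo "scans with hits: $(count_scans_with_hits "$sample")"
scans_with_hits "$sample"
rm -f "$sample"
```

    The first column of each row is the SCANID, so it can be fed straight to maldet --report SCANID or maldet -q SCANID from the commands below.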

    Clean all malware results from a previous scan:

    maldet -n SCANID
    maldet --clean SCANID

    Quarantine all malware results from a previous scan (note that -q quarantines rather than cleans: the hits are moved into the quarantine directory):

    maldet -q SCANID

    Restore a file that you have already quarantined:

    maldet -s FILENAME
    maldet --restore FILENAME

    Automatically quarantine detected malware

    Review this configuration variable in /usr/local/maldetect/conf.maldet:

    variable     value     description
    quar_hits    number    if the number is different from 0, automatic quarantine is enabled

    Ignore Files

    There are three ignore files available in Linux Malware Detect. They can be used to exclude files from daily malware scans.

    ignore_paths

    This is a line-separated file (one entry per line) of paths that are to be excluded from scan results:

    /usr/local/maldetect/ignore_paths

    ignore_sigs

    This is a line-separated file (one entry per line) of signatures that should be excluded from file scanning:

    /usr/local/maldetect/ignore_sigs

    ignore_inotify

    This is a line-separated file (one entry per line) of paths that are to be excluded from inotify monitoring:

    /usr/local/maldetect/ignore_inotify