How to Install and Configure maldet

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV.

To install LMD, download the package and run the enclosed install.sh script

Download maldetect package using wget

root@server[~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract the package and install it

root@server[~]# tar xfz maldetect-current.tar.gz
root@server[~]# cd maldetect-*
root@server[~]# ./install.sh

Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks 
            (C) 2011, Ryan MacDonald 
inotifywait (C) 2007, Rohan McGovern 
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(5206): {sigup} performing signature update check...
maldet(5206): {sigup} local signature set is version 201205035915
maldet(5206): {sigup} latest signature set already installed

Now that LMD is installed, you need to open the configuration file located at /usr/local/maldetect/conf.maldet (with your favorite editor ie vi,nano etc ). The configuration file is fully commented so you should be able to make out most options but lets take a moment to review the more important ones anyways.

email_alert

This is a top level toggle for the e-mail alert system, this must be turned on if you want to receive alerts.

email_addr

This is a comma spaced list of e-mail addresses that should receive alerts.

quar_hits

This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to original path, owner and permission using the –restore FILE option.

quar_clean

This tells LMD that it should try to clean malware that it has cleaner rules for, at the moment base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to original path, owner and permission.

quar_susp

Using this option allows LMD to suspend a user account that malware is found residing under. On CPanel systems this will pass the user to /scripts/suspendacct and add a comment with the maldet report command to the report that caused the users suspension (e.g: maldet –report SCANID). On non-cpanel systems, the users shell will be set to /bin/false.

quar_susp_minuid

This is the minimum user id that will be evaluated for suspension, the default should be fine on most systems.

The rest of the options in conf.maldet can be left as defaults unless you clearly understand what they do and how they may influence scan results and performance.

Usage & Manual Scans

The usage of LMD is very simple and there is a detailed –help output that provides common usage examples, I strongly recommend you check the –help output and spend a few minutes reviewing it.

The first thing most users are looking to do when they get LMD installed is to scan a certain path or series of paths.

[An important note is that LMD uses the ‘?’ character for wildcards instead of the ‘*’ char.]

In the below examples I will be using the long form flags but they are interchangeable with the short form flags (i.e: –scan-recent vs. -r).

If we wanted to scan all user public_html paths under /home*/ this can be done with:

root@server[~]# maldet –scan-all /home?/?/public_html

If you wanted to scan the same path but scope it to content that has been created/modified in the last 5 days you would run:

root@server[~]# maldet –scan-recent /home?/?/public_html 5

If you performed a scan but forget to turn on the quarantine option, you could quarantine all malware results from a previous scan with:

root@server[~]# maldet –quarantine SCANID

Similarly to the above, if you wanted to attempt a clean on all malware results from a previous scan that did not have the feature enabled, you would do so with:

root@server[~]# maldet –clean SCANID

If you had a file that was quarantined from a false positive or that you simply want to restore (i.e: you manually cleaned it), you can use the following:

root@server[~]# maldet –restore config.php.2384
root@server[~]# maldet –restore /usr/local/maldetect/quarantine/config.php.2384

Once again, I encourage you to fully review the –help output for details on all options and the README file for more details on how LMD operates.

You can also do the Daily scan by seetting the cron :-

Daily Scans

The cronjob installed by LMD is located at /etc/cron.daily/maldet and is used to perform a daily update of signatures, keep the session, temp and quarantine data to no more than 14d old and run a daily scan of recent file system changes.

The daily scan supports Ensim virtual roots or standard Linux /home*/user paths, such as Cpanel. The default is to just scan the web roots daily, which breaks down as /home*/*/public_html or on Ensim /home/virtual/*/fst/var/www/html and /home/virtual/*/fst/home/*/public_html.

Leave a comment