How to install Malware Detect on Linux

Linux Malware Detect (LMD) is a malware scanner that scans for, detects and removes malware on your Linux server. It is especially useful for web servers used for shared hosting, since that is where you tend to find many old and outdated scripts that can get infected. I implement Malware Detect on every web server that I install.

LMD uses MD5 file hashes and HEX pattern matches as signatures. These signatures are built from malware data delivered by intrusion prevention systems (IPSes), community data, ClamAV and user submissions. Keep in mind what each signature type can and cannot do: an MD5 signature only matches a file that is byte-for-byte identical to a known sample, so a single changed byte evades it, while a HEX signature matches a byte pattern inside the file and therefore survives small edits. In this lesson I want to show you how to install LMD.
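To make the difference between the two signature types concrete, here is an added shell example (my illustration, not code from the lesson or from LMD, and not the format of LMD's md5.dat or hex.dat): a harmless constructed file stands in for an infected script, its MD5 goes into a constructed signature list, and a second copy with one appended byte shows that the MD5 signature no longer fires while a HEX byte pattern still does.

```shell
#!/bin/bash
# Added example (not part of the original lesson or of LMD): why LMD carries
# both signature types. An MD5 signature matches only an identical file; a HEX
# signature matches a byte pattern anywhere in the file.
# The "malware" is a harmless constructed text file, the signature lists are
# constructed here, and the formats are NOT those of LMD's md5.dat/hex.dat.

# Dump a file (or stdin) as space-separated hex bytes: " 3c 3f 70 68 70 ... "
# Keeping the separators prevents a pattern from matching across byte
# boundaries (a nibble-misaligned false positive).
to_hex() {
    od -An -tx1 -v "$@" | tr -s ' \n' ' '
}

# Convert an ASCII string to the same spaced-hex form, without outer spaces.
str_to_hex() {
    printf '%s' "$1" | to_hex | sed 's/^ //; s/ $//'
}

# md5_sig_match FILE SIGLIST: success if the file's MD5 appears in SIGLIST
# (one lowercase hex digest per line).
md5_sig_match() {
    local hash
    hash=$(md5sum "$1" | cut -d' ' -f1)
    grep -qxF "$hash" "$2"
}

# hex_sig_match FILE HEXSIG: success if the spaced-hex pattern occurs in FILE.
hex_sig_match() {
    to_hex "$1" | grep -qF " $2 "
}

# Build the constructed sample in DIR: a harmless stand-in for an infected PHP
# file, a second copy with one extra byte, and signature lists derived from
# the first copy.
demo_setup() {
    local dir=$1
    printf '<?php /* sample: eval(base64_decode( */ echo "hello"; ?>\n' > "$dir/shell.php"
    { cat "$dir/shell.php"; printf ' '; } > "$dir/shell_modified.php"   # one appended space
    md5sum "$dir/shell.php" | cut -d' ' -f1 > "$dir/md5.sigs"
    str_to_hex 'eval(base64_decode(' > "$dir/hex.sig"
}

demo_dir=$(mktemp -d)
demo_setup "$demo_dir"
hexsig=$(cat "$demo_dir/hex.sig")
for f in shell.php shell_modified.php; do
    md5_sig_match "$demo_dir/$f" "$demo_dir/md5.sigs" && m=hit || m=miss
    hex_sig_match "$demo_dir/$f" "$hexsig"             && h=hit || h=miss
    echo "$f: MD5 signature $m, HEX signature $h"
done
rm -rf "$demo_dir"
```

The modified copy differs by a single trailing space, which is enough to change its MD5; this is exactly why an MD5-only scanner misses trivially re-packed web shells and why the HEX set matters.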

Let’s start by downloading the latest version and installing LMD. Note that this download is over plain HTTP, so nothing authenticates the tarball in transit; if the mirror offers HTTPS, use that instead:

[root@VPS1 ~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--2013-04-18 20:49:53--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
Resolving www.rfxn.com... 129.121.132.46
Connecting to www.rfxn.com|129.121.132.46|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 811434 (792K) [application/x-gzip]
Saving to: “maldetect-current.tar.gz”

100%[======================================>] 811,434     1.08M/s   in 0.7s    

2013-04-18 20:49:54 (1.08 MB/s) - “maldetect-current.tar.gz” saved [811434/811434] 

Let’s extract it now:

[root@VPS1 ~]# tar -xzvf maldetect-current.tar.gz

Once it’s done, change into the extracted folder and run the installer:

[root@VPS1 ~]# cd maldetect-1.4.2
[root@VPS1 maldetect-1.4.2]# ./install.sh 
Linux Malware Detect v1.4.1
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(10805): {sigup} performing signature update check...
maldet(10805): {sigup} local signature set is version 201205035915
maldet(10805): {sigup} new signature set (2013041816820) available
maldet(10805): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(10805): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(10805): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(10805): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(10805): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(10805): {sigup} signature set update completed
maldet(10805): {sigup} 11203 signatures (9335 MD5 / 1868 HEX)

LMD installs itself in the folder shown above and immediately fetches the latest signatures. (The installer banner still prints v1.4.1, but maldet --update-ver below reports v1.4.2, which matches the tarball name.) It also installs a daily cron script that updates LMD and its signatures and scans a number of folders for malware. You can also check for a new version manually:

[root@VPS1 ~]# maldet --update-ver
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(11341): {update} checking for available updates...
maldet(11341): {update} hashing install files and checking against server...
maldet(11341): {update} latest version already installed.

Above you see how to update to the latest version of Malware Detect using the --update-ver (or -d) parameter. We can also update the signatures ourselves:

[root@VPS1 ~]# maldet --update
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(11417): {sigup} performing signature update check...
maldet(11417): {sigup} local signature set is version 2013041816820
maldet(11417): {sigup} latest signature set already installed

Using the --update (or -u) parameter you get the latest signatures. This is how you scan a certain folder:

[root@VPS1 ~]# maldet -a /var/www/vhosts/some-website-you-dont-trust.com/httpdocs/
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(11525): {scan} signatures loaded: 11203 (9335 MD5 / 1868 HEX)
maldet(11525): {scan} building file list for /var/www/vhosts/some-website-you-dont-trust.com/httpdocs/, this might take awhile...
maldet(11525): {scan} file list completed, found 7292 files...
maldet(11525): {scan} 51/7292 files scanned: 0 hits 0 cleaned

Run maldet -a (short for --scan-all) followed by a path to scan everything under that folder; it reports any malware it detects. The cron script below uses -r (--scan-recent) with a number of days instead, which only scans files modified within that many days and is much cheaper on a large document root.

It’s also possible to receive an e-mail notification when LMD detects malware. If you want this, edit the conf.maldet file:

[root@VPS1 ~]# vim /usr/local/maldetect/conf.maldet

This is the section that you should edit:

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=0

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="you@domain.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0
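The same change as a script, for servers you set up repeatedly. This is an added example, not code from the lesson or from LMD; it only rewrites the three keys shown above in a file you point it at and checks the result by reading the file back, and the demo at the bottom runs on a constructed copy of that section rather than on /usr/local/maldetect/conf.maldet.

```shell
#!/bin/bash
# Added example (not part of the original lesson or of LMD): enable the
# e-mail alerts from a script instead of in vim, touching only the keys shown
# in the lesson (email_alert, email_addr, email_ignore_clean) and verifying
# the result.
# Usage: lmd_enable_mail_alerts /usr/local/maldetect/conf.maldet you@domain.com[,other@domain.com]

# lmd_get_key FILE KEY: print the value of KEY=... (first uncommented match).
lmd_get_key() {
    sed -n "s/^$2=//p" "$1" | head -n1
}

# lmd_set_key FILE KEY VALUE: replace the value of an existing KEY= line.
# Anchored at line start, so the commented explanations above each key are
# left alone; the file is rewritten in place to keep its owner and mode.
lmd_set_key() {
    local file=$1 key=$2 value=$3
    grep -q "^$key=" "$file" || { echo "$key not found in $file" >&2; return 1; }
    sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" &&
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

lmd_enable_mail_alerts() {
    local conf=$1 addr=$2
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    case "$addr" in
        *@*) ;;
        *) echo "address needs an @: $addr" >&2; return 1 ;;
    esac
    # The address list goes into a sed replacement, so allow only the
    # characters an address list needs (this also rejects sed metacharacters).
    case "$addr" in
        *[!A-Za-z0-9@._+,-]*) echo "unexpected character in address list: $addr" >&2; return 1 ;;
    esac
    cp -p "$conf" "$conf.bak"       # keep the original to diff against or roll back
    lmd_set_key "$conf" email_alert 1 &&
    lmd_set_key "$conf" email_addr "\"$addr\"" &&
    lmd_set_key "$conf" email_ignore_clean 0 || return 1
    # Re-read the file rather than trusting the edit.
    [ "$(lmd_get_key "$conf" email_alert)" = 1 ] &&
    [ "$(lmd_get_key "$conf" email_addr)" = "\"$addr\"" ]
}

# Constructed copy of the [ EMAIL ALERTS ] section from the lesson, so the
# function can be tried without touching a real installation.
lmd_sample_conf() {
    cat > "$1" <<'EOF'
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=0

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="you@domain.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0
EOF
}

demo_conf=$(mktemp)
lmd_sample_conf "$demo_conf"
lmd_enable_mail_alerts "$demo_conf" "admin@example.com,oncall@example.com"
grep '^email_' "$demo_conf"
rm -f "$demo_conf" "$demo_conf.bak"
```

Point it at the real conf.maldet as root and keep the .bak it writes until the first alert has actually arrived; the address whitelist is there because conf.maldet is sourced as shell by maldet, so you do not want arbitrary input landing in it.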

Change email_alert to 1 and enter your e-mail address (several addresses are separated by commas). The alerts are handed to the server’s local mail setup, so you need a working MTA for them to arrive. Last but not least, let’s take a look at the script that LMD copied to the cron.daily folder:

[root@VPS1 ~]# vim /etc/cron.daily/maldet
#!/bin/bash

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if were running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi

        # scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2 >> /dev/null 2>&1
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2 >> /dev/null 2>&1
        fi
fi

This script purges quarantine, session and temporary data older than 336 hours (14 days), checks for a new LMD release (-d), updates the signature files (-u) and then scans, in the background (-b), the web document roots for files changed in the last 2 days (-r ... 2). When inotify real-time monitoring is running it skips those scans and only mails the daily hit summary. The folder structures of the most popular control panels have been added: Ensim, Plesk (psa), DirectAdmin, cPanel and InterWorx, plus the default Apache docroots. One caveat: tmpwatch is a Red Hat/CentOS tool and does not exist on Debian or Ubuntu (the equivalent package there is tmpreaper), and because all errors go to /dev/null the quarantine would simply never be purged on those systems.

Once LMD has detected some malware this is what you will receive in your inbox:

malware detect scan report for VPS1.MYWEBSERVER.LOCAL:
SCAN ID: 030213-0405.22001
TIME: Mar  2 04:06:08 +0100
PATH: /var/www/vhosts/*/httpdocs
RANGE: 2 days
TOTAL FILES: 2909
TOTAL HITS: 1
TOTAL CLEANED: 0

FILE HIT LIST:
{CAV}PHP.Hide : /var/www/vhosts/malwarewebsite.com/httpdocs/images/stories/imageshoot.gif => /usr/local/maldetect/quarantine/imageshoot.gif.19815
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >

LMD moves infected files to the quarantine folder, or cleans them when it can, only if quarantining is enabled in conf.maldet (quar_hits=1); the default is to alert only, in which case you quarantine the hits of a finished scan afterwards with maldet -q SCANID. Either way, quarantine is containment rather than a fix: notify the webmaster so that he/she can clean the website, find out how the file got there and update all installed scripts to the latest versions.
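If you receive these reports for many servers, you will want to triage them by script. Below is an added example (not code from the lesson or from LMD) that parses the report layout shown above with awk and sed; the embedded sample is the lesson’s report with TOTAL HITS raised to 2 and one constructed, un-quarantined hit with a hypothetical signature name added, so both kinds of hit line are exercised.

```shell
#!/bin/bash
# Added example (not part of the original lesson or of LMD): pull the
# actionable facts out of a maldet scan report so the mail can be triaged by
# a script (ticketing, SIEM forwarding) instead of read by eye. It follows the
# report layout shown in the lesson.

# lmd_report_field FILE "TOTAL HITS": print the value of a header line.
lmd_report_field() {
    sed -n "s/^$2: *//p" "$1" | head -n1
}

# lmd_report_hits FILE: one line per hit as  signature<TAB>file<TAB>quarantine
# (quarantine is empty when the hit was only reported, not moved).
lmd_report_hits() {
    awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        /^=+$/            { inlist = 0 }
        inlist && NF {
            line = $0
            sig = line; sub(/ : .*$/, "", sig)          # "{CAV}PHP.Hide"
            sub(/^[^ ]* : /, "", line)                  # drop the signature
            quar = ""
            if (index(line, " => ")) {
                quar = line; sub(/^.* => /, "", quar)   # quarantine path
                sub(/ => .*$/, "", line)                # original path
            }
            printf "%s\t%s\t%s\n", sig, line, quar
        }' "$1"
}

# lmd_report_uncleaned FILE: TOTAL HITS minus TOTAL CLEANED, i.e. the hits
# that still need a human even if they were quarantined.
lmd_report_uncleaned() {
    local hits cleaned
    hits=$(lmd_report_field "$1" "TOTAL HITS")
    cleaned=$(lmd_report_field "$1" "TOTAL CLEANED")
    echo $(( ${hits:-0} - ${cleaned:-0} ))
}

# Sample report: the lesson's report with TOTAL HITS raised to 2. The second
# hit line is constructed for this example (hypothetical signature name) and
# shows an un-quarantined hit.
lmd_sample_report() {
    cat > "$1" <<'EOF'
malware detect scan report for VPS1.MYWEBSERVER.LOCAL:
SCAN ID: 030213-0405.22001
TIME: Mar  2 04:06:08 +0100
PATH: /var/www/vhosts/*/httpdocs
RANGE: 2 days
TOTAL FILES: 2909
TOTAL HITS: 2
TOTAL CLEANED: 0

FILE HIT LIST:
{CAV}PHP.Hide : /var/www/vhosts/malwarewebsite.com/httpdocs/images/stories/imageshoot.gif => /usr/local/maldetect/quarantine/imageshoot.gif.19815
{HEX}php.cmdshell.generic : /var/www/vhosts/malwarewebsite.com/httpdocs/tmp/upload.php
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
EOF
}

demo=$(mktemp)
lmd_sample_report "$demo"
echo "scan $(lmd_report_field "$demo" 'SCAN ID') on $(lmd_report_field "$demo" PATH): $(lmd_report_uncleaned "$demo") hit(s) not cleaned"
lmd_report_hits "$demo" | while IFS=$'\t' read -r sig file quar; do
    if [ -n "$quar" ]; then
        echo "  $sig  $file  -> quarantined as $quar"
    else
        echo "  $sig  $file  -> still in place"
    fi
done
rm -f "$demo"
```

Feed it the saved mail body (for example from a procmail or maildrop rule) and act on lmd_report_uncleaned being non-zero; the third column tells you which files are still live on the web server and need immediate attention.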

I hope this lesson has been useful to you. If you have any questions or recommendations to protect your Linux server(s), feel free to leave a comment in our forum!

Forum Replies

  1. Hi,

    I try to install maldet, but I have an error:
    could not find required binary wget, aborting.

    Any idea?

  2. Hi Bobby,

    Sounds like you don’t have wget installed? This is the error that maldet throws at you when it can’t find wget.

    Rene

  3. Hi,

    Thx for this useful tut!

  4. Hi Rene,
    I would like to add a Linux server to my lab and would like to know which distro you recommend the most with Cisco.

    Thanks in advance.

  5. Hi Wisam,

    There’s not really a distribution that works well in combination with Cisco devices (it doesn’t matter what you use). I prefer Ubuntu Server (Long Term Support version) or CentOS.

    Rene
