Install Linux Malware Detect (LMD) in RHEL, CentOS and Fedora

In an earlier article I explained how to protect an Apache server from malicious requests and DoS attacks using mod_security and mod_evasive. This article covers another tool, the malware scanner LMD (Linux Malware Detect): how to install and configure it from source on RHEL 6.3/6.2/6.1/6/5.8, CentOS 6.3/6.2/6.1/6/5.8 and Fedora 17, 16, 15, 14, 13 and 12.

Linux Malware Detect

What is Malware?

Malware is malicious software: a program, script or piece of injected code written to steal private data or to gain unauthorized access to a system. Trojans, viruses, spyware, adware, rootkits and similar programs are all malware, and all of them are harmful to whoever runs the affected machine.

What is Linux Malware Detect (LMD)?

Linux Malware Detect (LMD) is a free, open source malware scanner for Linux and other Unix-like systems, released under the GNU GPLv2. It is built around the threats seen in shared hosting environments, and besides detecting a hit it can move the file to quarantine, try to clean string-based injections out of it and suspend the account that owns it. For more information and the full feature list see http://www.rfxn.com/projects/linux-malware-detect/.

Installing Linux Malware Detect (LMD) in RHEL, CentOS and Fedora

Step 1: Downloading Linux Malware Detect (LMD)

Download the current LMD tarball with wget. Note that rfxn.com serves the tarball, and the signature updates the installer fetches afterwards, over plain HTTP, and that install.sh runs as root: look over the unpacked tree before running it, and check it against a checksum or signature from the project page if one is published.

# cd /tmp
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Step 2: Installing LMD

Installing LMD is straightforward; run the following as root. The installer copies the program to /usr/local/maldetect, links the maldet command into /usr/local/sbin, drops a daily cron job into /etc/cron.daily and then pulls the latest signature set.

# tar xfz maldetect-current.tar.gz
# cd maldetect-*
# ./install.sh

Sample Output

Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks 
            (C) 2011, Ryan MacDonald 
inotifywait (C) 2007, Rohan McGovern 
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(3092): {sigup} performing signature update check...
maldet(3092): {sigup} local signature set is version 201205035915
maldet(3092): {sigup} new signature set (2012071115632) available
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(3092): {sigup} signature set update completed
maldet(3092): {sigup} 9649 signatures (7782 MD5 / 1867 HEX)

Step 3: Configuring LMD

Every option in the configuration file is documented with a comment, so read the file through before changing anything. The options that matter most are these:

  1. email_alert : set to 1 to receive an email report for each scan.
  2. email_subj : the subject line of those emails.
  3. email_addr : the address (or comma-separated addresses) the reports are sent to.
  4. quar_hits : what to do with a hit; 0 only alerts, 1 moves the file to quarantine and alerts. Set it to 1 if you want hits acted on rather than just reported.
  5. quar_clean : try to clean string-based malware injections out of a hit file instead of losing the whole file; requires quar_hits=1.
  6. quar_susp : suspend the user account that owns a hit (a cPanel suspend, or setting the shell to /bin/false on other systems); requires quar_hits=1. Leave it at 0 unless you are sure you want accounts disabled automatically.
  7. quar_susp_minuid : the lowest UID that quar_susp is allowed to suspend, so that system accounts are never touched. The default of 500 is the first regular user on RHEL/CentOS 5 and 6; Fedora 16 and later start regular users at 1000, so check UID_MIN in /etc/login.defs on your system.

Quarantine moves the hit file out of its place. If a site's index file is among the hits (two readers report exactly that in the comments below), the site stops loading until the file is restored from backup, so review the hit list of a first manual scan before leaving automatic quarantine switched on for a production host.

Open file /usr/local/maldetect/conf.maldet and make changes according to your needs.

# vi /usr/local/maldetect/conf.maldet

Sample Configuration

Here is my sample configuration file.

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="tecmint.com@gmail.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500
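The options above depend on each other (quar_clean and quar_susp do nothing without quar_hits=1, and email_alert=1 with an empty email_addr means the reports are silently lost), and quar_susp_minuid only protects system accounts if it is not below the first regular UID. The following script is an added example, not part of LMD or of the original article; it reads a conf.maldet with the simple key=value lines shown above, reports those inconsistencies, and compares quar_susp_minuid against UID_MIN from a login.defs file (path and sample configs are constructed for the demo):

```sh
#!/bin/sh
# Added example, not part of LMD: check a conf.maldet for settings that
# contradict each other. The config's own comments say quar_clean and
# quar_susp do nothing without quar_hits=1, and an email_alert with no
# address means the daily report is silently lost.

# get_opt FILE KEY: value of the last active (uncommented) KEY=value line,
# with surrounding double quotes removed
get_opt() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_maldet_conf CONF [LOGIN_DEFS]: print one line per problem found;
# exit status 0 means the file is consistent. LOGIN_DEFS defaults to
# /etc/login.defs and supplies UID_MIN, the first regular-user UID.
check_maldet_conf() {
    conf=$1
    login_defs=${2:-/etc/login.defs}
    problems=0
    quar_hits=$(get_opt "$conf" quar_hits)
    quar_clean=$(get_opt "$conf" quar_clean)
    quar_susp=$(get_opt "$conf" quar_susp)
    email_alert=$(get_opt "$conf" email_alert)
    email_addr=$(get_opt "$conf" email_addr)
    minuid=$(get_opt "$conf" quar_susp_minuid)

    if [ "$quar_hits" != "1" ]; then
        echo "quar_hits=${quar_hits:-unset}: hits are reported but never quarantined"
        problems=$((problems + 1))
    fi
    if [ "$quar_clean" = "1" ] && [ "$quar_hits" != "1" ]; then
        echo "quar_clean=1 has no effect without quar_hits=1"
        problems=$((problems + 1))
    fi
    if [ "$quar_susp" = "1" ] && [ "$quar_hits" != "1" ]; then
        echo "quar_susp=1 has no effect without quar_hits=1"
        problems=$((problems + 1))
    fi
    if [ "$email_alert" = "1" ] && [ -z "$email_addr" ]; then
        echo "email_alert=1 but email_addr is empty: reports go nowhere"
        problems=$((problems + 1))
    fi
    uid_min=$(sed -n 's/^UID_MIN[[:space:]]*//p' "$login_defs" 2>/dev/null | head -n 1)
    if [ -n "$uid_min" ] && [ -n "$minuid" ] && [ "$minuid" -lt "$uid_min" ]; then
        echo "quar_susp_minuid=$minuid is below UID_MIN=$uid_min: system accounts could be suspended"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# demo: two constructed configs (not taken from any real server) and a
# constructed login.defs carrying the RHEL/CentOS 6 value UID_MIN 500
demo() {
    defs=$(mktemp); good=$(mktemp); bad=$(mktemp)
    printf 'UID_MIN 500\n' > "$defs"
    printf 'email_alert=1\nemail_addr="root@localhost"\nquar_hits=1\nquar_clean=1\nquar_susp=0\nquar_susp_minuid=500\n' > "$good"
    printf 'email_alert=1\nemail_addr=""\nquar_hits=0\nquar_clean=1\nquar_susp=1\nquar_susp_minuid=100\n' > "$bad"
    echo "== good =="; check_maldet_conf "$good" "$defs" && echo "no problems"
    echo "== bad ==";  check_maldet_conf "$bad" "$defs" || echo "(fix before relying on the cron job)"
    rm -f "$defs" "$good" "$bad"
}
demo
```

Run it against the real file with `check_maldet_conf /usr/local/maldetect/conf.maldet`; it reads only plain `key=value` lines, so a value that is computed in the file (such as the `$(hostname)` in email_subj) is left alone rather than evaluated.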

Step 4: Manual Scans and Usage

To scan all users' home directories, run:

# maldet --scan-all /home

If you ran a scan with quarantine turned off, you do not need to scan again. Every scan gets a SCANID, printed at the end of its report (and listed by maldet --report list), and you can quarantine or clean that scan's hits afterwards:

# maldet --quarantine SCANID
OR
# maldet --clean SCANID

The report's NOTE line gives the short form, maldet -q SCANID. SCANID has to be the id of an actual report; anything else is rejected with "invalid SCANID, aborting".
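Before quarantining a whole scan it pays to know what the hits are. The script below is an added example, not LMD's own code: it reads a saved maldet report, pulls out the SCANID that --quarantine and --clean need, lists the hits from FILE HIT LIST, and flags a hit that sits inside LMD's own install or source tree (a reader below scanned / and got exactly one hit, on a file in maldetect-1.4.1/files/clean/; LMD's cleaner rules carry the strings its signatures look for, so such a hit is LMD finding itself, not an infection). The sample report is constructed in the layout maldet prints; its first hit copies the reader's, the second hit and the web-root paths are made up for the demo:

```sh
#!/bin/sh
# Added example, not LMD code: read a maldet scan report, pull out the SCANID
# that --quarantine/--clean need, and sort the hits by where they live so a
# hit on LMD's own files is not mistaken for an infection.

# report_scanid REPORT: value of the SCAN ID line, e.g. 022013-1905.7282
report_scanid() {
    sed -n 's/^SCAN ID:[[:space:]]*//p' "$1" | head -n 1
}

# report_hits REPORT: one "signature<TAB>path" line per FILE HIT LIST entry
report_hits() {
    awk -F' : ' '/^FILE HIT LIST:/ { inlist = 1; next }
                 inlist && NF >= 2 { print $1 "\t" $2 }' "$1"
}

# classify_hit PATH: "self" for LMD's own install or unpacked source tree
# (its cleaner rules carry the strings its signatures match), "web" for a
# path under the usual web roots, "other" for anything else
classify_hit() {
    case $1 in
        /usr/local/maldetect/*|*/maldetect-*/files/clean/*) echo self ;;
        /home/*/public_html/*|/var/www/*) echo web ;;
        *) echo other ;;
    esac
}

# quarantine_cmd REPORT: the command that quarantines this report's hits,
# built from the report's own id (printed here rather than run)
quarantine_cmd() {
    id=$(report_scanid "$1")
    [ -n "$id" ] || { echo "no SCAN ID line in $1" >&2; return 1; }
    echo "maldet --quarantine $id"
}

# sample_report: constructed report in the layout maldet prints. The first
# hit is the one a reader posted in the comments; the second is made up.
sample_report() {
cat <<'EOF'
SCAN ID: 022013-1905.7282
TIME: Feb 20 19:59:07 +0000
PATH: /
TOTAL FILES: 37613
TOTAL HITS: 2
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 022013-1905.7282
FILE HIT LIST:
{MD5}gzbase64.inject.unclassed.599 : /installations/maldetect-1.4.1/files/clean/gzbase64.inject.unclassed
{HEX}php.cmdshell.unclassed.344 : /home/alice/public_html/images/x.php
EOF
}

demo() {
    report=$(mktemp); sample_report > "$report"
    echo "scan id: $(report_scanid "$report")"
    report_hits "$report" | while IFS="$(printf '\t')" read -r sig path; do
        printf '%-5s %s  %s\n' "$(classify_hit "$path")" "$sig" "$path"
    done
    quarantine_cmd "$report"
    rm -f "$report"
}
demo
```

On a real host, save the output of `maldet --scan-all /home` (or the mailed report) to a file and pass it to `report_hits`; only when every remaining hit is one you want acted on, run the command `quarantine_cmd` prints.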

Step 5: Daily Scans

The installer places a script at /etc/cron.daily/maldet. Once a day it updates the signatures, scans its configured paths, applies the quarantine settings from conf.maldet and mails the report to the addresses in email_addr, so a fresh install is already running scheduled scans without any further setup. To scan additional paths, edit that script and add them.

# vi /etc/cron.daily/maldet



29 Responses

  1. rft says:

    Hi Ravi
    I have a dedicated server which is infected with an eval64 string. I need some pro help to use LMD on my server. Please PM me if you have a pro service for server security.
    regards

    • Ravi Saive says:

      @rft – Yes, we have a pro service where we clean up all malware code from the server. Please contact us for more details.

  2. China Mike says:

    Hi, and great read! I installed it right away because my system was acting strangely. While I was online it seemed my HD was cycling like mad! I ran "top" in Konsole to see what was going on, but it all seemed normal, except for systemd, which was running tons of stuff, which I thought was probably normal, but wasn't sure, so I did a search for a "malware proggy" for Linux (I use Fedora) and found this great post.

    I do have a question. I tried everything exactly as you wrote, but I got this back when I tried step 2 after the scan (the clean/quarantine part):

    maldet(21913): {clean} invalid SCANID, aborting.

    Now, I had no viruses detected, but now I am wondering: now that I have this installed, does it just "run daily" on its own? Does it turn on when I boot up, or what? I did see that script you mentioned right where you said it was, and I looked at it, but it being a rather involved bit of script, I didn't touch it! :)

    Email me for any info you can provide, and thanks again. I am off to read the other posts that popped up in the 'You Might Also Like' window! My email is coded below:

    c|-|in/-\ “D0t” /\/\ike “/-\t” h0t/\/\ai|_ “D0t” c0/\/\”

    • Ravi Saive says:

      @China Mike – If you have used my script with cron enabled, as I mentioned above, the cron will run the script every day and send the scan report to your mail. It's really a good idea to have the script in place for scanning the system for malware detection.

  3. Mathan says:

    Hi,

    I installed LMD as you mentioned above, but I can't execute step 4.

    I get the following output. Please assist.

    e.g.:

    [root@ip-182-50-142-53 maldetect-1.4.1]# maldet --scan-all /home
    bash: maldet: command not found

  4. Dee says:

    Hi Ravi – thanks for a very well-written article – short and informative. Look forward to reading more of the same on this site!

  5. mark says:

    I have recently run a scan and got the following results.
    The infected file: May 15 2010 /usr/local/maldetect/clean/gzbase64.inject.unclassed
    is the only file found, yet this is in this software's directory; why is this?

    SCAN ID: 022013-1905.7282
    TIME: Feb 20 19:59:07 +0000
    PATH: /
    TOTAL FILES: 37613
    TOTAL HITS: 1
    TOTAL CLEANED: 0

    NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 022013-1905.7282
    FILE HIT LIST:
    {MD5}gzbase64.inject.unclassed.599 : /installations/maldetect-1.4.1/files/clean/gzbase64.inject.unclassed

  6. Tom says:

    When I try to run ./install.sh I get the following response on my CentOS server:

    -bash: ./install.sh: /bin/bash: bad interpreter: Permission denied

    • Ravi Saive says:

      Set execute permission on the install.sh file and run it again. If you still get the error, check your /etc/fstab file and set the 'exec' flag on the specific device.

      # chmod 755 install.sh
      
  7. McQueen says:

    Thank you. Great tool!!

  8. Usha says:

    Hi Ravi,

    I would like to know whether this software will support my Red Hat Enterprise 64-bit OS release 6.3 (Santiago) or not. I installed Apache on this server, which is in a DMZ zone. iptables is enabled on it, but SELinux is disabled. Please help me with an answer.

    thanks,
    Usha.

    • Ravi Saive says:

      Hi Usha,

      Yes, it will work on your RHEL 6.3. Go ahead and install it. If you face any problem, do let me know.

  9. JC says:

    Hi Ravi,

    Thank you for your article. I have questions: do you recommend scanning another directory than HOME? And what about maldet updates? The author says "Updates to the release version of LMD are not automatically installed but can be installed using the --update-ver option." How often are you updating maldet?
    thx

    • Ravi Saive says:

      You can scan any drive or directory, just give the path. I have never yet tried the update command you are suggesting. I will try it and let you know.

  10. Crane says:

    Hi TecMint,
    Could you explain, for a newbie, how to uninstall maldet? Some PHP shells are able to stay hidden even with maldet. :(

  11. Nilesh says:

    Hi Ravi,

    How do I scan by file type using maldet? For example, I want to scan all *.php and *.html files on the server. What is the command?

  12. Liza says:

    Hi Ravi,

    First, thank you for the useful information, and second, how can I recursively scan a user home directory? I have a user home that has 38,000 files and directories, and when I run maldet it only shows me 15348.

    Thanks a lot

  13. Nikos says:

    Hi, I ran LMD on my server and it found 21 malware. When I quarantined them, one of my websites, http://www.profilmedia.gr, does not load, but I can log in to the administrator.

    What should i do?

  14. Dear Ravi,

    I installed LMD on my dedicated server and it detected 21 malware, which I removed. However, one of my websites does not load the front end; only the administrator loads.

    What should i do?

    • Ravi Saive says:

      The front end index file might have been affected and removed by LMD. Please upload a backup of the index file if you have one.

  15. Nitin says:

    Hi! I'm trying to install but I'm getting the Bad Interpreter error. I have assigned 755 permission to install.sh but am still getting the error. I checked the /etc/fstab file but I'm not sure what exactly you mean by "set EXEC to specific device". Can you please help me out here?

    • Ravi Saive says:

      Do you have the needed shell installed? Each shell script has its own default interpreter. Run the following command to verify that you have /bin/sh installed on your system. If not, install it.

  16. Hi Ravi,

    Please let me know how I can configure it to get mails if I have a clean report or hits=0,

    through the command line.
