Malware on Linux Server (Maldet)

There are so many new malware coming every day and these reside mostly in user level files which are not checked by most of the common antivirus software that mainly focus on server level vulnerabilities.

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

Installation and Configuration

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzvf maldetect-current.tar.gz
# cd maldetect-*
# sh install.sh

The main configuration file for malware detecting is located at below path :

/usr/local/maldetect/conf.maldet
The main cron is located at /etc/cron.daily/maldet

There are three ignore files available in LMD , below are their paths and usage details :

/usr/local/maldetect/ignore_paths
This is a line spaced file for paths that are to be execluded from search results

/usr/local/maldetect/ignore_sigs
This is a line spaced file for signatures that should be removed from file scanning

/usr/local/maldetect/ignore_inotify
This is a line spaced file for paths that are to be excluded from inotify monitoring

The main configuration file is fully commented so you can easily make setup most options by looking at the comments, below are some main options that you should set :

email_alert
This is a top level toggle for the e-mail alert system, this must be turned on if you want to receive alerts.

email_addr
This is a comma spaced list of e-mail addresses that should receive alerts.

quar_hits
This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to original path, owner and permission using the –restore FILE option.

quar_clean
This tells LMD that it should try to clean malware that it has cleaner rules for, at the moment base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to original path, owner and permission.

quar_susp
Using this option allows LMD to suspend a user account that malware is found residing under. On CPanel systems this will pass the user to /scripts/suspendacct and add a comment with the maldet report command to the report that caused the users suspension (e.g: maldet –report SCANID). On non-cpanel systems, the users shell will be set to /bin/false.

quar_susp_minuid
This is the minimum user id that will be evaluated for suspension, the default should be fine on most systems.

The rest of the options in conf.maldet can be left as defaults unless you clearly understand what they do and how they may influence scan results and performance.

Manual Scan and real-time monitoring
If you are looking to scan all the public_html directories for all the users on the server then you can achieve this using below command :

maldet –scan-all /home?/?/public_html
Note : Please note that LMD use ‘?’ as wild card instead of ‘*’ , thus the use of ’?’ in above command.

There are more options like –scan-recent which you can use to scan only recent files/changes and you have the option to mention number of days at the end of command which helps you scan for a recent time period.

You can initiate to monitoring for any user account as follows :

maldet –monitor /home/mike

The monitoring will continue to run in background and the resultant logs will be reported in below log file :

/usr/local/maldetect/inotify/inotify_log

The daily scans through cron
The cronjob which is installed by LMD is located at path /etc/cron.daily/maldet as I mentioned earlier in the post and this cron is used to perform a daily update of signatures, keep the session, temp and quarantine data to no more than 14d old and run a daily scan of recent file system changes.

February 24, 2013 - Posted by rxts | Linux