DirectAdmin Knowledge Base and Support


Linux Malware Detect on Directadmin Powered server

Published 04.10.2012, 13:10:06

*** Last updated on 2019, August 1st. ***

Description

Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, that is designed around the threats faced in shared hosting environments. It uses threat data from network-edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for it. Additional threat data comes from user submissions via the LMD checkout feature and from malware community resources. LMD signatures are MD5 file hashes and HEX pattern matches, and they can easily be exported to other detection tools such as ClamAV.

Installation

cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd $(ls -1d maldetect-*/ | tail -1)
./install.sh

As soon as installation finishes you'll see something similar to:

Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(19402): {sigup} performing signature update check...
maldet(19402): {sigup} local signature set is version 2012011929852
maldet(19402): {sigup} latest signature set already installed

Running as cron job

The /etc/cron.daily/maldet file created by the installer no longer needs any modification for DirectAdmin servers: current LMD releases support DirectAdmin out of the box, so the daily cron job already covers the DirectAdmin user directories.

Manual scanning

To scan the public_html directories of all DirectAdmin users in one pass, run:

maldet -a /home?/?/domains/?/public_html

LMD treats the ? in a scan path as a wildcard for a path component, so this expands to every user's domain document root under /home, /home2 and so on. For servers with many users, run the same scan in the background:

maldet -b -a /home?/?/domains/?/public_html

The result of a background scan is written to the LMD report and can be viewed later with maldet --report.

Keep in mind that some PHP web shells can still evade the default LMD signature set. To reduce the chance of malware going undetected, you can add the Malware.Expert signature feeds using one of the following two options, depending on whether ClamAV is installed:

Maldet without ClamAV

Point LMD at the Malware.Expert signature feeds (use this if you do not have ClamAV installed):

perl -pi -e 's#^import_custsigs_md5_url=.*#import_custsigs_md5_url="http://cdn.malware.expert/malware.expert.hdb"#' /usr/local/maldetect/conf.maldet
perl -pi -e 's#^import_custsigs_hex_url=.*#import_custsigs_hex_url="http://cdn.malware.expert/malware.expert.ndb"#' /usr/local/maldetect/conf.maldet

Update the signature set:

maldet -u

and verify that the custom signature files were downloaded:

ls -la /usr/local/maldetect/sigs/custom.*.dat

The expected output is two non-empty files (sizes and dates will differ):

[root@server ~]# ls -la /usr/local/maldetect/sigs/custom.*.dat
-rw-r--r-- 1 root root 135043 Aug  1 03:18 /usr/local/maldetect/sigs/custom.hex.dat
-rw-r--r-- 1 root root  29852 Aug  1 03:18 /usr/local/maldetect/sigs/custom.md5.dat
[root@server ~]#

Maldet with ClamAV

Add the Malware.Expert databases to freshclam (use this if ClamAV is installed; LMD will pick them up through its ClamAV integration):

echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp" >> /etc/freshclam.conf

Restart Freshclam:

service freshclam restart

and verify that freshclam downloaded the databases (the path depends on how ClamAV was installed):

ls -la /usr/local/share/clamav/malware.expert.* /var/lib/clamav/malware.expert.*
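The edits in the two sections above are written as one-shot commands: the perl substitutions silently do nothing if the option line is missing or commented out in conf.maldet, and re-running the echo >> lines stacks duplicate DatabaseCustomURL entries in freshclam.conf. The following helpers are an added example for this article, not part of LMD or ClamAV, that perform the same edits idempotently and check that the signature files really arrived. File paths are parameters so the functions can be exercised against scratch copies; the real files are /usr/local/maldetect/conf.maldet, /etc/freshclam.conf and /usr/local/maldetect/sigs. The function names and the sample config contents are constructed for the example.

```shell
#!/bin/sh
# Added example: idempotent helpers for the conf.maldet / freshclam.conf edits
# described in the article. Not part of LMD or ClamAV.

# set_kv FILE KEY VALUE
# Set KEY="VALUE" in a shell-style config file. Also matches a commented-out
# `#KEY=` line and appends the setting if the key is absent, so the edit never
# silently no-ops the way a bare `perl -pi -e 's#^KEY=.*#...#'` would.
set_kv() {
    file=$1 key=$2 value=$3
    # Escape characters that are special in a sed replacement (&, |, \).
    esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
    if grep -q "^#*[[:space:]]*${key}=" "$file"; then
        sed "s|^#*[[:space:]]*${key}=.*|${key}=\"${esc}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY
# Print the (unquoted) value of KEY, for verification after set_kv.
get_kv() {
    grep "^${2}=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# append_once FILE LINE
# Append LINE unless it is already present verbatim, so repeated runs of the
# freshclam setup do not accumulate duplicate DatabaseCustomURL lines.
append_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# check_sigs DIR
# Return 0 only if both custom signature files exist and are non-empty, the
# state `maldet -u` should leave behind. A missing or empty file means the
# download failed (blocked outbound HTTP, wrong URL) and LMD is scanning
# without the extra signatures even though the config looks right.
check_sigs() {
    for f in "$1/custom.md5.dat" "$1/custom.hex.dat"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    return 0
}

# Demonstration on constructed scratch copies (run as: sh thisfile.sh demo).
demo() {
    work=$(mktemp -d)
    cat > "$work/conf.maldet" <<'EOF'
# constructed sample of the relevant conf.maldet lines
import_custsigs_md5_url=""
#import_custsigs_hex_url=""
EOF
    set_kv "$work/conf.maldet" import_custsigs_md5_url "http://cdn.malware.expert/malware.expert.hdb"
    set_kv "$work/conf.maldet" import_custsigs_hex_url "http://cdn.malware.expert/malware.expert.ndb"
    # Second run is a no-op rather than a duplicate.
    set_kv "$work/conf.maldet" import_custsigs_hex_url "http://cdn.malware.expert/malware.expert.ndb"
    append_once "$work/freshclam.conf" "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb"
    append_once "$work/freshclam.conf" "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb"
    cat "$work/conf.maldet" "$work/freshclam.conf"
    mkdir "$work/sigs"
    check_sigs "$work/sigs" || echo "as expected: no signatures downloaded yet"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

After applying the real edits, run `maldet -u` and then `check_sigs /usr/local/maldetect/sigs`; a non-zero exit is the signal to look at the LMD event log before trusting the next scan.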


The maldet website

http://www.rfxn.com/projects/linux-malware-detect/
