*** Last updated on 2019, August 1st. ***
Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, that is designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Threat data is also derived from user submissions made with the LMD checkout feature and from malware community resources. The signatures LMD uses are MD5 file hashes and HEX pattern matches; they can also be exported to other detection tools such as ClamAV.
Install LMD from the current release tarball as root:
cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd $(ls -1d maldetect-*/ | tail -1)
./install.sh
Note that the archive is fetched over plain HTTP and install.sh runs with root privileges, so look over the unpacked scripts before executing them.
As soon as installation finishes you'll see something similar to:
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(19402): {sigup} performing signature update check...
maldet(19402): {sigup} local signature set is version 2012011929852
maldet(19402): {sigup} latest signature set already installed
The file /etc/cron.daily/maldet no longer needs any modification for DirectAdmin servers: current LMD releases support DirectAdmin out of the box.
To scan the web roots of all DirectAdmin users under /home, run maldet with its -a (scan all files in path) option:
maldet -a /home?/?/domains/?/public_html
or, to run the scan in the background and read the report afterwards:
maldet -b -a /home?/?/domains/?/public_html
The question marks are LMD's path wildcards (used instead of * so that the shell does not expand them), so this single path covers every user's domains under /home and under any additional /home2-style partitions.
Be aware that some PHP web shells may still go undetected by maldet. To reduce the chance of malware slipping through, you can add the Malware.Expert signature set using one of the following two options. Both fetch the signatures over plain HTTP, as published by the provider, so an attacker on the network path could tamper with them; prefer an HTTPS URL if the provider offers one.
Connect Virus Definitions from Malware.Expert (if you don't have ClamAV installed):
perl -pi -e 's#^import_custsigs_md5_url=.*#import_custsigs_md5_url="http://cdn.malware.expert/malware.expert.hdb"#' /usr/local/maldetect/conf.maldet
perl -pi -e 's#^import_custsigs_hex_url=.*#import_custsigs_hex_url="http://cdn.malware.expert/malware.expert.ndb"#' /usr/local/maldetect/conf.maldet
Update the signature databases:
maldet -u
and check the result with
ls -la /usr/local/maldetect/sigs/custom.*.dat
You should see something like:
[root@server ~]# ls -la /usr/local/maldetect/sigs/custom.*.dat
-rw-r--r-- 1 root root 135043 Aug  1 03:18 /usr/local/maldetect/sigs/custom.hex.dat
-rw-r--r-- 1 root root  29852 Aug  1 03:18 /usr/local/maldetect/sigs/custom.md5.dat
[root@server ~]#
Connect Virus Definitions from Malware.Expert (with ClamAV installed). Append the four database URLs to /etc/freshclam.conf; check first that they are not already present, because running these commands a second time appends duplicate entries:
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp" >> /etc/freshclam.conf
Restart freshclam so that it fetches the new databases (on Debian-based systems the service is named clamav-freshclam):
service freshclam restart
and check that the databases were downloaded:
ls -la /usr/local/share/clamav/malware.expert.* /var/lib/clamav/malware.expert.*
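The script below is an added example; it is not part of LMD, ClamAV or the original instructions on this page. It repeats both signature-import options above (the conf.maldet edit for servers without ClamAV, and the freshclam.conf DatabaseCustomURL entries for servers with it) as idempotent shell functions: the conf.maldet keys are rewritten in place instead of appended, each DatabaseCustomURL line is added only when it is missing, and verify_sig_files checks that maldet -u really produced non-empty custom.md5.dat and custom.hex.dat files rather than silently failing. The function names, the MALDET_CONF and FRESHCLAM_CONF overrides and the apply / apply-clamav arguments are my own assumptions; the paths and URLs are the ones given on the page. It relies on GNU sed -i.

```shell
#!/bin/sh
# Added example (not part of LMD, ClamAV or the original page): idempotent helpers for
# hooking the Malware.Expert signature set into LMD or freshclam, plus a check that the
# custom signature files really arrived after 'maldet -u'.
# Assumptions (not from the page): the function names, the MALDET_CONF / FRESHCLAM_CONF
# overrides and the apply / apply-clamav arguments. Paths and URLs are the page's own.
set -eu

MALDET_CONF="${MALDET_CONF:-/usr/local/maldetect/conf.maldet}"
FRESHCLAM_CONF="${FRESHCLAM_CONF:-/etc/freshclam.conf}"
SIG_BASE="http://cdn.malware.expert"   # plain http, as published; transfer is not integrity-checked

# set_conf_var FILE KEY VALUE
# Set KEY="VALUE" in a conf.maldet-style file. An existing assignment is rewritten in
# place (same effect as the perl -pi -e one-liners above); a missing key is appended.
# Re-running therefore never leaves stale or duplicate lines. VALUE must not contain
# '#' or '&', which are special inside the sed expression (GNU sed -i required).
set_conf_var() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s#^${key}=.*#${key}=\"${value}\"#" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_var FILE KEY  ->  prints the value of the last KEY= line without quotes
# (empty output if the key is not set)
get_conf_var() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# add_custom_url FILE URL
# Append 'DatabaseCustomURL URL' only if that exact line is absent. The page's plain
# 'echo ... >> /etc/freshclam.conf' adds a duplicate every time it is run.
add_custom_url() {
    file=$1; url=$2
    grep -qxF "DatabaseCustomURL ${url}" "$file" 2>/dev/null && return 0
    printf 'DatabaseCustomURL %s\n' "$url" >> "$file"
}

# count_custom_urls FILE  ->  number of DatabaseCustomURL lines (0 if none)
count_custom_urls() {
    grep -c '^DatabaseCustomURL ' "$1" || true
}

# verify_sig_files DIR
# After 'maldet -u' the imported set should exist in DIR as custom.md5.dat and
# custom.hex.dat. Fail if either is missing or empty, so a silently failed download
# does not leave maldet scanning with the stock signatures only.
verify_sig_files() {
    dir=$1
    for f in custom.md5.dat custom.hex.dat; do
        [ -s "$dir/$f" ] || { echo "missing or empty signature file: $dir/$f" >&2; return 1; }
    done
}

# Option 1 from the page: no ClamAV, let maldet import the hdb/ndb sets itself.
configure_maldet() {
    set_conf_var "$MALDET_CONF" import_custsigs_md5_url "$SIG_BASE/malware.expert.hdb"
    set_conf_var "$MALDET_CONF" import_custsigs_hex_url "$SIG_BASE/malware.expert.ndb"
    echo "updated $MALDET_CONF; now run 'maldet -u' and then: verify_sig_files /usr/local/maldetect/sigs"
}

# Option 2 from the page: ClamAV installed, let freshclam fetch all four databases.
configure_freshclam() {
    for ext in ndb hdb ldb fp; do
        add_custom_url "$FRESHCLAM_CONF" "$SIG_BASE/malware.expert.$ext"
    done
    echo "$(count_custom_urls "$FRESHCLAM_CONF") DatabaseCustomURL lines in $FRESHCLAM_CONF; restart freshclam to fetch them"
}

case "${1:-}" in
    apply)        configure_maldet ;;
    apply-clamav) configure_freshclam ;;
    *)            echo "usage: $0 apply | apply-clamav   (MALDET_CONF / FRESHCLAM_CONF override the default paths)" ;;
esac
```

Run it as root with the apply argument (no ClamAV) or apply-clamav (ClamAV installed); with no argument it only prints usage, so the file can be sourced to try the helpers against a copy of the configuration first. Because every helper checks the file before writing, the script can be put in a provisioning or cron job and re-run safely.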