Linux Malware Detect

Installing Linux Malware Detect on CentOS 6

I’m going to show you in a few steps how to install LMD on your Linux server.

What is Malware? well, Malware is short for malicious software, such as a virus, which is specifically designed to disrupt or damage your computer system.

What is LMD? Linux Malware Detect (LMD) is an open-source malware scanner that runs under various flavours of Linux, distributed under the GPL2 license.

Downloading LMD:

You can either use your user home directory or tmp folder for installation files.

cd ~

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Installing LMD

tar xfz maldetect-current.tar.gz

cd maldetect-*

./install.sh

The first command unpacks the archive. The second changes into the unpacked directory and the third runs the install script. You may come across a “permission denied” message when running the install script. If this happens, do the following:

chmod +x ./install.sh

su root ./install.sh

This adds execute permission to the install script and runs it explicitly as the root user. The install script will only take a few seconds to run. Here’s a sample of what you will see in your bash shell:

Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks
(C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

Configuring LMD

From the installation output you can see that LMD has been installed into the folder /usr/local/maldetect and that’s where the conf.maldet configuration file lives, so go there and edit the file using the nano editor.

nano /usr/local/maldetect/conf.maldet

The settings are straightforward and well commented. The first setting you’ll want to change is the email alert address (email_addr) to your own address. There are also options to automatically quarantine suspicious files and to suspend cPanel accounts that contain detected malicious code. Here’s a sample of settings from the configuration file:

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="webmaster@mydomain.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500
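When you provision more than one server, editing conf.maldet by hand in nano does not scale. The following is an added example (not part of the original post and not LMD’s own tooling) of a small POSIX shell helper that sets a key=value line in a maldet-style config file, reads it back, and checks the dependencies the comments above state (quar_clean=1 and quar_susp=1 both require quar_hits=1). The config snippet it runs against is constructed inline; the function names are my own.

```shell
#!/bin/sh
# Added example: non-interactive editing of a conf.maldet-style file.
# Helper names (set_conf_value, get_conf_value, check_conf_deps) are assumptions.

# Replace an existing "key=value" line (uncommented, at line start) or append it.
set_conf_value() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$file"; then
        # Escape characters that are special in a sed replacement: & / \
        esc=$(printf '%s' "$value" | sed 's/[&/\]/\\&/g')
        tmp=$(mktemp)
        sed "s/^${key}=.*/${key}=${esc}/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of the last uncommented "key=" assignment in the file.
get_conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Return non-zero when quar_clean or quar_susp is enabled without quar_hits=1,
# which the config comments say is required for either to take effect.
check_conf_deps() {
    file="$1"
    hits=$(get_conf_value "$file" quar_hits)
    clean=$(get_conf_value "$file" quar_clean)
    susp=$(get_conf_value "$file" quar_susp)
    rc=0
    if [ "$clean" = 1 ] && [ "$hits" != 1 ]; then
        echo "conf.maldet: quar_clean=1 requires quar_hits=1" >&2; rc=1
    fi
    if [ "$susp" = 1 ] && [ "$hits" != 1 ]; then
        echo "conf.maldet: quar_susp=1 requires quar_hits=1" >&2; rc=1
    fi
    return $rc
}

# Demo on a constructed copy of the settings shown above (never touches
# /usr/local/maldetect/conf.maldet).
demo_conf() {
    f=$(mktemp)
    printf '%s\n' \
        '# [ EMAIL ALERTS ]' \
        'email_alert=1' \
        'email_addr="webmaster@mydomain.com"' \
        'quar_hits=0' \
        'quar_clean=1' > "$f"
    set_conf_value "$f" email_addr '"admin@example.com"'   # constructed address
    set_conf_value "$f" quar_hits 1
    set_conf_value "$f" quar_susp_minuid 500                 # appended: key was absent
    check_conf_deps "$f" && echo "config consistent"
    cat "$f"
    rm -f "$f"
}
```

To apply it to a real install you would call set_conf_value against /usr/local/maldetect/conf.maldet as root; keep check_conf_deps in your provisioning step so an alert-only server never silently carries quar_clean=1.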

Run a manual scan

Now that LMD is installed on your Server it’s probably a good idea to run a manual scan to see if there are any issues.

maldet --scan-all /home

Execution time for the scan will of course depend on how many files you have on your Server and at the end you will receive a report telling you how many files were scanned, issues detected and files quarantined.  This is also a good time to check that you received the email alert.

If you had not turned on quarantining and the scan detected issues, you can still quarantine or clean those files afterwards using the SCAN ID associated with the report:

maldet --quarantine SCANID

maldet --clean SCANID

Daily Scans

The installation script creates a daily cron job file, maldet, in the /etc/cron.daily folder. This daily cron job scans the server, installs updates and malware signatures, quarantines suspicious files and sends out the email alert. If you need any additional folders to be scanned, add them to this cron job script:

nano /etc/cron.daily/maldet
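The two previous sections (quarantining by SCAN ID after an alert-only scan, and scanning additional folders from cron) can be combined in one wrapper. The following is an added example, not part of the original post and not LMD’s own cron script: it scans a list of directories, saves the output to a log, pulls the hit count and SCAN ID out of that log, and runs maldet --quarantine only when there were hits. The maldet output lines it parses are constructed samples in the shape I assume LMD prints (a "scan completed ... malware hits N" line and a "to view run: maldet --report SCANID" line); check them against your own version’s output before relying on the wrapper. MALDET can be pointed at echo to dry-run the script on a machine without LMD.

```shell
#!/bin/sh
# Added example: cron wrapper around maldet for several paths (assumed helper names).
# Override MALDET=echo to dry-run without LMD installed.
MALDET="${MALDET:-/usr/local/sbin/maldet}"

# SCAN ID from a saved run log. Assumed line shape (constructed sample):
#   maldet(4321): {scan} scan report saved, to view run: maldet --report 060413-1315.2321
scan_id_from_log() {
    sed -n 's/.*maldet --report \([0-9][0-9.-]*\).*/\1/p' "$1" | tail -n 1
}

# Malware hit count from the run log. Assumed line shape (constructed sample):
#   maldet(4321): {scan} scan completed on /home: files 412, malware hits 2, cleaned hits 0, time 9s
hits_from_log() {
    sed -n 's/.*malware hits \([0-9][0-9]*\),.*/\1/p' "$1" | tail -n 1
}

# Scan every directory given, appending maldet output to $log; skip non-directories
# so a typo in the path list is recorded instead of aborting the whole cron run.
scan_paths() {
    log="$1"; shift
    : > "$log"
    for p in "$@"; do
        if [ -d "$p" ]; then
            "$MALDET" --scan-all "$p" >> "$log" 2>&1
        else
            echo "skipping $p: not a directory" >> "$log"
        fi
    done
}

# Quarantine the run's hits by SCAN ID (the post's "maldet --quarantine SCANID").
# Returns 1 when there is nothing to quarantine or no SCAN ID could be found.
quarantine_if_hits() {
    hits=$(hits_from_log "$1"); id=$(scan_id_from_log "$1")
    [ -n "$hits" ] && [ "$hits" -gt 0 ] && [ -n "$id" ] || return 1
    "$MALDET" --quarantine "$id"
}

# Example cron.daily use (paths are constructed; adjust to your server):
#   scan_paths /var/log/maldet-wrapper.log /home /var/www \
#       && quarantine_if_hits /var/log/maldet-wrapper.log
```

Because LMD’s own /etc/cron.daily/maldet already runs, treat this wrapper as a second job for the extra paths (for example a web root outside /home) rather than a replacement, and keep quar_hits=1 in conf.maldet if you want the daily job itself to quarantine.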

Update

If you want you can also update it manually:

maldet --update-ver

Above you see how to update to the latest version of Linux Malware Detect using the --update-ver parameter. We can also update the signatures ourselves:

maldet --update

Using the --update parameter you get the latest signatures.
