
Maldet - Linux Malware Detect Addon (discussion)

Discussion in 'Add Ons' started by eva2000, Jul 17, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod already has an official Addon for AVG Anti-Virus for Linux to manually scan for viruses and malware on Linux servers at Centmin Mod Addons for Menu based Nginx installer for CentOS servers, and it's very fast for scanning but doesn't detect all malware out there. Linux Malware Detect (maldet), on the other hand, is much slower (up to 50x slower than AVG for scanning, but much faster when paired with ClamAV now, see below) and can pick up more malware variants out there (Linux Malware Detect | R-fx Networks), and unlike AVG it has automatic cronjobs set for daily scanning and daily definition updates, while AVG is manual scanning and definition updates only.

    Update: vBulletin forum users should not use Maldet as vB code has a lot of evals in it that can cause Maldet to report and quarantine false positive malware, explained here.

    Update: for Centmin Mod maldet.sh addon auto installer, check 5th post.

    Updated: March 15th, 2015: Added a How to install Centmin Mod maldet.sh addon video for .08 beta releases :)



    Links
    I'm going to make an official Centmin Mod Addon for Linux Malware Detect (maldet), but for now here's how to manually install Linux Malware Detect on Centmin Mod servers. Update: for Centmin Mod maldet.sh addon auto installer, check 5th post.

    Code:
    cd /svr-setup
    wget -cnv http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar xfz maldetect-current.tar.gz
    cd maldetect-*
    ./install.sh
    

    Maldet Configuration Changes



    CentOS 7 and/or newer Maldet versions may have setting names changed (see Maldet - Linux Malware Detect Addon (discussion)) that differ from the guide below. For example quar_hits=1 might be named quarantine_hits="1" etc.

    Maldet Configuration



    After install make sure to edit maldet config file at /usr/local/maldetect/conf.maldet and add your email address so you get email notifications for malware detected during maldet scans.

    Set email_alert=1 to enable email alerts and set email_addr with a comma separated list of email addresses to send alerts to. If you want, you can also set up push notifications to your mobile device by signing up with Pushover: Simple Notifications for Android, iOS, and Desktop and setting up a mobile device name where you can send email to:

    You may also want to enable automatic quarantine of detected malware by setting quar_hits=1

    Code:
    # [ EMAIL ALERTS ]
    ##
    # The default email alert toggle
    # [0 = disabled, 1 = enabled]
    email_alert=1
    
    # The subject line for email alerts
    email_subj="maldet alert from $(hostname)"
    
    # The destination addresses for email alerts
    # [ values are comma (,) spaced ]
    email_addr="you@domain.com,youruserkey+devicename+p1@api.pushover.net"
    
    # Ignore e-mail alerts for reports in which all hits have been cleaned.
    # This is ideal on very busy servers where cleaned hits can drown out
    # other more actionable reports.
    email_ignore_clean=0
    
    ##
    # [ QUARANTINE OPTIONS ]
    ##
    # The default quarantine action for malware hits
    # [0 = alert only, 1 = move to quarantine & alert]
    quar_hits=1
    
    # Try to clean string based malware injections
    # [NOTE: quar_hits=1 required]
    # [0 = disabled, 1 = clean]
    quar_clean=1
    
    # The default suspend action for users with hits
    # Cpanel suspend or set shell /bin/false on non-Cpanel
    # [NOTE: quar_hits=1 required]
    # [0 = disabled, 1 = suspend account]
    quar_susp=0
    # minimum userid that can be suspended
    quar_susp_minuid=500
    The install.sh output would look something like this and also shows the paths to the maldet config file at /usr/local/maldetect/conf.maldet and cron.daily at /etc/cron.daily/maldet.
    Code:
    ./install.sh
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL
    
    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet
    
    /usr/local/maldetect/maldet: line 255: [: : integer expression expected
    maldet(8327): {sigup} performing signature update check...
    maldet(8327): {sigup} local signature set is version 201205035915
    maldet(8327): {sigup} new signature set (2014061517666) available
    maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
    maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
    maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
    maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
    maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
    maldet(8327): {sigup} signature set update completed
    maldet(8327): {sigup} 11760 signatures (9871 MD5 / 1889 HEX)
    The cron.daily/maldet file is a shell script listing which paths maldet scans daily; it supports commonly used control panels' templated paths and looks like this:
    Code:
    #!/bin/bash
    export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
    
    # sleep for random value to give upstream a bit of headroom
    sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
    
    # clear quarantine/session/tmp data every 14 days
    /usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
    /usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
    /usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
    /usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1
    
    # check for new release version
    /usr/local/maldetect/maldet -d >> /dev/null 2>&1
    
    # check for new definition set
    /usr/local/maldetect/maldet -u >> /dev/null 2>&1
    
    # if were running inotify monitoring, send daily hit summary
    if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
            /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
    else
            # scan the last 2 days of file changes
            if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                    # ensim
                    /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
            elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                    # psa
                    /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
            elif [ -d "/usr/local/directadmin" ]; then
                    # DirectAdmin
                    /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
            else
                    # cpanel, interworx and other standard home/user/public_html setups
                    /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
            fi
    
            # scan default apache docroot paths
            if [ -d "/var/www/html" ]; then
                    /usr/local/maldetect/maldet -b -r /var/www/html 2 >> /dev/null 2>&1
            fi
            if [ -d "/usr/local/apache/htdocs" ]; then
                    /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2 >> /dev/null 2>&1
            fi
    fi
    We need to tweak the cron.daily/maldet to add Centmin Mod Nginx's VHOST default template setup paths at /home/nginx/domains/domainname.com/public_html by typing the below to append to the existing configuration:
    Code:
    sed -i '/\/home?\/?\/public_html/ a\                \/usr\/local\/maldetect\/maldet -b -r \/home\/nginx\/domains\/?\/public 2 >> \/dev\/null 2>&1' /etc/cron.daily/maldet
    sed -i '/\/home?\/?\/public_html/ a\                \/usr\/local\/maldetect\/maldet -b -r \/usr\/local\/nginx\/html 2 >> \/dev\/null 2>&1' /etc/cron.daily/maldet
    
    Once the command is run, you will see an additional 2 lines appended to cron.daily/maldet to scan Centmin Mod Nginx's vhost paths:
    Code:
                    /usr/local/maldetect/maldet -b -r /home/nginx/domains/?/public 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /usr/local/nginx/html 2 >> /dev/null 2>&1
    
    Full appended cron.daily/maldet file below:
    Code:
    #!/bin/bash
    export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
    
    # sleep for random value to give upstream a bit of headroom
    sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
    
    # clear quarantine/session/tmp data every 14 days
    /usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
    /usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
    /usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
    /usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1
    
    # check for new release version
    /usr/local/maldetect/maldet -d >> /dev/null 2>&1
    
    # check for new definition set
    /usr/local/maldetect/maldet -u >> /dev/null 2>&1
    
    # if were running inotify monitoring, send daily hit summary
    if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
            /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
    else
            # scan the last 2 days of file changes
            if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                    # ensim
                    /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
            elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                    # psa
                    /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
            elif [ -d "/usr/local/directadmin" ]; then
                    # DirectAdmin
                    /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
            else
                    # cpanel, interworx and other standard home/user/public_html setups
                    /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /home/nginx/domains/?/public 2 >> /dev/null 2>&1
                    /usr/local/maldetect/maldet -b -r /usr/local/nginx/html 2 >> /dev/null 2>&1
            fi
    
            # scan default apache docroot paths
            if [ -d "/var/www/html" ]; then
                    /usr/local/maldetect/maldet -b -r /var/www/html 2 >> /dev/null 2>&1
            fi
            if [ -d "/usr/local/apache/htdocs" ]; then
                    /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2 >> /dev/null 2>&1
            fi
    fi
    Sample manual maldet background scan

    Code:
    /usr/local/maldetect/maldet -b -r /home/nginx/domains/?/public
    
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(8847): {scan} launching scan of /home/nginx/domains/?/public changes in last 7d to background, see /usr/local/maldetect/event_log for progress
    
    Checking the maldetect event_log:
    Code:
    cat /usr/local/maldetect/event_log
    Jul 14 07:07:47 centos7 maldet(8327): {sigup} performing signature update check...
    Jul 14 07:07:47 centos7 maldet(8327): {sigup} local signature set is version 201205035915
    Jul 14 07:07:47 centos7 maldet(8327): {sigup} new signature set (2014061517666) available
    Jul 14 07:07:51 centos7 maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
    Jul 14 07:07:54 centos7 maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
    Jul 14 07:07:56 centos7 maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
    Jul 14 07:08:00 centos7 maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
    Jul 14 07:08:00 centos7 maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
    Jul 14 07:08:00 centos7 maldet(8327): {sigup} signature set update completed
    Jul 14 07:08:00 centos7 maldet(8327): {sigup} 11760 signatures (9871 MD5 / 1889 HEX)
    Jul 14 07:27:09 centos7 maldet(8567): {scan} launching scan of /home?/?/public_html changes in last 7d to background, see /usr/local/maldetect/event_log for progress
    Jul 14 07:27:09 centos7 maldet(8567): {scan} signatures loaded: 11760 (9871 MD5 / 1889 HEX)
    Jul 14 07:27:09 centos7 maldet(8567): {scan} building file list for /home*/*/public_html of new/modified files from last 7 days, this might take awhile...
    Jul 14 07:27:09 centos7 maldet(8567): {scan} file list completed, found 1 files...
    Jul 14 07:27:10 centos7 maldet(8567): {scan} scan completed on /home*/*/public_html: files 1, malware hits 0, cleaned hits 0
    Jul 14 07:27:10 centos7 maldet(8567): {scan} scan report saved, to view run: maldet --report 071414-0727.8567
    Jul 14 07:47:17 centos7 maldet(8847): {scan} launching scan of /home/nginx/domains/?/public changes in last 7d to background, see /usr/local/maldetect/event_log for progress
    Jul 14 07:47:17 centos7 maldet(8847): {scan} signatures loaded: 11760 (9871 MD5 / 1889 HEX)
    Jul 14 07:47:17 centos7 maldet(8847): {scan} building file list for /home/nginx/domains/*/public of new/modified files from last 7 days, this might take awhile...
    Jul 14 07:47:17 centos7 maldet(8847): {scan} file list completed, found 10 files...
    Jul 14 07:47:19 centos7 maldet(8847): {scan} scan completed on /home/nginx/domains/*/public: files 10, malware hits 0, cleaned hits 0
    Jul 14 07:47:19 centos7 maldet(8847): {scan} scan report saved, to view run: maldet --report 071414-0747.8847
    
    Checking the report itself:
    Code:
    maldet --report 071414-0747.8847
    
    malware detect scan report for centos7.localdomain:
    SCAN ID: 071414-0747.8847
    TIME: Jul 14 07:47:19 +0000
    PATH: /home/nginx/domains/*/public
    RANGE: 7 days
    TOTAL FILES: 10
    TOTAL HITS: 0
    TOTAL CLEANED: 0
    
    ===============================================
    Linux Malware Detect v1.4.2 < proj@rfxn.com >
    
    As stated above, AVG Antivirus for Linux (Centmin Mod Addons for Menu based Nginx installer for CentOS servers) has much faster scan speed but requires manual update and scan runs, and does not have as wide malware definition/detection coverage compared to Linux Malware Detect (maldet). So sometimes installing both complements each other :)


    Linux Malware Detect (maldet) + ClamAV Scanning Engine


    Update: Speed up Maldet scanning by installing the ClamAV Antivirus scanner. In the /usr/local/maldetect/conf.maldet config file there is a setting that auto-detects if ClamAV (Clam AntiVirus) is installed and uses the ClamAV scan engine for up to 4x faster scanning.

    Code:
    # Attempt to detect the presence of ClamAV clamscan binary
    # and use as default scanner engine; up to four times faster
    # scan performance and superior hex analysis. This option
    # only uses ClamAV as the scanner engine, LMD signatures
    # are still the basis for detecting threats.
    # [ 0 = disabled, 1 = enabled; enabled by default ]
    clamav_scan=1
    To install ClamAV Anti Virus, do the following steps to install via YUM, start the clamd service, ensure it restarts on reboot, and run the freshclam command to update the definitions for ClamAV.

    Code:
    yum -y install clamav clamd
    /etc/init.d/clamd start
    chkconfig clamd on
    freshclam
    For manual ClamAV scanning, invoke the clamscan command. Its help options:

    Code:
    clamscan -h
                           Clam AntiVirus Scanner 0.98.4
               By The ClamAV Team: http://www.clamav.net/team
               (C) 2007-2009 Sourcefire, Inc.
        --help                -h             Print this help screen
        --version             -V             Print version number
        --verbose             -v             Be verbose
        --archive-verbose     -a             Show filenames inside scanned archives
        --debug                              Enable libclamav's debug messages
        --quiet                              Only output error messages
        --stdout                             Write to stdout instead of stderr
        --no-summary                         Disable summary at end of scanning
        --infected            -i             Only print infected files
        --suppress-ok-results -o             Skip printing OK files
        --bell                               Sound bell on virus detection
        --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
        --leave-temps[=yes/no(*)]            Do not remove temporary files
        --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load
                                             all supported db files from DIR
        --official-db-only[=yes/no(*)]       Only load official signatures
        --log=FILE            -l FILE        Save scan report to FILE
        --recursive[=yes/no(*)]  -r          Scan subdirectories recursively
        --allmatch[=yes/no(*)]   -z          Continue scanning within file after finding a match
        --cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
        --follow-dir-symlinks[=0/1(*)/2]     Follow directory symlinks (0 = never, 1 = direct, 2 = always)
        --follow-file-symlinks[=0/1(*)/2]    Follow file symlinks (0 = never, 1 = direct, 2 = always)
        --file-list=FILE      -f FILE        Scan files from FILE
        --remove[=yes/no(*)]                 Remove infected files. Be careful!
        --move=DIRECTORY                     Move infected files into DIRECTORY
        --copy=DIRECTORY                     Copy infected files into DIRECTORY
        --exclude=REGEX                      Don't scan file names matching REGEX
        --exclude-dir=REGEX                  Don't scan directories matching REGEX
        --include=REGEX                      Only scan file names matching REGEX
        --include-dir=REGEX                  Only scan directories matching REGEX
        --bytecode[=yes(*)/no]               Load bytecode from the database
        --bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode
        --bytecode-timeout=N                 Set bytecode timeout (in milliseconds)
        --bytecode-statistics[=yes/no(*)]    Collect and print bytecode statistics
        --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
        --exclude-pua=CAT                    Skip PUA sigs of category CAT
        --include-pua=CAT                    Load PUA sigs of category CAT
        --detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
        --structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
        --structured-ssn-count=N             Min SSN count to generate a detect
        --structured-cc-count=N              Min CC count to generate a detect
        --scan-mail[=yes(*)/no]              Scan mail files
        --phishing-sigs[=yes(*)/no]          Signature-based phishing detection
        --phishing-scan-urls[=yes(*)/no]     URL-based phishing detection
        --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
        --phishing-ssl[=yes/no(*)]           Always block SSL mismatches in URLs (phishing module)
        --phishing-cloak[=yes/no(*)]         Always block cloaked URLs (phishing module)
        --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics.
        --algorithmic-detection[=yes(*)/no]  Algorithmic detection
        --scan-pe[=yes(*)/no]                Scan PE files
        --scan-elf[=yes(*)/no]               Scan ELF files
        --scan-ole2[=yes(*)/no]              Scan OLE2 containers
        --scan-pdf[=yes(*)/no]               Scan PDF files
        --scan-swf[=yes(*)/no]               Scan SWF files
        --scan-html[=yes(*)/no]              Scan HTML files
        --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
        --detect-broken[=yes/no(*)]          Try to detect broken executable files
        --block-encrypted[=yes/no(*)]        Block encrypted archives
        --nocerts                            Disable authenticode certificate chain verification in PE files
        --dumpcerts                          Dump authenticode certificate chain in PE files
        --max-filesize=#n                    Files larger than this will be skipped and assumed clean
        --max-scansize=#n                    The maximum amount of data to scan for each container file (**)
        --max-files=#n                       The maximum number of files to scan for each container file (**)
        --max-recursion=#n                   Maximum archive recursion level for container file (**)
        --max-dir-recursion=#n               Maximum directory recursion level
        --max-embeddedpe=#n                  Maximum size file to check for embedded PE
        --max-htmlnormalize=#n               Maximum size of HTML file to normalize
        --max-htmlnotags=#n                  Maximum size of normalized HTML file to scan
        --max-scriptnormalize=#n             Maximum size of script file to normalize
        --max-ziptypercg=#n                  Maximum size zip to type reanalyze
        --max-partitions=#n                  Maximum number of partitions in disk image to be scanned
        --max-iconspe=#n                     Maximum number of icons in PE file to be scanned
        --enable-stats                       Enable statistical reporting of malware
        --disable-pe-stats                   Disable submission of individual PE sections in stats submissions
        --stats-timeout=#n                   Number of seconds to wait for waiting a response back from the stats server
        --stats-host-id=UUID                 Set the Host ID used when submitting statistical info.
    (*) Default scan settings
    (**) Certain files (e.g. documents, archives, etc.) may in turn contain other
       files inside. The above options ensure safe processing of this kind of data.
    Two clamscan examples, one with -i (infected-only reports) and one without (more verbose).
    Code:
    clamscan -i -r /home/nginx/domains/demodomain.com/
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 3501466
    Engine version: 0.98.4
    Scanned directories: 5
    Scanned files: 9
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 17.927 sec (0 m 17 s)
    
    Code:
    clamscan -r /home/nginx/domains/demodomain.com/
    
    /home/nginx/domains/demodomain.com/public/index.html: OK
    /home/nginx/domains/demodomain.com/public/403.html: OK
    /home/nginx/domains/demodomain.com/public/404.html: OK
    /home/nginx/domains/demodomain.com/public/500.html: OK
    /home/nginx/domains/demodomain.com/public/502.html: OK
    /home/nginx/domains/demodomain.com/public/503.html: OK
    /home/nginx/domains/demodomain.com/public/504.html: OK
    /home/nginx/domains/demodomain.com/public/50x.html: OK
    /home/nginx/domains/demodomain.com/public/maintenance.html: OK
    /home/nginx/domains/demodomain.com/log/access.log: Empty file
    /home/nginx/domains/demodomain.com/log/error.log: Empty file
    ----------- SCAN SUMMARY -----------
    Known viruses: 3501466
    Engine version: 0.98.4
    Scanned directories: 5
    Scanned files: 9
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 8.801 sec (0 m 8 s)
    Or just let Linux Malware Detect (maldet) do its job utilising the ClamAV Scanning Engine :)
     
    Last edited: Sep 18, 2017 at 2:44 AM
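The first post's sed one-liners for cron.daily/maldet append the two Centmin Mod scan lines again every time they are run, and the conf.maldet edits (email_alert, email_addr, quar_hits, and the auto-detected clamav_scan from the ClamAV section) are done by hand. The script below is an added example, not code from the thread or from Centmin Mod's own maldet.sh: it performs the same two changes idempotently and checks that alerts are actually wired up before relying on daily scans. The cron and config file paths are parameters; make_samples() writes constructed, trimmed copies of the files quoted above so the helpers can be tried without touching a real install.

```shell
#!/bin/bash
# Added example, not from the thread or from Centmin Mod's own maldet.sh:
# applies the conf.maldet settings and the cron.daily/maldet path additions
# from the first post in a way that is safe to re-run. The thread's sed
# one-liners append the two scan lines again every time they run; these
# helpers check first. File paths are parameters so the functions can be
# exercised on the constructed sample files that make_samples() writes.

# add_scan_path CRONFILE PATH
# Inserts "maldet -b -r PATH 2" after the cpanel-style public_html scan line,
# indented like the surrounding block, unless that line is already present.
# awk plus rename is used instead of "sed -i" so GNU and BSD userlands behave
# the same.
add_scan_path() {
    local cronfile=$1
    local line="/usr/local/maldetect/maldet -b -r $2 2 >> /dev/null 2>&1"
    if grep -qF -- "$line" "$cronfile"; then
        return 0                      # already there: nothing to do
    fi
    awk -v add="$line" '
        { print }
        index($0, "/home?/?/public_html") > 0 && !done {
            print "                " add
            done = 1
        }
    ' "$cronfile" > "$cronfile.tmp" && mv "$cronfile.tmp" "$cronfile"
}

# conf_get CONF KEY
# Prints KEY's value with any surrounding quotes stripped, so the older
# quar_hits=1 and the newer quarantine_hits="1" spellings the thread warns
# about are read the same way.
conf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '"'
}

# conf_set CONF KEY VALUE
# Rewrites an existing KEY line or appends one (VALUE must not contain "|"
# or "&", which this simple sed replacement does not escape).
conf_set() {
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# alerts_ready CONF
# True only when email alerts are enabled and at least one address is set:
# the same precondition the thread's maldet.sh enforces on ALERTEMAIL, checked
# here against the installed config instead.
alerts_ready() {
    [ "$(conf_get "$1" email_alert)" = "1" ] && [ -n "$(conf_get "$1" email_addr)" ]
}

# make_samples DIR
# Writes a trimmed cron.daily/maldet and conf.maldet into DIR. Both files are
# constructed for this example from the excerpts quoted in the thread.
make_samples() {
    cat > "$1/maldet" <<'EOF'
#!/bin/bash
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi
EOF
    cat > "$1/conf.maldet" <<'EOF'
email_alert=0
email_addr=""
quar_hits=0
clamav_scan=1
EOF
}

# Demo on the constructed files: run this script with --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_samples "$d"
    add_scan_path "$d/maldet" '/home/nginx/domains/?/public'
    add_scan_path "$d/maldet" /usr/local/nginx/html
    conf_set "$d/conf.maldet" email_alert 1
    conf_set "$d/conf.maldet" email_addr you@domain.com
    conf_set "$d/conf.maldet" quar_hits 1
    alerts_ready "$d/conf.maldet" && echo "alerts configured"
    cat "$d/maldet"
    rm -rf "$d"
fi
```

On a real server you would call add_scan_path against /etc/cron.daily/maldet and conf_set/alerts_ready against /usr/local/maldetect/conf.maldet; because add_scan_path looks for the exact line before inserting, running it from a provisioning script on every deploy leaves a single copy of each scan line.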
  2. Peter Downey

    Peter Downey Member

    Looks great. I'll have to give it a try.

    You mentioned that it's much slower than AVG; how hard is it on the CPU?
     
  3. eva2000

    eva2000 Administrator Staff Member

    For CPU load, maldet is actually lighter than AVG. AVG uses more CPU in parallel, hence the speed :)

    i.e. for 180,000 file/directory scan
    • AVG = ~750 seconds
    • Maldet = ~24,000 seconds
    Stats taken from a real live example I posted in my 10-page blog article on cleaning up hacked vBulletin forums at http://vbtechsupport.com/2355/9/
     
    Last edited: Jul 17, 2014
  4. eva2000

    eva2000 Administrator Staff Member

    Updated first post with details for Linux Malware Detect (maldet) + ClamAV Scanning Engine to speed up scanning times :D

    Wow, maldet + ClamAV is HEAPS faster !

    This is a scan on a site with 200,342 to 200,474 files to compare. Yes, the first maldet-only scan picked up some malware while maldet + clamav didn't, as I had already cleaned that up from the first scan. But scan times are dramatically different.

    • maldet only = 632 minutes and 5.563s ! = 37,925.563 seconds
    • maldet + clamav = 1min 11.127s :eek: :D :cool: = 71.127 seconds, ~533x faster!
    maldet only

    Code:
    time maldet -a /home/nginx/domains/domain.com/public
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(29923): {scan} signatures loaded: 11760 (9871 MD5 / 1889 HEX)
    maldet(29923): {scan} building file list for /home/nginx/domains/domain.com/public, this might take awhile...
    maldet(29923): {scan} file list completed, found 200342 files...
    maldet(29923): {scan} 200342/200342 files scanned: 8 hits 4 cleaned
    maldet(29923): {scan} scan completed on /home/nginx/domains/domain.com/public: files 200342, malware hits 8, cleaned hits 4
    maldet(29923): {scan} scan report saved, to view run: maldet --report 071614-1236.29923
    maldet(29923): {alert} sent scan report to you@domain.com,yourapikey+devicename+p1@api.pushover.net
    
    real    632m5.563s
    user    301m31.873s
    sys     359m12.706s
    maldet + clamav

    notice the line about finding ClamAV clamscan binary :)

    Code:
    maldet(11035): {scan} found ClamAV clamscan binary, using as scanner engine...
    Code:
    time maldet -a /home/nginx/domains/domain.com/public
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(11035): {scan} signatures loaded: 11760 (9871 MD5 / 1889 HEX)
    maldet(11035): {scan} building file list for /home/nginx/domains/domain.com/public, this might take awhile...
    maldet(11035): {scan} file list completed, found 200474 files...
    maldet(11035): {scan} found ClamAV clamscan binary, using as scanner engine...
    maldet(11035): {scan} scan of /home/nginx/domains/domain.com/public (200474 files) in progress...
    
    maldet(11035): {scan} scan completed on /home/nginx/domains/domain.com/public: files 200474, malware hits 0, cleaned hits 0
    maldet(11035): {scan} scan report saved, to view run: maldet --report 071914-1614.11035
    
    real    1m11.127s
    user    0m6.011s
    sys     0m5.319s
    With such a speed-up, I might even make maldet + clamav a default installed menu based option for Centmin Mod instead of an addon :D
     
    Last edited: Jul 20, 2014
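Both the event_log excerpt in the first post and the timed runs above end each scan with the same "scan completed on PATH: files N, malware hits H, cleaned hits C" line, which is the one line a daily cron wrapper actually needs to inspect. The script below is an added example, not code from the thread or from maldet itself: it reduces either log format to one record per scan and exposes a non-zero exit status when any scan reported hits. SAMPLE_LOG is constructed from lines quoted in this thread so the functions run offline.

```shell
#!/bin/bash
# Added example, not from the thread or from maldet: summarise maldet's
# "scan completed" lines so a cron wrapper can flag only scans with hits.
# Works on both the event_log format (timestamp and host prefix, as shown by
# "cat /usr/local/maldetect/event_log") and the interactive output printed by
# "time maldet -a ...", because the tail of the line is identical in both.
# SAMPLE_LOG is constructed from lines quoted in the thread.

SAMPLE_LOG='Jul 14 07:27:10 centos7 maldet(8567): {scan} scan completed on /home*/*/public_html: files 1, malware hits 0, cleaned hits 0
Jul 14 07:47:19 centos7 maldet(8847): {scan} scan completed on /home/nginx/domains/*/public: files 10, malware hits 0, cleaned hits 0
Jul 14 07:47:19 centos7 maldet(8847): {scan} scan report saved, to view run: maldet --report 071414-0747.8847
maldet(29923): {scan} scan completed on /home/nginx/domains/domain.com/public: files 200342, malware hits 8, cleaned hits 4'

# scan_summary < LOG
# Prints "PATH FILES HITS CLEANED" for every completed scan read from stdin.
scan_summary() {
    awk '/scan completed on / {
        sub(/.*scan completed on /, "")   # keep "PATH: files N, malware hits H, cleaned hits C"
        split($0, p, ": files ")          # p[1] = PATH, p[2] = "N, malware hits H, cleaned hits C"
        split(p[2], f, ", ")              # f[1] = N, f[2] = "malware hits H", f[3] = "cleaned hits C"
        sub(/malware hits /, "", f[2])
        sub(/cleaned hits /, "", f[3])
        print p[1], f[1], f[2], f[3]
    }'
}

# scans_with_hits < LOG
# Prints the path of every scan whose malware hit count is above zero.
scans_with_hits() {
    scan_summary | awk '$3 > 0 { print $1 }'
}

# total_hits < LOG
# Sums malware hits across all scans; prints 0 when there are none.
total_hits() {
    scan_summary | awk '{ s += $3 } END { print s + 0 }'
}

# check_log < LOG
# Exit status for a cron wrapper: 0 when no scan had hits, 1 otherwise.
# Usage: check_log < /usr/local/maldetect/event_log || mail -s "maldet hits" you@domain.com
check_log() {
    [ "$(total_hits)" -eq 0 ]
}
```

Because the cron.daily/maldet job in the first post sends its own output to /dev/null, piping the event_log through check_log from a second cron entry is a simple way to get a hard failure signal (for a monitoring hook) rather than relying only on the email report.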
  5. eva2000

    eva2000 Administrator Staff Member

    Okay, the first maldet.sh beta 0.0.1 release of the addon installer for the maldet+clamav scanner for Centmin Mod users is posted at centminmod/maldet.sh at 123.08centos7beta01 · centminmod/centminmod · GitHub. Update: made some revisional changes at History for addons/maldet.sh - centminmod/centminmod · GitHub.

    You'd need to fill in ALERTEMAIL='your@emailaddress.com' to get email alerts. The maldet.sh script should detect if ALERTEMAIL is empty and abort the install until you fill in the ALERTEMAIL variable.

    If you have a pushover.net account, you can also get mobile device push notifications for maldet detected malware hits/alerts by setting your pushover.net email i.e. youruserkey+devicename+p1@api.pushover.net and also configuring ALERT_POEMAIL='' variable in maldet.sh.

    Code:
    # enter email address you want alerts sent to
    # i.e. your@domain.com
    ALERTEMAIL=''
    
    # enter your pushover.net email you want alerts sent to
    # i.e. youruserkey+devicename+p1@api.pushover.net
    ALERT_POEMAIL=''
    The script detects if ALERTEMAIL is empty:
    Code:
    ./maldet.sh
    CentOS / RHEL system detected
    
    ALERTEMAIL variable detected as empty
    edit ./maldet.sh and set an email address for ALERTEMAIL
    Then re-run the script ./maldet.sh
    To install maldet.sh:

    Change into the addons directory:
    Code:
    cd /usr/local/src/centminmod/addons
    
    then edit maldet.sh via the nano or vim text editors, i.e.:
    Code:
    nano -w maldet.sh
    
    And fill in ALERTEMAIL='' with your email address and, if you want pushover.net notifications, set ALERT_POEMAIL=''. Hit CTRL+X to save and exit nano.

    then run maldet.sh:
    Code:
    ./maldet.sh
    
    DO this on a test VPS first and NOT on a live production server, as maldet.sh is beta right now.

    More conscious of malware as I just cleaned up my sister's infected Windows 8 laptop - a lot of malware/adware infections. Always good to keep yourself protected ;)
     
    Last edited: Apr 24, 2017
  6. Matt

    Matt Moderator Staff Member

    Got Maldet and ClamAV running on both my servers now.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Awesome, would be interesting to see how fast maldet + clamscan is for your hardware :)

    Code:
    time maldet -a /home/nginx/domains/domain.com/public
     
  8. Matt

    Matt Moderator Staff Member

    Code:
    [root@host ControllerPublic]# time maldet -a /home/nginx/domains/mattwservices.co.uk/public
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    /usr/local/sbin/maldet: line 255: [: : integer expression expected
    maldet(26626): {scan} signatures loaded: 11776 (9883 MD5 / 1893 HEX)
    maldet(26626): {scan} building file list for /home/nginx/domains/mattwservices.co.uk/public, this might take awhile...
    maldet(26626): {scan} file list completed, found 10904 files...
    maldet(26626): {scan} found ClamAV clamscan binary, using as scanner engine...
    maldet(26626): {scan} scan of /home/nginx/domains/mattwservices.co.uk/public (10904 files) in progress...
    
    maldet(26626): {scan} scan completed on /home/nginx/domains/mattwservices.co.uk/public: files 10904, malware hits 0, cleaned hits 0
    maldet(26626): {scan} scan report saved, to view run: maldet --report 072714-1932.26626
    
    real    0m22.193s
    user    0m21.288s
    sys     0m0.512s
     
  9. eva2000

    eva2000 Administrator Staff Member

    nice

    seems you got an error? maybe in maldet conf?

    Code:
    /usr/local/sbin/maldet: line 255: [: : integer expression expected
     
  10. Matt

    Matt Moderator Staff Member

    That's the heartbleed check:
    Code:
    check_opensslheartbleed() {
    rpm=`which rpm 2> /dev/null`
    if [ "$rpm" ]; then
            check_openssl=`$rpm -q openssl | grep 1.0.1 | head -n1`
            goodrev="5.7"
            if [ "$check_openssl" ]; then
                    rev=`echo $check_openssl| grep 1.0.1 | sed -e 's/el6_/ /' -e 's/.x86_64/ /' -e 's/.i686/ /' | awk '{print$2}'`
                    if [ "$(echo $rev | tr -d '.')" -lt "$(echo $goodrev | tr -d '.')" ]; then
                            alert_heartbleed=1
                    fi
            fi
    fi
    }
     
  11. Matt

    Matt Moderator Staff Member

    Breaking it down:

    Code:
    [root@host tmp]# rpm -q openssl | grep 1.0.1 | head -n1
    openssl-1.0.1h-1.el6.x86_64
    [root@host tmp]# echo openssl-1.0.1h-1.el6.x86_64 | grep 1.0.1 | sed -e 's/el6_/ /' -e 's/.x86_64/ /' -e 's/.i686/ /' | awk '{print$2}'
    
    [root@host tmp]# 
     
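    The two posts above show why the check fails: the sed in check_opensslheartbleed() only splits on an "el6_" errata suffix, so a package string like openssl-1.0.1h-1.el6.x86_64 yields an empty rev and "[ -lt ]" is handed an empty string. As an added example (not maldet's or Centmin Mod's own code), here is a rewrite of that check that reports such strings as "unknown" instead of erroring; it keeps the original's goodrev of 5.7, adds the rule that upstream fixed Heartbleed in 1.0.1g, and the package strings it is run on are constructed.

    ```shell
    #!/bin/sh
    # Added example, not maldet's own code: a tolerant version of the
    # check_opensslheartbleed() logic quoted above. Constructed inputs at the end.

    # Print the errata revision ("5.7" in openssl-1.0.1e-16.el6_5.7.x86_64);
    # print nothing when no "el6_X.Y" suffix exists (openssl-1.0.1h-1.el6.x86_64).
    openssl_errata_rev() {
        printf '%s\n' "$1" | sed -n 's/^.*\.el[0-9]\{1,\}_\([0-9.]\{1,\}\)\.[a-z0-9_]\{1,\}$/\1/p'
    }

    # Print the upstream patch letter ("e" in openssl-1.0.1e-16...), if any.
    openssl_letter() {
        printf '%s\n' "$1" | sed -n 's/^openssl-1\.0\.1\([a-z]\)-.*$/\1/p'
    }

    # Classify one `rpm -q openssl` string: prints patched|vulnerable|unknown|not-1.0.1
    # and returns 0 only for "vulnerable", 2 for "unknown", 1 otherwise.
    heartbleed_status() {
        pkg="$1"
        case "$pkg" in
            openssl-1.0.1*) ;;
            *) echo "not-1.0.1"; return 1 ;;
        esac
        # Upstream fixed Heartbleed in 1.0.1g, so any later letter is patched
        # regardless of the distro errata number.
        case "$(openssl_letter "$pkg")" in
            [g-z]) echo "patched"; return 1 ;;
        esac
        rev=$(openssl_errata_rev "$pkg")
        if [ -z "$rev" ]; then
            # The original compared "" as an integer here; say "unknown" instead.
            echo "unknown"; return 2
        fi
        maj=${rev%%.*}
        case "$rev" in *.*) min=${rev#*.} ;; *) min=0 ;; esac
        min=${min%%.*}   # ignore anything past the second component
        # goodrev 5.7 from the original check, compared component-wise
        if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 7 ]; }; then
            echo "vulnerable"; return 0
        fi
        echo "patched"; return 1
    }

    # Constructed package strings covering each branch.
    for p in openssl-1.0.1e-16.el6_5.7.x86_64 openssl-1.0.1e-16.el6_5.4.x86_64 \
             openssl-1.0.1h-1.el6.x86_64 openssl-1.0.1e-15.el6.x86_64; do
        printf '%-36s %s\n' "$p" "$(heartbleed_status "$p")"
    done
    ```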
  12. eva2000

    eva2000 Administrator Staff Member

    ah returns empty for us :)
     
  13. eva2000

    eva2000 Administrator Staff Member

    Made a minor fix to the Gist hosted maldet.sh addon mentioned here, as well as the one included in the .08 beta addons/maldet.sh directory (actual commit), to enable email alerts in the script - revisions shown at Revisions · maldet.sh

    last 7 days scan for just Centmin Mod web roots

    Code:
    /usr/local/maldetect/maldet -r /home/nginx/domains/?/public
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(16277): {scan} signatures loaded: 11788 (9895 MD5 / 1893 HEX)
    maldet(16277): {scan} building file list for /home/nginx/domains/*/public of new/modified files from last 7 days, this might take awhile...
    maldet(16277): {scan} file list completed, found 112 files...
    maldet(16277): {scan} found ClamAV clamscan binary, using as scanner engine...
    maldet(16277): {scan} scan of /home/nginx/domains/*/public (112 files) in progress...
    
    maldet(16277): {scan} scan completed on /home/nginx/domains/*/public: files 112, malware hits 0, cleaned hits 0
    maldet(16277): {scan} scan report saved, to view run: maldet --report 092614-0045.16277
    Code:
    malware detect scan report for myhostname:
    SCAN ID: 092614-0045.16277
    TIME: Sep 26 00:45:48 +0000
    PATH: /home/nginx/domains/*/public
    RANGE: 7 days
    TOTAL FILES: 112
    TOTAL HITS: 0
    TOTAL CLEANED: 0
    
    ===============================================
    Linux Malware Detect v1.4.2 < proj@rfxn.com >
    full scan from /home
    Code:
    /usr/local/maldetect/maldet -a /home/
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(11218): {scan} signatures loaded: 11788 (9895 MD5 / 1893 HEX)
    maldet(11218): {scan} building file list for /home/, this might take awhile...
    maldet(11218): {scan} file list completed, found 51072 files...
    maldet(11218): {scan} found ClamAV clamscan binary, using as scanner engine...
    maldet(11218): {scan} scan of /home/ (51072 files) in progress...
    
    maldet(11218): {scan} scan completed on /home/: files 51072, malware hits 0, cleaned hits 0
    maldet(11218): {scan} scan report saved, to view run: maldet --report 092614-0301.11218
     
    Last edited: Sep 26, 2014
  14. eva2000

    eva2000 Administrator Staff Member

    False positive: if you update OpenSSL for the latest POODLE SSLv3 TLS_FALLBACK_SCSV support and have Maldet scanning enabled, it may incorrectly say you're vulnerable to the Heartbleed exploit.

    You get this Pushover mobile client notification if you have configured yum-cron for daily yum updates and also have Maldet set for pushover notifications.

    Running the SSL Labs test confirms it's not vulnerable to Heartbleed: Qualys SSL Labs - Projects / SSL Server Test / community.centminmod.com

    pushover_openssl_update_poodle_00.png
     
    Last edited: Oct 18, 2014
  15. pamamolf

    pamamolf Well-Known Member

    2,675
    240
    63
    May 31, 2014
    Ratings:
    +425
    Local Time:
    2:22 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Great to have this in Centminmod Menu :)
     
    Last edited: Oct 17, 2014
  16. pamamolf

    pamamolf Well-Known Member

    Code:
    WARNING: getfile: daily-19121.cdiff not found on remote server (IP: 64.22.33.90)
    WARNING: getpatch: Can't download daily-19121.cdiff from db.us.clamav.net
    connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
    Can't connect to port 80 of host db.us.clamav.net (IP: 65.19.179.67)
    Trying host db.us.clamav.net (128.199.133.36)...
    WARNING: getfile: daily-19121.cdiff not found on remote server (IP: 128.199.133.36)
    WARNING: getpatch: Can't download daily-19121.cdiff from db.us.clamav.net
    WARNING: getfile: daily-19121.cdiff not found on remote server (IP: 69.12.162.28)
    WARNING: getpatch: Can't download daily-19121.cdiff from db.us.clamav.net
    WARNING: Incremental update failed, trying to download daily.cvd
    
    Downloading daily.cvd seems to work but the daily-19121.cdiff failed, and I'm just reporting this :)

    Thanks
     
  17. eva2000

    eva2000 Administrator Staff Member

    just try updating again

    to update
    Code:
    maldet -u
    Code:
    maldet -h
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    signature set: 2014101812009
    usage /usr/local/sbin/maldet [ OPTION ]
        -b, --background
          Execute operations in the background, ideal for large scans
          e.g: maldet -b -r /home/?/public_html 7
    
        -u, --update
           Update malware detection signatures from rfxn.com
    
        -d, --update-ver
           Update the installed version from rfxn.com
    
        -m, --monitor USERS|PATHS|FILE
           Run maldet with inotify kernel level file create/modify monitoring
           If USERS is specified, monitor user homedirs for UID's > 500
           If FILE is specified, paths will be extracted from file, line spaced
           If PATHS are specified, must be comma spaced list, NO WILDCARDS!
           e.g: maldet --monitor users
           e.g: maldet --monitor /root/monitor_paths
           e.g: maldet --monitor /home/mike,/home/ashton
    
        -k, --kill
           Terminate inotify monitoring service
    
        -r, --scan-recent PATH DAYS
           Scan files created/modified in the last X days (default: 7d, wildcard: ?)
           e.g: maldet -r /home/?/public_html 2
    
        -a, --scan-all PATH
           Scan all files in path (default: /home, wildcard: ?)
           e.g: maldet -a /home/?/public_html
    
        -c, --checkout FILE
           Upload suspected malware to rfxn.com for review & hashing into signatures
    
        -l, --log
           View maldet log file events
    
        -e, --report SCANID email
           View scan report of most recent scan or of a specific SCANID and optionally
           e-mail the report to a supplied e-mail address
           e.g: maldet --report
           e.g: maldet --report list
           e.g: maldet --report 050910-1534.21135
           e.g: maldet --report SCANID user@domain.com
    
        -s, --restore FILE|SCANID
           Restore file from quarantine queue to orginal path or restore all items from
           a specific SCANID
           e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
           e.g: maldet --restore 050910-1534.21135
    
        -q, --quarantine SCANID
           Quarantine all malware from report SCANID
           e.g: maldet --quarantine 050910-1534.21135
    
        -n, --clean SCANID
           Try to clean & restore malware hits from report SCANID
           e.g: maldet --clean 050910-1534.21135
    
        -U, --user USER
           Set execution under specified user, ideal for restoring from user quarantine or
           to view user reports.
           e.g: maldet --user nobody --report
           e.g: maldet --user nobody --restore 050910-1534.21135
    
        -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
           Set or redefine the value of conf.maldet config options
           e.g: maldet --config-option email_addr=you@domain.com,quar_hits=1
    
        -p, --purge
           Clear logs, quarantine queue, session and temporary data.
     
  18. pamamolf

    pamamolf Well-Known Member

    It is already updated using the daily.cvd but I posted it just for the warnings, in case any fix is needed :)

    Thanks
     
  19. eva2000

    eva2000 Administrator Staff Member

    no fix needed, maldet will try updating the next time if it fails
     
  20. pamamolf

    pamamolf Well-Known Member

    Ok, I edited it and added my email and scanned my public folder, and all is fine, no malware, but I didn't get any mail about this scan :(

    Code:
    ALERTEMAIL='mymail@gmail.com'
    Or must I adjust something else or run the scanning command with an extra parameter?

    I used:

    Code:
    /usr/local/maldetect/maldet -a /home/nginx/domains/mydomain.com/public/