Centmin Mod already has an official addon for AVG Anti-Virus for Linux to manually scan for viruses and malware on Linux servers (Centmin Mod Addons for Menu based Nginx installer for CentOS servers). It's very fast for scanning but doesn't detect all malware out there. Linux Malware Detect (maldet), on the other hand, is much slower, up to 50x slower than AVG for scanning (but much faster when paired with ClamAV now, see below), can pick up more malware variants out there (Linux Malware Detect | R-fx Networks) and, unlike AVG, has automatic cronjobs set for daily scanning and daily definition updates, while AVG is manual scanning and definition updates only.

Updated: March 15th, 2015: Added a How to install Centmin Mod maldet.sh addon video for .08 beta releases.

Links:
- Official Linux Malware Detect web site: Linux Malware Detect | R-fx Networks. The readme at http://www.rfxn.com/appdocs/README.maldetect has a lot of juicy info to chew on and digest.
- 15 maldet commands and switch examples

I'm going to make an official Centmin Mod Addon for Linux Malware Detect (maldet), but for now here's how to manually install Linux Malware Detect on Centmin Mod servers.

Update: for the Centmin Mod maldet.sh addon auto installer, check the 5th post.

Code (Text):
cd /svr-setup
wget -cnv http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xfz maldetect-current.tar.gz
cd maldetect-*
./install.sh

After install make sure to edit the maldet config file at /usr/local/maldetect/conf.maldet and add your email address so you get email notifications for malware detected during maldet scans. Set email_alert=1 to enable email alerts and set email_addr with a comma separated list of email addresses to send alerts to.
If you want you can also set up push notifications to your mobile device by signing up with Pushover: Simple Notifications for Android, iOS, and Desktop and setting up a mobile device name where you can send email to. You may also want to enable automatic quarantine of detected malware by setting quar_hits=1.

Code (Bash):
# [ EMAIL ALERTS ]
##

# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="you@domain.com,youruserkey+devicename+p1@api.pushover.net"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##

# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500

The install.sh output would look something like this and also shows the paths to the maldet config file at /usr/local/maldetect/conf.maldet and cron.daily at /etc/cron.daily/maldet:

Code (Text):
./install.sh
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

/usr/local/maldetect/maldet: line 255: [: : integer expression expected
maldet(8327): {sigup} performing signature update check...
maldet(8327): {sigup} local signature set is version 201205035915
maldet(8327): {sigup} new signature set (2014061517666) available
maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
maldet(8327): {sigup} signature set update completed
maldet(8327): {sigup} 11760 signatures (9871 MD5 / 1889 HEX)

The cron.daily/maldet file is a shell script listing which paths maldet scans daily; it supports commonly used control panels' templated paths and looks like this:

Code (Bash):
#!/bin/bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH

# sleep for random value to give upstream a bit of headroom
sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi

        # scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2 >> /dev/null 2>&1
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2 >> /dev/null 2>&1
        fi
fi

We need to tweak the cron.daily/maldet to add Centmin Mod Nginx's vhost default template setup paths at /home/nginx/domains/domainname.com/public_html by typing the below to append to the existing configuration:

Code (Bash):
sed -i '/\/home?\/?\/public_html/ a\ \/usr\/local\/maldetect\/maldet -b -r \/home\/nginx\/domains\/?\/public 2 >> \/dev\/null 2>&1' /etc/cron.daily/maldet
sed -i '/\/home?\/?\/public_html/ a\ \/usr\/local\/maldetect\/maldet -b -r \/usr\/local\/nginx\/html 2 >> \/dev\/null 2>&1' /etc/cron.daily/maldet

Once the command is run, you will see an additional 2 lines appended to cron.daily/maldet to scan Centmin Mod Nginx's vhost paths:

Code (Bash):
/usr/local/maldetect/maldet -b -r /home/nginx/domains/?/public 2 >> /dev/null 2>&1
/usr/local/maldetect/maldet -b -r /usr/local/nginx/html 2 >> /dev/null 2>&1

The full appended cron.daily/maldet file is below:

Code (Bash):
#!/bin/bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH

# sleep for random value to give upstream a bit of headroom
sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/nginx/domains/?/public 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /usr/local/nginx/html 2 >> /dev/null 2>&1
        fi

        # scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2 >> /dev/null 2>&1
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2 >> /dev/null 2>&1
        fi
fi

Sample manual maldet background scan:

Code (Text):
/usr/local/maldetect/maldet -b -r /home/nginx/domains/?/public
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(8847): {scan} launching scan of /home/nginx/domains/?/public changes in last 7d to background, see /usr/local/maldetect/event_log for progress

Checking the maldetect event_log:

Code (Text):
cat /usr/local/maldetect/event_log
Jul 14 07:07:47 centos7 maldet(8327): {sigup} performing signature update check...
Jul 14 07:07:47 centos7 maldet(8327): {sigup} local signature set is version 201205035915
Jul 14 07:07:47 centos7 maldet(8327): {sigup} new signature set (2014061517666) available
Jul 14 07:07:51 centos7 maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
Jul 14 07:07:54 centos7 maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
Jul 14 07:07:56 centos7 maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
Jul 14 07:08:00 centos7 maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
Jul 14 07:08:00 centos7 maldet(8327): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
Jul 14 07:08:00 centos7 maldet(8327): {sigup} signature set update completed
Jul 14 07:08:00 centos7 maldet(8327): {sigup} 11760 signatures (9871 MD5 / 1889 HEX)
Jul 14 07:27:09 centos7 maldet(8567): {scan} launching scan of /home?/?/public_html changes in last 7d to background, see /usr/local/maldetect/event_log for progress
Jul 14 07:27:09 centos7 maldet(8567): {scan} signatures loaded: 11760 (9871 MD5 / 1889 HEX)
Jul 14 07:27:09 centos7 maldet(8567): {scan} building file list for /home*/*/public_html of new/modified files from last 7 days, this might take awhile...
Jul 14 07:27:09 centos7 maldet(8567): {scan} file list completed, found 1 files...
Jul 14 07:27:10 centos7 maldet(8567): {scan} scan completed on /home*/*/public_html: files 1, malware hits 0, cleaned hits 0
Jul 14 07:27:10 centos7 maldet(8567): {scan} scan report saved, to view run: maldet --report 071414-0727.8567
Jul 14 07:47:17 centos7 maldet(8847): {scan} launching scan of /home/nginx/domains/?/public changes in last 7d to background, see /usr/local/maldetect/event_log for progress
Jul 14 07:47:17 centos7 maldet(8847): {scan} signatures loaded: 11760 (9871 MD5 / 1889 HEX)
Jul 14 07:47:17 centos7 maldet(8847): {scan} building file list for /home/nginx/domains/*/public of new/modified files from last 7 days, this might take awhile...
Jul 14 07:47:17 centos7 maldet(8847): {scan} file list completed, found 10 files...
Jul 14 07:47:19 centos7 maldet(8847): {scan} scan completed on /home/nginx/domains/*/public: files 10, malware hits 0, cleaned hits 0
Jul 14 07:47:19 centos7 maldet(8847): {scan} scan report saved, to view run: maldet --report 071414-0747.8847

Checking the report itself:

Code (Text):
maldet --report 071414-0747.8847
malware detect scan report for centos7.localdomain:
SCAN ID: 071414-0747.8847
TIME: Jul 14 07:47:19 +0000
PATH: /home/nginx/domains/*/public
RANGE: 7 days
TOTAL FILES: 10
TOTAL HITS: 0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >

As stated above, AVG Antivirus for Linux (Centmin Mod Addons for Menu based Nginx installer for CentOS servers) has much faster scan speed but requires manual update and scan runs and has less wide malware definition/detection coverage compared to Linux Malware Detect (maldet). So sometimes installing both complements each other.

Linux Malware Detect (maldet) + ClamAV Scanning Engine

Update: Speed up Maldet scanning by installing the ClamAV Antivirus scanner.
In the /usr/local/maldetect/conf.maldet config file there is a setting that auto detects if ClamAV (Clam AntiVirus) is installed and uses the ClamAV scan engine for up to 4x faster scanning.

Code (Text):
# Attempt to detect the presence of ClamAV clamscan binary
# and use as default scanner engine; up to four times faster
# scan performance and superior hex analysis. This option
# only uses ClamAV as the scanner engine, LMD signatures
# are still the basis for detecting threats.
# [ 0 = disabled, 1 = enabled; enabled by default ]
clamav_scan=1

To install ClamAV Anti Virus, do the following steps: install via YUM, start the clamd service, ensure it restarts on reboot and run the freshclam command to update the definitions for ClamAV.

Code (Text):
yum -y install clamav clamd
/etc/init.d/clamd start
chkconfig clamd on
freshclam

For manual ClamAV scanning, invoke the clamscan command. Its help options:

Code (Text):
clamscan -h
                       Clam AntiVirus Scanner 0.98.4
           By The ClamAV Team: http://www.clamav.net/team
           (C) 2007-2009 Sourcefire, Inc.

    --help                 -h             Print this help screen
    --version              -V             Print version number
    --verbose              -v             Be verbose
    --archive-verbose      -a             Show filenames inside scanned archives
    --debug                               Enable libclamav's debug messages
    --quiet                               Only output error messages
    --stdout                              Write to stdout instead of stderr
    --no-summary                          Disable summary at end of scanning
    --infected             -i             Only print infected files
    --suppress-ok-results  -o             Skip printing OK files
    --bell                                Sound bell on virus detection

    --tempdir=DIRECTORY                   Create temporary files in DIRECTORY
    --leave-temps[=yes/no(*)]             Do not remove temporary files
    --database=FILE/DIR    -d FILE/DIR    Load virus database from FILE or load all supported db files from DIR
    --official-db-only[=yes/no(*)]        Only load official signatures
    --log=FILE             -l FILE        Save scan report to FILE
    --recursive[=yes/no(*)]  -r           Scan subdirectories recursively
    --allmatch[=yes/no(*)]   -z           Continue scanning within file after finding a match
    --cross-fs[=yes(*)/no]                Scan files and directories on other filesystems
    --follow-dir-symlinks[=0/1(*)/2]      Follow directory symlinks (0 = never, 1 = direct, 2 = always)
    --follow-file-symlinks[=0/1(*)/2]     Follow file symlinks (0 = never, 1 = direct, 2 = always)
    --file-list=FILE       -f FILE        Scan files from FILE
    --remove[=yes/no(*)]                  Remove infected files. Be careful!
    --move=DIRECTORY                      Move infected files into DIRECTORY
    --copy=DIRECTORY                      Copy infected files into DIRECTORY
    --exclude=REGEX                       Don't scan file names matching REGEX
    --exclude-dir=REGEX                   Don't scan directories matching REGEX
    --include=REGEX                       Only scan file names matching REGEX
    --include-dir=REGEX                   Only scan directories matching REGEX

    --bytecode[=yes(*)/no]                Load bytecode from the database
    --bytecode-unsigned[=yes/no(*)]       Load unsigned bytecode
    --bytecode-timeout=N                  Set bytecode timeout (in milliseconds)
    --bytecode-statistics[=yes/no(*)]     Collect and print bytecode statistics
    --detect-pua[=yes/no(*)]              Detect Possibly Unwanted Applications
    --exclude-pua=CAT                     Skip PUA sigs of category CAT
    --include-pua=CAT                     Load PUA sigs of category CAT
    --detect-structured[=yes/no(*)]       Detect structured data (SSN, Credit Card)
    --structured-ssn-format=X             SSN format (0=normal,1=stripped,2=both)
    --structured-ssn-count=N              Min SSN count to generate a detect
    --structured-cc-count=N               Min CC count to generate a detect
    --scan-mail[=yes(*)/no]               Scan mail files
    --phishing-sigs[=yes(*)/no]           Signature-based phishing detection
    --phishing-scan-urls[=yes(*)/no]      URL-based phishing detection
    --heuristic-scan-precedence[=yes/no(*)]  Stop scanning as soon as a heuristic match is found
    --phishing-ssl[=yes/no(*)]            Always block SSL mismatches in URLs (phishing module)
    --phishing-cloak[=yes/no(*)]          Always block cloaked URLs (phishing module)
    --partition-intersection[=yes/no(*)]  Detect partition intersections in raw disk images using heuristics.
    --algorithmic-detection[=yes(*)/no]   Algorithmic detection
    --scan-pe[=yes(*)/no]                 Scan PE files
    --scan-elf[=yes(*)/no]                Scan ELF files
    --scan-ole2[=yes(*)/no]               Scan OLE2 containers
    --scan-pdf[=yes(*)/no]                Scan PDF files
    --scan-swf[=yes(*)/no]                Scan SWF files
    --scan-html[=yes(*)/no]               Scan HTML files
    --scan-archive[=yes(*)/no]            Scan archive files (supported by libclamav)
    --detect-broken[=yes/no(*)]           Try to detect broken executable files
    --block-encrypted[=yes/no(*)]         Block encrypted archives
    --nocerts                             Disable authenticode certificate chain verification in PE files
    --dumpcerts                           Dump authenticode certificate chain in PE files

    --max-filesize=#n                     Files larger than this will be skipped and assumed clean
    --max-scansize=#n                     The maximum amount of data to scan for each container file (**)
    --max-files=#n                        The maximum number of files to scan for each container file (**)
    --max-recursion=#n                    Maximum archive recursion level for container file (**)
    --max-dir-recursion=#n                Maximum directory recursion level
    --max-embeddedpe=#n                   Maximum size file to check for embedded PE
    --max-htmlnormalize=#n                Maximum size of HTML file to normalize
    --max-htmlnotags=#n                   Maximum size of normalized HTML file to scan
    --max-scriptnormalize=#n              Maximum size of script file to normalize
    --max-ziptypercg=#n                   Maximum size zip to type reanalyze
    --max-partitions=#n                   Maximum number of partitions in disk image to be scanned
    --max-iconspe=#n                      Maximum number of icons in PE file to be scanned
    --enable-stats                        Enable statistical reporting of malware
    --disable-pe-stats                    Disable submission of individual PE sections in stats submissions
    --stats-timeout=#n                    Number of seconds to wait for waiting a response back from the stats server
    --stats-host-id=UUID                  Set the Host ID used when submitting statistical info.

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other files inside. The above options ensure safe processing of this kind of data.
Two clamscan examples, one with -i for infected-only reports and one without (more verbose).

Code (Text):
clamscan -i -r /home/nginx/domains/demodomain.com/

----------- SCAN SUMMARY -----------
Known viruses: 3501466
Engine version: 0.98.4
Scanned directories: 5
Scanned files: 9
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 17.927 sec (0 m 17 s)

Code (Text):
clamscan -r /home/nginx/domains/demodomain.com/
/home/nginx/domains/demodomain.com/public/index.html: OK
/home/nginx/domains/demodomain.com/public/403.html: OK
/home/nginx/domains/demodomain.com/public/404.html: OK
/home/nginx/domains/demodomain.com/public/500.html: OK
/home/nginx/domains/demodomain.com/public/502.html: OK
/home/nginx/domains/demodomain.com/public/503.html: OK
/home/nginx/domains/demodomain.com/public/504.html: OK
/home/nginx/domains/demodomain.com/public/50x.html: OK
/home/nginx/domains/demodomain.com/public/maintenance.html: OK
/home/nginx/domains/demodomain.com/log/access.log: Empty file
/home/nginx/domains/demodomain.com/log/error.log: Empty file

----------- SCAN SUMMARY -----------
Known viruses: 3501466
Engine version: 0.98.4
Scanned directories: 5
Scanned files: 9
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 8.801 sec (0 m 8 s)

Or just let Linux Malware Detect (maldet) do its job utilising the ClamAV scanning engine.
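The two sed commands in the post above insert their line every time they are run, so running them a second time (say, after re-running the installer) leaves duplicate scan lines in cron.daily/maldet. Below is an added example, not Centmin Mod's or maldet's own code, of doing the same edit idempotently: it checks for the exact line first and inserts new scan paths after the generic /home?/?/public_html block, keeping that block's indentation. It works on a constructed copy of the relevant part of the stock cron file; the helper names (make_sample_cron, add_maldet_scan_path, scan_paths) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not Centmin Mod's or maldet's own code: add scan paths to a
# cron.daily/maldet style script idempotently. Assumed helper names:
# make_sample_cron, add_maldet_scan_path, scan_paths.

# Constructed sample: the branch of the stock cron.daily/maldet that matters here.
make_sample_cron() {
        cat > "$1" <<'EOF'
#!/bin/bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
        if [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi
EOF
}

# add_maldet_scan_path CRONFILE PATH [DAYS]: add a "maldet -b -r PATH DAYS" line
# unless an identical line is already present. The file is rewritten from a
# complete temporary copy, so a failed awk run leaves the original untouched.
add_maldet_scan_path() {
        cronfile="$1" scanpath="$2" days="${3:-2}"
        line="/usr/local/maldetect/maldet -b -r $scanpath $days >> /dev/null 2>&1"
        if grep -qF -- "$line" "$cronfile"; then
                return 0                       # already there: no-op
        fi
        awk -v add="$line" '
                # flush the pending insert once the anchor block of maldet calls ends
                pending && index($0, "/usr/local/maldetect/maldet -b -r") == 0 {
                        print indent add; pending = 0
                }
                { print }
                # the generic public_html scan line is the anchor, as in the post
                !done && index($0, "/home?/?/public_html 2 >>") {
                        match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
                        pending = 1; done = 1
                }
                END { if (pending) print indent add }
        ' "$cronfile" > "$cronfile.tmp" && mv "$cronfile.tmp" "$cronfile"
}

# scan_paths CRONFILE: list the paths handed to "maldet -b -r", in file order.
scan_paths() {
        awk 'index($0, "/usr/local/maldetect/maldet -b -r") { print $4 }' "$1"
}

# Usage demo on a temporary copy; it never touches /etc/cron.daily/maldet.
demo=$(mktemp)
make_sample_cron "$demo"
add_maldet_scan_path "$demo" '/home/nginx/domains/?/public' 2
add_maldet_scan_path "$demo" '/usr/local/nginx/html' 2
add_maldet_scan_path "$demo" '/usr/local/nginx/html' 2   # second run is a no-op
scan_paths "$demo"
rm -f "$demo"
```

Because the new lines are queued until the anchor's block of maldet calls ends, repeated calls keep their order (public_html, then the two Centmin Mod paths), which is also the order the post's full listing shows.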
Looks great. I'll have to give it a try. You mentioned that it's much slower than AVG; how hard is it on the CPU?
For CPU load, maldet is actually lighter than AVG. AVG uses more CPU in parallel, hence the speed, i.e. for a 180,000 file/directory scan: AVG = ~750 seconds, Maldet = ~24,000 seconds. Stats taken from a real live example I posted in my 10 page blog article on cleaning up hacked vBulletin forums at http://vbtechsupport.com/2355/9/
Updated first post with details for Linux Malware Detect (maldet) + ClamAV Scanning Engine to speed up scanning times.

Wow, maldet + ClamAV is HEAPS faster! This is a scan on a site with 200,342 to 200,474 files to compare. Yes, the first maldet-only scan picked up some malware while maldet + clamav didn't, as I had already cleaned that up after the first scan. But scan times are dramatically different.

maldet only = 632 minutes and 5.563s! = 37,925.563 seconds
maldet + clamav = 1min 11.127s = 71.127 seconds
~533x faster!

maldet only

Code (Text):
time maldet -a /home/nginx/domains/domain.com/public
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(29923): {scan} signatures loaded: 11760 (9871 MD5 / 1889 HEX)
maldet(29923): {scan} building file list for /home/nginx/domains/domain.com/public, this might take awhile...
maldet(29923): {scan} file list completed, found 200342 files...
maldet(29923): {scan} 200342/200342 files scanned: 8 hits 4 cleaned
maldet(29923): {scan} scan completed on /home/nginx/domains/domain.com/public: files 200342, malware hits 8, cleaned hits 4
maldet(29923): {scan} scan report saved, to view run: maldet --report 071614-1236.29923
maldet(29923): {alert} sent scan report to you@domain.com,yourapikey+devicename+p1@api.pushover.net

real    632m5.563s
user    301m31.873s
sys     359m12.706s

maldet + clamav, notice the line about finding the ClamAV clamscan binary:

Code (Text):
maldet(11035): {scan} found ClamAV clamscan binary, using as scanner engine...

Code (Text):
time maldet -a /home/nginx/domains/domain.com/public
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(11035): {scan} signatures loaded: 11760 (9871 MD5 / 1889 HEX)
maldet(11035): {scan} building file list for /home/nginx/domains/domain.com/public, this might take awhile...
maldet(11035): {scan} file list completed, found 200474 files...
maldet(11035): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(11035): {scan} scan of /home/nginx/domains/domain.com/public (200474 files) in progress...
maldet(11035): {scan} scan completed on /home/nginx/domains/domain.com/public: files 200474, malware hits 0, cleaned hits 0
maldet(11035): {scan} scan report saved, to view run: maldet --report 071914-1614.11035

real    1m11.127s
user    0m6.011s
sys     0m5.319s

With such a speed up, I might even make maldet + clamav a default installed menu based option for Centmin Mod instead of an addon.
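The scan output above reports "malware hits 8, cleaned hits 4", i.e. four hits that maldet could not clean and that still need a look. As an added example (not maldet's own code), here is a small parser for maldet's "scan completed" and "scan report saved" lines, as they appear in event_log or on the terminal, that lists the scans with uncleaned hits and pairs them with the SCANID to hand to `maldet --report`. The log text is a constructed sample modelled on the lines in this thread, and the helper names (scan_summary, uncleaned_hits, report_ids) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not maldet's own code: extract the per-scan totals from maldet's
# "scan completed" lines and flag scans whose hits were not all cleaned.
# Assumed helper names: scan_summary, uncleaned_hits, report_ids.

# Constructed sample log, modelled on the lines shown in this thread.
SAMPLE_LOG='Jul 14 07:47:19 centos7 maldet(8847): {scan} scan completed on /home/nginx/domains/*/public: files 10, malware hits 0, cleaned hits 0
Jul 14 07:47:19 centos7 maldet(8847): {scan} scan report saved, to view run: maldet --report 071414-0747.8847
Jul 16 12:36:01 centos7 maldet(29923): {scan} scan completed on /home/nginx/domains/domain.com/public: files 200342, malware hits 8, cleaned hits 4
Jul 16 12:36:01 centos7 maldet(29923): {scan} scan report saved, to view run: maldet --report 071614-1236.29923
Jul 19 16:14:33 centos7 maldet(11035): {scan} scan completed on /home/nginx/domains/domain.com/public: files 200474, malware hits 0, cleaned hits 0
Jul 19 16:14:33 centos7 maldet(11035): {scan} scan report saved, to view run: maldet --report 071914-1614.11035'

# stdin: maldet log text. stdout: "pid path files hits cleaned" per completed scan.
scan_summary() {
        awk 'index($0, "{scan} scan completed on ") {
                # pid sits between "maldet(" and "):"
                p = index($0, "maldet("); q = index($0, "):")
                pid = substr($0, p + 7, q - p - 7)
                # path runs from after "scan completed on " up to ": files"
                s = index($0, "scan completed on ")
                rest = substr($0, s + 18)
                path = substr(rest, 1, index(rest, ": files ") - 1)
                # the three counters are separated by fixed phrases
                split($0, f, /: files |, malware hits |, cleaned hits /)
                print pid, path, f[2], f[3], f[4]
        }'
}

# stdin: maldet log text. stdout: "pid path uncleaned" for scans where hits
# exceed cleaned hits; prints nothing when every scan was clean or fully cleaned.
uncleaned_hits() {
        scan_summary | awk '$4 - $5 > 0 { print $1, $2, $4 - $5 }'
}

# stdin: maldet log text. stdout: "pid SCANID" pairs from "scan report saved" lines.
report_ids() {
        awk 'index($0, "{scan} scan report saved") {
                p = index($0, "maldet("); q = index($0, "):")
                print substr($0, p + 7, q - p - 7), $NF
        }'
}

# Usage: which report to open for each scan that still needs attention.
printf '%s\n' "$SAMPLE_LOG" | uncleaned_hits | while read -r pid path left; do
        id=$(printf '%s\n' "$SAMPLE_LOG" | report_ids | awk -v p="$pid" '$1 == p { print $2 }')
        echo "scan $pid of $path: $left hit(s) not cleaned, review with: maldet --report $id"
done
```

On a real server the same functions read `/usr/local/maldetect/event_log` instead of the sample, e.g. `uncleaned_hits < /usr/local/maldetect/event_log`, which is a convenient cron check alongside the email alerts since quar_clean only covers string-based injections.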
Okay, first maldet.sh beta 0.0.1 release of the addon install for the maldet+clamav scanner for Centmin Mod users posted at centminmod/maldet.sh at 123.08centos7beta01 · centminmod/centminmod · GitHub

Update: made some revisional changes at History for addons/maldet.sh - centminmod/centminmod · GitHub

You'd need to fill in ALERTEMAIL='your@emailaddress.com' to get email alerts. The maldet.sh script should detect if ALERTEMAIL is empty and abort the install until you fill in the ALERTEMAIL variable. If you have a pushover.net account, you can also get mobile device push notifications for maldet detected malware hits/alerts by setting your pushover.net email, i.e. youruserkey+devicename+p1@api.pushover.net, and also configuring the ALERT_POEMAIL='' variable in maldet.sh.

Code (Text):
# enter email address you want alerts sent to
# i.e. your@domain.com
ALERTEMAIL=''

# enter your pushover.net email you want alerts sent to
# i.e. youruserkey+devicename+p1@api.pushover.net
ALERT_POEMAIL=''

The script detects if ALERTEMAIL is empty:

Code (Text):
./maldet.sh
CentOS / RHEL system detected
ALERTEMAIL variable detected as empty
edit ./maldet.sh and set an email address for ALERTEMAIL
Then re-run the script ./maldet.sh

To install maldet.sh:

Code (Text):
cd /usr/local/src/centmin-v1.2.3mod/addons
wget https://gist.githubusercontent.com/centminmod/f6e3d3c502106cdb6b89/raw/maldet.sh
chmod +x maldet.sh

then edit maldet.sh via the nano or vim text editors, i.e.

Code (Text):
nano -w maldet.sh

And enter ALERTEMAIL='' with your email address and, if you want pushover.net notifications, set ALERT_POEMAIL=''. Hit CTRL+X to save and exit nano, then run maldet.sh:

Code (Text):
./maldet.sh

DO this on a test VPS first and NOT a live production server as maldet.sh is beta right now.

More conscious of malware as I just cleaned up my sister's infected Windows 8 laptop - a lot of malware/adware infections. Always good to keep yourself protected.
Awesome, would be interesting to see how fast maldet + clamscan is for your hardware:

Code (Text):
time maldet -a /home/nginx/domains/domain.com/public
Code (Text):
[root@host ControllerPublic]# time maldet -a /home/nginx/domains/mattwservices.co.uk/public
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

/usr/local/sbin/maldet: line 255: [: : integer expression expected
maldet(26626): {scan} signatures loaded: 11776 (9883 MD5 / 1893 HEX)
maldet(26626): {scan} building file list for /home/nginx/domains/mattwservices.co.uk/public, this might take awhile...
maldet(26626): {scan} file list completed, found 10904 files...
maldet(26626): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(26626): {scan} scan of /home/nginx/domains/mattwservices.co.uk/public (10904 files) in progress...
maldet(26626): {scan} scan completed on /home/nginx/domains/mattwservices.co.uk/public: files 10904, malware hits 0, cleaned hits 0
maldet(26626): {scan} scan report saved, to view run: maldet --report 072714-1932.26626

real    0m22.193s
user    0m21.288s
sys     0m0.512s
Nice. Seems you got an error? Maybe in the maldet conf?

Code (Text):
/usr/local/sbin/maldet: line 255: [: : integer expression expected
That's the heartbleed check:

Code (Bash):
check_opensslheartbleed() {
  rpm=`which rpm 2> /dev/null`
  if [ "$rpm" ]; then
    check_openssl=`$rpm -q openssl | grep 1.0.1 | head -n1`
    goodrev="5.7"
    if [ "$check_openssl" ]; then
      rev=`echo $check_openssl| grep 1.0.1 | sed -e 's/el6_/ /' -e 's/.x86_64/ /' -e 's/.i686/ /' | awk '{print$2}'`
      if [ "$(echo $rev | tr -d '.')" -lt "$(echo $goodrev | tr -d '.')" ]; then
        alert_heartbleed=1
      fi
    fi
  fi
}

Breaking it down:

Code (Text):
[root@host tmp]# rpm -q openssl | grep 1.0.1 | head -n1
openssl-1.0.1h-1.el6.x86_64
[root@host tmp]# echo openssl-1.0.1h-1.el6.x86_64 | grep 1.0.1 | sed -e 's/el6_/ /' -e 's/.x86_64/ /' -e 's/.i686/ /' | awk '{print$2}'

[root@host tmp]#
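The empty line in that breakdown is the whole story: the sed pipeline only yields a value for EL6 releases of the el6_X.Y form (openssl-1.0.1e-16.el6_5.7 is the EL6 update that fixed Heartbleed, which is what goodrev="5.7" compares against), so for openssl-1.0.1h-1.el6 rev is empty and maldet ends up running `[ "" -lt 57 ]`, which is the "integer expression expected" message. As an added example (not maldet's code), here is the same pipeline applied to an rpm name given as an argument, plus a guarded version of the comparison that reports "unparsed" instead of failing. The rpm names used for testing are constructed apart from the one shown in the post; the helper names (rev_from_rpm, heartbleed_verdict) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not maldet's code: reproduce maldet's openssl release parsing
# and guard the comparison against an empty result.
# Assumed helper names: rev_from_rpm, heartbleed_verdict.

# Same pipeline as maldet's check_opensslheartbleed(), but applied to an rpm
# name passed as $1 instead of the output of `rpm -q openssl`.
rev_from_rpm() {
        printf '%s\n' "$1" | grep 1.0.1 \
                | sed -e 's/el6_/ /' -e 's/.x86_64/ /' -e 's/.i686/ /' \
                | awk '{print $2}'
}

# Print one of: vulnerable, patched, unparsed.
# goodrev="5.7" is maldet's value (openssl-1.0.1e-16.el6_5.7). Any package whose
# release is not of the el6_X.Y form gives an empty rev; maldet then runs
# [ "" -lt 57 ], which is the "integer expression expected" error seen above.
# Here that case is reported as "unparsed" for the operator to check, rather
# than silently treated as patched or flagged as vulnerable.
heartbleed_verdict() {
        rev=$(rev_from_rpm "$1")
        goodrev="5.7"
        if [ -z "$rev" ]; then
                echo unparsed
                return 0
        fi
        # maldet's comparison: strip the dots and compare as integers
        if [ "$(echo "$rev" | tr -d '.')" -lt "$(echo "$goodrev" | tr -d '.')" ]; then
                echo vulnerable
        else
                echo patched
        fi
}

# Usage demo on constructed rpm names plus the one from the post above.
for pkg in openssl-1.0.1e-16.el6_5.4.x86_64 \
           openssl-1.0.1e-16.el6_5.7.x86_64 \
           openssl-1.0.1h-1.el6.x86_64; do
        echo "$pkg: rev='$(rev_from_rpm "$pkg")' -> $(heartbleed_verdict "$pkg")"
done
```

The post that follows in the thread confirms the practical reading: a server running a rebuilt, post-Heartbleed OpenSSL that does not match the el6_X.Y pattern gets an "unparsed" result here and a false alert from maldet, so an external check (the ssllabs test mentioned below) is the right way to settle it.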
Made a minor fix to the Gist hosted maldet.sh addon mentioned here as well as the one included in the .08 beta addons/maldet.sh directory (actual commit), to enable email alerts in the script - revisions shown at Revisions · maldet.sh

Last 7 days scan for just Centmin Mod web roots:

Code (Text):
/usr/local/maldetect/maldet -r /home/nginx/domains/?/public
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(16277): {scan} signatures loaded: 11788 (9895 MD5 / 1893 HEX)
maldet(16277): {scan} building file list for /home/nginx/domains/*/public of new/modified files from last 7 days, this might take awhile...
maldet(16277): {scan} file list completed, found 112 files...
maldet(16277): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(16277): {scan} scan of /home/nginx/domains/*/public (112 files) in progress...
maldet(16277): {scan} scan completed on /home/nginx/domains/*/public: files 112, malware hits 0, cleaned hits 0
maldet(16277): {scan} scan report saved, to view run: maldet --report 092614-0045.16277

Code (Text):
malware detect scan report for myhostname:
SCAN ID: 092614-0045.16277
TIME: Sep 26 00:45:48 +0000
PATH: /home/nginx/domains/*/public
RANGE: 7 days
TOTAL FILES: 112
TOTAL HITS: 0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >

Full scan from /home:

Code (Text):
/usr/local/maldetect/maldet -a /home/
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(11218): {scan} signatures loaded: 11788 (9895 MD5 / 1893 HEX)
maldet(11218): {scan} building file list for /home/, this might take awhile...
maldet(11218): {scan} file list completed, found 51072 files...
maldet(11218): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(11218): {scan} scan of /home/ (51072 files) in progress...
maldet(11218): {scan} scan completed on /home/: files 51072, malware hits 0, cleaned hits 0
maldet(11218): {scan} scan report saved, to view run: maldet --report 092614-0301.11218
False positive if you update OpenSSL for the latest POODLE SSLv3 TLS_FALLBACK_SCSV support and have Maldet scanning enabled: it may incorrectly say you're vulnerable to the Heartbleed exploit. Got this Pushover mobile client notification if you have configured yum-cron for daily yum updates and also have Maldet set for pushover notifications. Running the ssllabs test confirms not vulnerable to Heartbleed: Qualys SSL Labs - Projects / SSL Server Test / community.centminmod.com
Code (Text):
WARNING: getfile: daily-19121.cdiff not found on remote server (IP: 64.22.33.90)
WARNING: getpatch: Can't download daily-19121.cdiff from db.us.clamav.net
connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
Can't connect to port 80 of host db.us.clamav.net (IP: 65.19.179.67)
Trying host db.us.clamav.net (128.199.133.36)...
WARNING: getfile: daily-19121.cdiff not found on remote server (IP: 128.199.133.36)
WARNING: getpatch: Can't download daily-19121.cdiff from db.us.clamav.net
WARNING: getfile: daily-19121.cdiff not found on remote server (IP: 69.12.162.28)
WARNING: getpatch: Can't download daily-19121.cdiff from db.us.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd

Downloading daily.cvd seems to work but the daily-19121.cdiff failed, and I'm just reporting this. Thanks
Just try updating again:

Code (Text):
maldet -u

Code (Text):
maldet -h
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 2014101812009
usage /usr/local/sbin/maldet [ OPTION ]
    -b, --background
      Execute operations in the background, ideal for large scans
      e.g: maldet -b -r /home/?/public_html 7

    -u, --update
      Update malware detection signatures from rfxn.com

    -d, --update-ver
      Update the installed version from rfxn.com

    -m, --monitor USERS|PATHS|FILE
      Run maldet with inotify kernel level file create/modify monitoring
      If USERS is specified, monitor user homedirs for UID's > 500
      If FILE is specified, paths will be extracted from file, line spaced
      If PATHS are specified, must be comma spaced list, NO WILDCARDS!
      e.g: maldet --monitor users
      e.g: maldet --monitor /root/monitor_paths
      e.g: maldet --monitor /home/mike,/home/ashton

    -k, --kill
      Terminate inotify monitoring service

    -r, --scan-recent PATH DAYS
      Scan files created/modified in the last X days (default: 7d, wildcard: ?)
      e.g: maldet -r /home/?/public_html 2

    -a, --scan-all PATH
      Scan all files in path (default: /home, wildcard: ?)
      e.g: maldet -a /home/?/public_html

    -c, --checkout FILE
      Upload suspected malware to rfxn.com for review & hashing into signatures

    -l, --log
      View maldet log file events

    -e, --report SCANID email
      View scan report of most recent scan or of a specific SCANID and optionally
      e-mail the report to a supplied e-mail address
      e.g: maldet --report
      e.g: maldet --report list
      e.g: maldet --report 050910-1534.21135
      e.g: maldet --report SCANID user@domain.com

    -s, --restore FILE|SCANID
      Restore file from quarantine queue to orginal path or restore all items from
      a specific SCANID
      e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
      e.g: maldet --restore 050910-1534.21135

    -q, --quarantine SCANID
      Quarantine all malware from report SCANID
      e.g: maldet --quarantine 050910-1534.21135

    -n, --clean SCANID
      Try to clean & restore malware hits from report SCANID
      e.g: maldet --clean 050910-1534.21135

    -U, --user USER
      Set execution under specified user, ideal for restoring from user quarantine or
      to view user reports.
      e.g: maldet --user nobody --report
      e.g: maldet --user nobody --restore 050910-1534.21135

    -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
      Set or redefine the value of conf.maldet config options
      e.g: maldet --config-option email_addr=you@domain.com,quar_hits=1

    -p, --purge
      Clear logs, quarantine queue, session and temporary data.
It is already updated using the daily.cvd, but I posted it just for the warnings, in case any fix is needed. Thanks
Ok, I edited it and added my email and scanned my public folder, and all is fine, no malware, but I didn't get any mail about this scan.

Code (Text):
ALERTEMAIL='mymail@gmail.com'

Or must I adjust something else or run the scanning command with an extra parameter? I used:

Code (Text):
/usr/local/maldetect/maldet -a /home/nginx/domains/mydomain.com/public/