Maldet - Linux Malware Detect Addon (discussion)

Discussion in 'Add Ons' started by eva2000, Jul 17, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    53,614
    12,139
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,683
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    You only get emails if the scan found malware/viruses.

     
  2. pamamolf

    pamamolf Premium Member Premium Member

    4,070
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    4:47 AM
    Nginx-1.25.x
    MariaDB 10.3.x
    But I think it would be good if I ran it using a cron once per day to get the stats even if no malware is found....

    Is it easy to adjust this?
     
    Last edited: Oct 21, 2014
  3. eva2000

    Probably, but I haven't looked into the code to find out though.
     
  4. eva2000

    With CryptoPHP backdoor malware on the loose it's now more important than ever to have Maldet + clamav scanner set up, as it's one of the malware scanners which is able to detect and clean CryptoPHP malware infections! Maldet detects CryptoPHP malware as {HEX}php.crytpophp.pnginclude or {HEX}php.bseo.cryptophp. Note if you are infected, cleaning isn't enough - you have to totally wipe your account/server and restore from a recent clean backup (yes, backups are important to have and do regularly!)

    Actually, the official maldet web site lists a few signature updates.
    Using the maldet.sh Centmin Mod Addon installer to install and configure maldet and the clamav scanner for a quick scan of my WordPress blog:

    Update maldet and clamav definitions first:
    Code:
    freshclam
    ClamAV update process started at Sun Nov 30 09:20:06 2014
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.98.4 Recommended version: 0.98.5
    DON'T PANIC! Read http://www.clamav.net/support/faq
    main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
    daily.cvd is up to date (version: 19699, sigs: 1278291, f-level: 63, builder: neo)
    bytecode.cvd is up to date (version: 242, sigs: 46, f-level: 63, builder: dgoddard)
    Code:
    maldet -u
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(14167): {sigup} performing signature update check...
    maldet(14167): {sigup} local signature set is version 2014112423513
    maldet(14167): {sigup} latest signature set already installed
    A full scan of the Centmin Mod Nginx public web root directories returned 0 malware hits out of 4533 files scanned:
    Code:
    /usr/local/maldetect/maldet -a /home/nginx/domains/?/public
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(14952): {scan} signatures loaded: 11866 (9965 MD5 / 1901 HEX)
    maldet(14952): {scan} building file list for /home/nginx/domains/*/public, this might take awhile...
    maldet(14952): {scan} file list completed, found 4533 files...
    maldet(14952): {scan} found ClamAV clamscan binary, using as scanner engine...
    maldet(14952): {scan} scan of /home/nginx/domains/*/public (4533 files) in progress...
    
    maldet(14952): {scan} scan completed on /home/nginx/domains/*/public: files 4533, malware hits 0, cleaned hits 0
    maldet(14952): {scan} scan report saved, to view run: maldet --report 113014-0822.14952
     
    Last edited: Nov 30, 2014
  5. eva2000

    Updated .08 beta's addons/maldet.sh at centminmod/maldet.sh at 123.08centos7beta01 · centminmod/centminmod · GitHub

    You can see the full revision changes at History for addons/maldet.sh - centminmod/centminmod · GitHub

    If you already installed maldet via addons/maldet.sh as outlined here, you can just update the daily cron with the changes I made by typing the following commands in SSH.

    To scan the /boot, /etc and /usr directories too:
    Code:
    echo "" >> /etc/cron.daily/maldet
    echo "# extend maldet scans to other areas" >> /etc/cron.daily/maldet
    echo "# -r PATH DAYS = scan only files new/modified in the last DAYS days; -b = run the scan in the background" >> /etc/cron.daily/maldet
    echo "/usr/local/maldetect/maldet -b -r /boot 2 >> /dev/null 2>&1" >> /etc/cron.daily/maldet
    echo "/usr/local/maldetect/maldet -b -r /etc 2 >> /dev/null 2>&1" >> /etc/cron.daily/maldet
    echo "/usr/local/maldetect/maldet -b -r /usr 2 >> /dev/null 2>&1" >> /etc/cron.daily/maldet
    Example manual scan of /usr as well:

    Code:
    time maldet -r /usr
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(19802): {scan} signatures loaded: 10727 (8823 MD5 / 1904 HEX)
    maldet(19802): {scan} building file list for /usr of new/modified files from last 7 days, this might take awhile...
    maldet(19802): {scan} file list completed, found 1590 files...
    maldet(19802): {scan} found ClamAV clamscan binary, using as scanner engine...
    maldet(19802): {scan} scan of /usr (1590 files) in progress...
    
    maldet(19802): {scan} scan completed on /usr: files 1590, malware hits 0, cleaned hits 0
    maldet(19802): {scan} scan report saved, to view run: maldet --report 030915-1640.19802
    
    real    0m12.596s
    user    0m10.920s
    sys     0m1.423s
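The daily-stats wish from post 2 and the extended cron from post 5, as an added example that is not Centmin Mod's addons/maldet.sh and not part of maldet: a wrapper the cron can call instead of the bare maldet lines. It parses the two lines maldet prints at the end of every scan (visible in the outputs quoted above) into one summary line per path and mails them every day, hits or not, which plain maldet does not do for clean scans. The paths /usr/local/maldetect/maldet and /home/nginx/domains/?/public come from the thread; $REPORT_TO, the summary log location and the `run`/`demo` arguments are this example's assumptions. The sample scan output embedded in it is constructed from the lines quoted above plus one invented scan with hits.

```shell
#!/bin/sh
# Added example, not Centmin Mod's addons/maldet.sh and not maldet itself:
# a cron wrapper that runs the same scans the addon schedules but always
# produces a one-line summary per scanned path, so you get the daily stats
# even when nothing was found. Assumptions: maldet lives at
# /usr/local/maldetect/maldet (as on the page), $REPORT_TO is the mailbox
# for the summary, and the summary log path below is invented.
MALDET=/usr/local/maldetect/maldet
REPORT_TO="${REPORT_TO:-root}"
SUMMARY_LOG=/usr/local/maldetect/logs/daily-summary.log

# summarize_scan: read maldet's scan output on stdin and print
#   path=<p> files=<n> hits=<n> cleaned=<n> report=<id>
# once per completed scan. It keys off the two lines maldet prints at the end:
#   maldet(PID): {scan} scan completed on PATH: files N, malware hits N, cleaned hits N
#   maldet(PID): {scan} scan report saved, to view run: maldet --report ID
summarize_scan() {
    awk '
        /scan completed on / {
            sub(/.*scan completed on /, "")
            split($0, parts, ": ")
            path = parts[1]
            split(parts[2], f, ", ")
            files = f[1]; hits = f[2]; cleaned = f[3]
            sub(/^files /, "", files)
            sub(/^malware hits /, "", hits)
            sub(/^cleaned hits /, "", cleaned)
        }
        /scan report saved/ {
            printf "path=%s files=%s hits=%s cleaned=%s report=%s\n", path, files, hits, cleaned, $NF
        }'
}

# total_hits: sum the hits= fields of summarize_scan output (0 if none).
total_hits() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^hits=/) { split($i, kv, "="); t += kv[2] } }
         END { print t + 0 }'
}

# run_scans: the scans the addon cron already performs (full scan of the web
# roots, last-2-days scan of the system dirs), run in the foreground so their
# output can be parsed (maldet -b prints nothing to capture). The summary is
# appended to the log, mailed, and the exit status is non-zero when any scan
# reported hits so cron notices as well.
run_scans() {
    {
        "$MALDET" -a '/home/nginx/domains/?/public'
        "$MALDET" -r /boot 2
        "$MALDET" -r /etc 2
        "$MALDET" -r /usr 2
    } 2>&1 | summarize_scan | tee -a "$SUMMARY_LOG" > "$SUMMARY_LOG.last"
    mail -s "maldet daily summary on $(hostname)" "$REPORT_TO" < "$SUMMARY_LOG.last"
    [ "$(total_hits < "$SUMMARY_LOG.last")" -eq 0 ]
}

# Constructed sample for offline use: the summary lines from the scans quoted
# in the thread, plus one invented scan with hits so the non-zero path is exercised.
SAMPLE_SCAN_OUTPUT='maldet(14952): {scan} signatures loaded: 11866 (9965 MD5 / 1901 HEX)
maldet(14952): {scan} scan completed on /home/nginx/domains/*/public: files 4533, malware hits 0, cleaned hits 0
maldet(14952): {scan} scan report saved, to view run: maldet --report 113014-0822.14952
maldet(19802): {scan} scan completed on /usr: files 1590, malware hits 2, cleaned hits 1
maldet(19802): {scan} scan report saved, to view run: maldet --report 030915-1640.19802'

demo_summary() { printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | summarize_scan; }
demo_hits()    { demo_summary | total_hits; }

case "${1:-}" in
    run)  run_scans ;;
    demo) demo_summary; echo "total hits: $(demo_hits)" ;;
esac
```

Install it as, say, /etc/cron.daily/maldet-summary and have it run with `run` in place of the bare maldet lines for those paths, otherwise the same directories get scanned twice a day. `demo` prints the parsed summary of the embedded sample. The summary line carries the report id, so `maldet --report <id>` (as printed by maldet itself above) still gets you the full detail when hits are non-zero.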
     
  6. pamamolf

    Is maldet able to detect edited PHP files that have backdoor code to allow remote execution of commands?
     
  7. eva2000

    If there's a signature/hash for it, yes.

    Profiling the current maldet sig database:

    Code:
    maldetprofile.sh                   
    
    download latest signature database
    http://www.rfxn.com/api/lmd?id=all
    
    filter maldet sig database for PHP related sigs
    
    Total Number of Maldet signatures:      14525
    
    PHP related Maldet signatures ranked:
       3055  php.ircbot
       1974  php.cmdshell
        458  php.exe
        373  php.nested
        240  php.id
        235  php.mailer
        174  php.injector
         80  php.clamav
         55  php.generic
         49  php.cracker
         34  php.uploader
         34  php.dbscan
         33  php.pktflood
         30  php.cpanel
         26  php.shell
         25  php.include
         19  php.proxyinject
         10  php.phishing
          9  php.whmcs
          9  php.spy
          9  php.proxy
          9  php.defash
          9  php.dbman
          6  php.malware
          6  php.base64
          5  php.sessmasq
          4  php.xmlrpc
          4  php.filebrowser
          4  php.encoded
          3  php.rshell
          2  php.xss-scan
          2  php.redirect
          2  php.joomla
          2  php.exec
          2  php.cpcrack
          2  php.configspy
          2  php.bseo
          2  php.bot
          1  php.upload
          1  php.crytpophp
     
    Last edited: Mar 14, 2015
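On the question in post 6 and the answer above (detection needs a signature or hash): an added example, not maldet's code and not part of Centmin Mod, showing the complementary check a practitioner would pair with a signature scanner. Signature-based tools only flag what they already know, so the script below records a sha256 baseline of every PHP file under a web root and reports files that were edited, added or removed since, which is exactly what an injected backdoor in an existing file looks like. The file extensions, the relative-path handling and the `baseline`/`check`/`demo` arguments are this example's assumptions; the demo web root and the "injected" line it appends are constructed.

```shell
#!/bin/sh
# Added example, not part of maldet or Centmin Mod. maldet matches known
# MD5/HEX signatures (the php.* families listed above), so an edited PHP file
# carrying an unknown backdoor is only flagged if its bytes match a signature.
# A cheap complement is a hash baseline of the PHP files: record it once after
# a known-clean install or update, then diff against it from cron. Any
# CHANGED/ADDED file is something to inspect regardless of what maldet says.
# Assumptions: find and sha256sum (coreutils); paths without whitespace;
# the baseline file location is yours to choose.

# php_baseline DIR OUT: write "sha256  path" for every PHP source file under DIR.
php_baseline() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec sha256sum {} + | sort -k2 > "$2"
}

# php_diff DIR BASELINE: print "ADDED/CHANGED/REMOVED path" lines, sorted.
# Exit status 0 when nothing differs, 1 otherwise.
php_diff() {
    cur=$(mktemp); rep=$(mktemp)
    php_baseline "$1" "$cur"
    # first file = baseline (hash keyed by path), second = current state.
    # FILENAME test rather than NR==FNR so an empty baseline is handled.
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base))        print "ADDED   " $2
            else if (base[$2] != $1)  print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur" | sort > "$rep"
    cat "$rep"
    n=$(awk 'END { print NR }' "$rep")
    rm -f "$cur" "$rep"
    [ "$n" -eq 0 ]
}

# demo: constructed web root, baseline, then a simulated compromise (one file
# edited in place, one new file dropped) to show what the diff reports.
demo() {
    root=$(mktemp -d); base=$(mktemp)
    mkdir -p "$root/site/public/wp-includes"
    printf '<?php echo "hello";\n' > "$root/site/public/index.php"
    printf '<?php // clean\n'        > "$root/site/public/wp-includes/load.php"
    printf 'body{}\n'                > "$root/site/public/style.css"   # not PHP, ignored
    (cd "$root" && php_baseline . "$base")
    (cd "$root" && php_diff . "$base") && echo "clean=0" || echo "clean=1"
    printf '<?php /* constructed: injected line */\n' >> "$root/site/public/wp-includes/load.php"
    printf '<?php /* constructed: dropped file */\n'   > "$root/site/public/sh.php"
    (cd "$root" && php_diff . "$base") && echo "after=0" || echo "after=1"
    rm -rf "$root" "$base"
}

case "${1:-}" in
    baseline) php_baseline "$2" "$3" ;;
    check)    php_diff "$2" "$3" ;;
    demo)     demo ;;
esac
```

Re-run `baseline` after every legitimate update (WordPress core, plugins, themes) or every deploy, otherwise the diff is noise; run `check` from the same daily cron as maldet and treat a non-zero exit as something to read, not something to auto-clean. Keep the baseline file outside the web root and not writable by the web server user, or an attacker who can write PHP can also rewrite the baseline.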
  8. eva2000

  9. pamamolf

    I just installed it on CentOS 6.6 64-bit and I got this:

    Code:
    http://premium-yum.boundary.com/CentOS/6/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 404 Not Found"
    Trying other mirror.
    Error: Cannot retrieve repository metadata (repomd.xml) for repository: graphdat. Please verify its path and try again
    ./maldet.sh: line 149: /etc/init.d/clamd: No such file or directory
    error reading information on service clamd: No such file or directory
    ./maldet.sh: line 151: freshclam: command not found
    I used this:
    Code:
    cd /usr/local/src/centminmod-123.08centos7beta02/addons
    wget https://gist.github.com/centminmod/f6e3d3c502106cdb6b89/download#file-maldet-sh
    chmod +x maldet.sh
    Then I edited it, added my email and ran:
    
    Code:
    ./maldet.sh
     
  10. eva2000

  11. pamamolf

    OK, I added it as (I also removed the # in front):

    Code:
    exclude=.gov, facebook, myspace, junk-mirror.com, premium-yum.boundary.com
    But I got the same error again :(

    Code:
     * updates: centos.quelquesmots.fr
    http://premium-yum.boundary.com/CentOS/6/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 404 Not Found"
    Trying other mirror.
    Error: Cannot retrieve repository metadata (repomd.xml) for repository: graphdat. Please verify its path and try again
    ./maldet.sh: line 149: /etc/init.d/clamd: No such file or directory
    error reading information on service clamd: No such file or directory
    ./maldet.sh: line 151: freshclam: command not found
    I also ran yum clean all before... and I also restarted the server, but nothing :(

    Maybe the problem is:

    Code:
    Loading mirror speeds from cached hostfile
    ?

    Also in

    Code:
    /var/cache/yum/x86_64/6/timedhosts.txt 
    this mirror is not listed, and removing that file and trying again doesn't help either :(
     
    Last edited: Apr 5, 2015
  12. eva2000

    Remove the timed host file /var/cache/yum/x86_64/6/timedhosts.txt and try again.
     
  13. pamamolf

    I did it and it is not working :(

    Now I am getting the same problem with yum update also....

    Damn :( It seems to ignore my edit to exclude it....
     
  14. eva2000

    Do yum clean all, then do the timedhosts.txt removal.
     
  15. pamamolf

    I did and got the same error again :(

    yum clean all auto-removes that file...
     
  16. eva2000

    What do the contents of /etc/yum.repos.d/CentOS-Base.repo and /etc/yum.repos.d/epel.repo look like, and what is the output of this command?

    Code:
    ls -lAhrt /etc/yum.repos.d | grep -v OLD
    Also try removing the mirrorlist file too: /var/cache/yum/x86_64/6/base/mirrorlist.txt
     
  17. pamamolf

    Code:
    ls -lAhrt /etc/yum.repos.d | grep -v OLD
    total 112K
    -rw-r--r-- 1 root root 1.1K Nov  5  2012 epel-testing.repo
    -rw-r--r-- 1 root root  728 Mar 20  2013 mirrors-rpmforge-testing
    -rw-r--r-- 1 root root  717 Mar 20  2013 mirrors-rpmforge-extras
    -rw-r--r-- 1 root root  739 Mar 20  2013 mirrors-rpmforge
    -rw-r--r-- 1 root root 2.0K Jul  4  2014 CentOS-Base.repo
    -rw-r--r-- 1 root root  340 Jul  4  2014 Percona.repo
    -rw-r--r-- 1 root root  223 Jul  4  2014 varnish.repo
    -rw-r--r-- 1 root root 1.2K Jul  4  2014 axivo.repo
    -rw-r--r-- 1 root root  356 Jul  4  2014 mariadb.repo
    -rw-r--r-- 1 root root  140 Oct  6 04:38 graphdat.repo
    -rw-r--r-- 1 root root 5.3K Oct 23 14:41 CentOS-Vault.repo
    -rw-r--r-- 1 root root  630 Oct 23 14:41 CentOS-Media.repo
    -rw-r--r-- 1 root root  289 Oct 23 14:41 CentOS-fasttrack.repo
    -rw-r--r-- 1 root root  647 Oct 23 14:41 CentOS-Debuginfo.repo
    -rw-r--r-- 1 root root 2.0K Oct 23 14:41 CentOS-Base.repo.rpmnew
    -rw-r--r-- 1 root root 2.6K Dec  2 22:33 percona-release.repo
    -rw-r--r-- 1 root root 2.3K Dec  2 22:36 remi.repo
    -rw-r--r-- 1 root root 1.2K Mar 25 00:39 rpmforge.repo
    -rw-r--r-- 1 root root 1007 Apr  4 17:46 epel.repo
    I also deleted this: /var/cache/yum/x86_64/6/base/mirrorlist.txt

    But nothing :(
     
  18. eva2000

    You added an additional repo that isn't installed by Centmin Mod = graphdat.repo; that is your problem repo.
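The yum troubleshooting in posts 9 to 18 ends with the third-party graphdat repo being the cause. As an added example (not from the thread and not part of Centmin Mod), here is the check that finds such a repo directly rather than via mirror caches, plus a way to disable only that section in place. The fastestmirror `exclude=` line edited in post 11 only filters mirror hosts for repos that use a mirrorlist; a repo with its own baseurl, like graphdat's premium-yum.boundary.com, never goes through it, so yum keeps asking that host for repomd.xml and fails. The repo file contents in the demo are constructed stand-ins for two of the files listed above, and the `list`/`probe`/`disable`/`demo` arguments are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or Centmin Mod: find which enabled yum
# repository is the one failing ("Cannot retrieve repository metadata
# (repomd.xml) for repository: graphdat") and disable it in place instead of
# deleting the .repo file or fighting the mirror list. Assumptions: CentOS 6
# style /etc/yum.repos.d/*.repo ini files, where a section without an
# enabled= line is enabled; curl for the reachability probe.

# list_enabled_repos DIR: print "repoid url" for every enabled section, url
# being the baseurl or mirrorlist line (whichever comes first).
list_enabled_repos() {
    cat "$1"/*.repo | awk '
        function flush() { if (id != "" && enabled != "0") print id, url }
        /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2); enabled = ""; url = ""; next }
        /^[ \t]*#/ { next }
        /^[ \t]*enabled[ \t]*=/ { sub(/^[ \t]*enabled[ \t]*=[ \t]*/, ""); enabled = $0 }
        /^[ \t]*(baseurl|mirrorlist)[ \t]*=/ { sub(/^[ \t]*[a-z]+[ \t]*=[ \t]*/, ""); if (url == "") url = $0 }
        END { flush() }'
}

# probe_repo BASEURL: fetch repodata/repomd.xml the way yum does and print
# the HTTP status; 404 is the error from the thread. Only meaningful for
# baseurl= repos (a mirrorlist URL returns a list of mirrors, not repomd.xml).
probe_repo() {
    curl -sS -m 15 -o /dev/null -w '%{http_code}\n' "${1%/}/repodata/repomd.xml"
}

# disable_repo DIR REPOID: set enabled=0 in that section only, leaving other
# sections of the same file alone; adds the line if the section had none.
disable_repo() {
    for f in "$1"/*.repo; do
        grep -q "^\[$2\]" "$f" || continue
        tmp=$(mktemp)
        awk -v repo="$2" '
            /^\[.*\]$/ {
                if (in_sec && !done) print "enabled=0"
                in_sec = ($0 == ("[" repo "]")); done = 0
            }
            in_sec && /^[ \t]*enabled[ \t]*=/ { print "enabled=0"; done = 1; next }
            { print }
            END { if (in_sec && !done) print "enabled=0" }' "$f" > "$tmp"
        cat "$tmp" > "$f"      # keeps the original file's ownership and mode
        rm -f "$tmp"
    done
}

# demo: constructed stand-ins for two of the files listed in the thread.
demo() {
    d=$(mktemp -d)
    cat > "$d/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
enabled=1
EOF
    cat > "$d/graphdat.repo" <<'EOF'
[graphdat]
name=graphdat
baseurl=http://premium-yum.boundary.com/CentOS/6
enabled=1
gpgcheck=0
EOF
    echo "--- enabled before"; list_enabled_repos "$d"
    disable_repo "$d" graphdat
    echo "--- enabled after";  list_enabled_repos "$d"
    echo "--- graphdat.repo";  cat "$d/graphdat.repo"
    rm -rf "$d"
}

case "${1:-}" in
    list)    list_enabled_repos /etc/yum.repos.d ;;
    probe)   probe_repo "$2" ;;
    disable) disable_repo /etc/yum.repos.d "$2" ;;
    demo)    demo ;;
esac
```

`list` tells you at a glance which enabled repos are not the Centmin Mod set; `probe` with a suspect baseurl returns 404 for a dead one like the graphdat host above. For a one-off you can also just run `yum --disablerepo=graphdat update`, and with yum-utils installed `yum-config-manager --disable graphdat` does the same edit as `disable`; the point of editing rather than deleting the .repo file is that anything installed from that repo stays traceable to where it came from.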

     
  19. pamamolf

    Don't have any idea how :)

    All working great now :)

    Sorry for that George.... I spent your time for my fault :(
     
  20. pamamolf

    It seems it is not my day today :)

    Code:
    WARNING: Incremental update failed, trying to download daily.cvd
    connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
    Can't connect to port 80 of host db.gr.clamav.net (IP: 194.62.23.99)
    Unless that means that it can't be done incrementally but it can be by full download :)