You only get emails if the scan found malware/viruses.
But I think it would be good if I run it using a cron once per day to get the stats even if no malware is found.... Is it easy to adjust this?
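One way to get the daily stats the question above asks for, as an added example that is not from the thread or the Centmin Mod maldet.sh addon: a cron wrapper that runs the same scan in the foreground, reduces maldet's "scan completed" line to a one-line summary and mails it whether or not anything was found. The maldet path, scan path and recipient address are assumptions; the sample output is copied from the scan shown later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the maldet.sh addon): a daily cron job that
# runs the scan and always mails a one-line stats summary, hits or no hits.
# Assumptions: maldet install path, the scan path, and the recipient address.
MALDET=/usr/local/maldetect/maldet
SCAN_PATH='/home/nginx/domains/?/public'
MAILTO='admin@example.com'   # assumption: replace with your address

# Reads maldet's output on stdin and reduces the "scan completed on PATH: files N,
# malware hits M, cleaned hits C" and "scan report saved" lines to one record.
maldet_summary() {
    awk '
        /scan completed on/ {
            sub(/.*scan completed on /, "")
            split($0, a, ": ")          # a[1]=path, a[2]="files N, malware hits M, ..."
            path = a[1]
            n = split(a[2], kv, ", ")
            for (i = 1; i <= n; i++) { m = split(kv[i], f, " "); v[i] = f[m] }
        }
        /scan report saved/ { report = $NF }   # e.g. 113014-0822.14952
        END {
            if (v[1] == "") { print "ERROR: no scan summary in maldet output"; exit 1 }
            print path, "files=" v[1], "hits=" v[2], "cleaned=" v[3], "report=" report
        }'
}

# Run the scan in the foreground (no -b) so its output can be summarised, then mail it.
daily_scan() {
    summary=$("$MALDET" -a "$SCAN_PATH" 2>&1 | maldet_summary) \
        || summary="ERROR: maldet scan failed"
    printf '%s\n' "$summary" | mail -s "maldet daily: $summary" "$MAILTO"
}

# Constructed sample, taken from the scan output posted in this thread.
SAMPLE_OUTPUT='maldet(14952): {scan} scan of /home/nginx/domains/*/public (4533 files) in progress...
maldet(14952): {scan} scan completed on /home/nginx/domains/*/public: files 4533, malware hits 0, cleaned hits 0
maldet(14952): {scan} scan report saved, to view run: maldet --report 113014-0822.14952'

demo_summary() { printf '%s\n' "$SAMPLE_OUTPUT" | maldet_summary; }

# Install as e.g. /etc/cron.daily/maldet-stats and invoke with the "run" argument,
# so that merely sourcing the file does not start a scan.
case "${1:-}" in run) daily_scan ;; esac
```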
With CryptoPHP backdoor malware on the loose it's now more important than ever to have a Maldet + ClamAV scanner set up, as it's one of the malware scanners which is able to detect and clean CryptoPHP malware infections! Maldet detects CryptoPHP malware as {HEX}php.crytpophp.pnginclude or {HEX}php.bseo.cryptophp. Note if you are infected, cleaning isn't enough - you have to totally wipe your account/server and restore from a recent clean backup (yes, backups are important to have and to do regularly!). Actually the official maldet web site lists a few signature updates.

Using the maldet.sh Centmin Mod Addon installer to install and configure maldet.sh and the ClamAV scanner for a quick scan of my WordPress blog. Update the maldet and ClamAV definitions first:

Code:
freshclam
ClamAV update process started at Sun Nov 30 09:20:06 2014
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.4 Recommended version: 0.98.5
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cvd is up to date (version: 19699, sigs: 1278291, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 242, sigs: 46, f-level: 63, builder: dgoddard)

Code:
maldet -u
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(14167): {sigup} performing signature update check...
maldet(14167): {sigup} local signature set is version 2014112423513
maldet(14167): {sigup} latest signature set already installed

Run a full scan on the Centmin Mod Nginx public web root directories; it returned 0 malware hits out of 4533 files scanned.

Code:
/usr/local/maldetect/maldet -a /home/nginx/domains/?/public
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(14952): {scan} signatures loaded: 11866 (9965 MD5 / 1901 HEX)
maldet(14952): {scan} building file list for /home/nginx/domains/*/public, this might take awhile...
maldet(14952): {scan} file list completed, found 4533 files...
maldet(14952): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(14952): {scan} scan of /home/nginx/domains/*/public (4533 files) in progress...
maldet(14952): {scan} scan completed on /home/nginx/domains/*/public: files 4533, malware hits 0, cleaned hits 0
maldet(14952): {scan} scan report saved, to view run: maldet --report 113014-0822.14952
Updated .08 beta's addons/maldet.sh at centminmod/maldet.sh at 123.08centos7beta01 · centminmod/centminmod · GitHub. You can see the full revision changes at History for addons/maldet.sh - centminmod/centminmod · GitHub.

If you already installed maldet via addons/maldet.sh as outlined here, you can just update the daily cron with the changes I made by typing the following commands in SSH, to scan the /boot, /etc and /usr directories too:

Code:
echo "" >> /etc/cron.daily/maldet
echo "# extend maldet scans to other areas" >> /etc/cron.daily/maldet
echo "/usr/local/maldetect/maldet -b -r /boot 2 >> /dev/null 2>&1" >> /etc/cron.daily/maldet
echo "/usr/local/maldetect/maldet -b -r /etc 2 >> /dev/null 2>&1" >> /etc/cron.daily/maldet
echo "/usr/local/maldetect/maldet -b -r /usr 2 >> /dev/null 2>&1" >> /etc/cron.daily/maldet

Example manual scan of /usr as well:

Code:
time maldet -r /usr
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(19802): {scan} signatures loaded: 10727 (8823 MD5 / 1904 HEX)
maldet(19802): {scan} building file list for /usr of new/modified files from last 7 days, this might take awhile...
maldet(19802): {scan} file list completed, found 1590 files...
maldet(19802): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(19802): {scan} scan of /usr (1590 files) in progress...
maldet(19802): {scan} scan completed on /usr: files 1590, malware hits 0, cleaned hits 0
maldet(19802): {scan} scan report saved, to view run: maldet --report 030915-1640.19802

real 0m12.596s
user 0m10.920s
sys 0m1.423s
Is maldet able to detect edited PHP files that have backdoor code to allow remote execution of commands?
If there's a signature/hash for it, yes.

Profiling the current maldet sig database:

Code:
maldetprofile.sh
download latest signature database http://www.rfxn.com/api/lmd?id=all
filter maldet sig database for PHP related sigs
Total Number of Maldet signatures: 14525
PHP related Maldet signatures ranked:
3055 php.ircbot
1974 php.cmdshell
458 php.exe
373 php.nested
240 php.id
235 php.mailer
174 php.injector
80 php.clamav
55 php.generic
49 php.cracker
34 php.uploader
34 php.dbscan
33 php.pktflood
30 php.cpanel
26 php.shell
25 php.include
19 php.proxyinject
10 php.phishing
9 php.whmcs
9 php.spy
9 php.proxy
9 php.defash
9 php.dbman
6 php.malware
6 php.base64
5 php.sessmasq
4 php.xmlrpc
4 php.filebrowser
4 php.encoded
3 php.rshell
2 php.xss-scan
2 php.redirect
2 php.joomla
2 php.exec
2 php.cpcrack
2 php.configspy
2 php.bseo
2 php.bot
1 php.upload
1 php.crytpophp
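The ranking above comes from maldetprofile.sh, whose contents are not shown in the thread; as an added example (not that script), this is one way to produce the same kind of PHP-family ranking from the signature list, assuming the rfxn.com list has one signature name per line in maldet's {HEX}family.name.N / {MD5}family.name.N form. The sample list is constructed, so it runs offline.

```shell
#!/bin/sh
# Added example (not the thread's maldetprofile.sh): rank maldet signatures by PHP family.
# Assumption: the downloaded list has one signature name per line, such as
#   {HEX}php.cmdshell.unclassed.344  or  {MD5}php.ircbot.generic.1

SIG_URL='http://www.rfxn.com/api/lmd?id=all'   # URL named in the thread

# Constructed sample list standing in for the download so the example runs offline.
SAMPLE_SIGS='{HEX}php.cmdshell.unclassed.344
{MD5}php.cmdshell.r57.1
{HEX}php.ircbot.pbot.12
{MD5}php.ircbot.generic.2
{HEX}php.ircbot.unclassed.9
{HEX}php.crytpophp.pnginclude
{HEX}php.bseo.cryptophp
{MD5}perl.ircbot.generic.5
{HEX}gzbase64.inject.unclassed.15'

# Reads signature names on stdin; prints "count php.family" lines, most common first
# (ties broken by family name so the output is stable across sort implementations).
profile_php_sigs() {
    sed -e 's/^{[A-Z0-9]*}//' \
        | awk -F. '$1 == "php" && NF >= 2 { print $1 "." $2 }' \
        | sort | uniq -c | sort -k1,1nr -k2,2 \
        | awk '{ print $1, $2 }'
}

# Total number of signatures on stdin (non-empty lines).
count_sigs() { grep -c . ; }

# Live use against the real list (not run here):
#   curl -s "$SIG_URL" | profile_php_sigs

demo_profile() { printf '%s\n' "$SAMPLE_SIGS" | profile_php_sigs; }
demo_total()   { printf '%s\n' "$SAMPLE_SIGS" | count_sigs; }
```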
I just installed it on CentOS 6.6 64bit and I got this:

Code:
http://premium-yum.boundary.com/CentOS/6/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 404 Not Found"
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: graphdat. Please verify its path and try again
./maldet.sh: line 149: /etc/init.d/clamd: No such file or directory
error reading information on service clamd: No such file or directory
./maldet.sh: line 151: freshclam: command not found

I used this:

Code:
cd /usr/local/src/centminmod-123.08centos7beta02/addons
wget https://gist.github.com/centminmod/f6e3d3c502106cdb6b89/download#file-maldet-sh
chmod +x maldet.sh

Then I edited it, added my email and ran: ./maldet.sh
The mirror you were assigned is broken or down: http://premium-yum.boundary.com/CentOS/6/repodata/repomd.xml. You need to exclude the broken mirror from yum, see PackageManagement/Yum/FastestMirror - CentOS Wiki.
OK, I added it as (I also removed the # in front):

Code:
exclude=.gov, facebook, myspace, junk-mirror.com, premium-yum.boundary.com

But I got the same error again:

Code:
* updates: centos.quelquesmots.fr
http://premium-yum.boundary.com/CentOS/6/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 404 Not Found"
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: graphdat. Please verify its path and try again
./maldet.sh: line 149: /etc/init.d/clamd: No such file or directory
error reading information on service clamd: No such file or directory
./maldet.sh: line 151: freshclam: command not found

I also ran yum clean all before... and I also restarted the server, but nothing. Maybe the problem is:

Code:
Loading mirror speeds from cached hostfile

? Also in

Code:
/var/cache/yum/x86_64/6/timedhosts.txt

this mirror is not listed, and removing that file and trying again doesn't help either.
I did it and it is not working. Now I am getting the same problem with yum update also.... Damn. It seems to ignore my edit to exclude it....
What do the contents of /etc/yum.repos.d/CentOS-Base.repo and /etc/yum.repos.d/epel.repo look like, and what is the output of this command:

Code:
ls -lAhrt /etc/yum.repos.d | grep -v OLD

Also try removing the mirrorlist file too: /var/cache/yum/x86_64/6/base/mirrorlist.txt
Code:
ls -lAhrt /etc/yum.repos.d | grep -v OLD
total 112K
-rw-r--r-- 1 root root 1.1K Nov  5  2012 epel-testing.repo
-rw-r--r-- 1 root root  728 Mar 20  2013 mirrors-rpmforge-testing
-rw-r--r-- 1 root root  717 Mar 20  2013 mirrors-rpmforge-extras
-rw-r--r-- 1 root root  739 Mar 20  2013 mirrors-rpmforge
-rw-r--r-- 1 root root 2.0K Jul  4  2014 CentOS-Base.repo
-rw-r--r-- 1 root root  340 Jul  4  2014 Percona.repo
-rw-r--r-- 1 root root  223 Jul  4  2014 varnish.repo
-rw-r--r-- 1 root root 1.2K Jul  4  2014 axivo.repo
-rw-r--r-- 1 root root  356 Jul  4  2014 mariadb.repo
-rw-r--r-- 1 root root  140 Oct  6 04:38 graphdat.repo
-rw-r--r-- 1 root root 5.3K Oct 23 14:41 CentOS-Vault.repo
-rw-r--r-- 1 root root  630 Oct 23 14:41 CentOS-Media.repo
-rw-r--r-- 1 root root  289 Oct 23 14:41 CentOS-fasttrack.repo
-rw-r--r-- 1 root root  647 Oct 23 14:41 CentOS-Debuginfo.repo
-rw-r--r-- 1 root root 2.0K Oct 23 14:41 CentOS-Base.repo.rpmnew
-rw-r--r-- 1 root root 2.6K Dec  2 22:33 percona-release.repo
-rw-r--r-- 1 root root 2.3K Dec  2 22:36 remi.repo
-rw-r--r-- 1 root root 1.2K Mar 25 00:39 rpmforge.repo
-rw-r--r-- 1 root root 1007 Apr  4 17:46 epel.repo

I also deleted this: /var/cache/yum/x86_64/6/base/mirrorlist.txt

But nothing.
You added an additional repo that isn't installed by Centmin Mod = graphdat.repo. That is your problem repo.
Don't have any idea how, but all is working great now. Sorry for that George.... I took up your time through my own fault.
It seems it is not my day today.

Code:
WARNING: Incremental update failed, trying to download daily.cvd
connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
Can't connect to port 80 of host db.gr.clamav.net (IP: 194.62.23.99)

Unless that means that it can't be done by incremental update but it can by full download?