Learn about Centmin Mod LEMP Stack today
Become a Member

Featured Maldet - Linux Malware Detect Addon (discussion)

Discussion in 'Add Ons' started by eva2000, Jul 17, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    just try later
     
  2. pamamolf

    pamamolf Well-Known Member

    2,469
    223
    63
    May 31, 2014
    Ratings:
    +382
    Local Time:
    11:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    It may be related to this:

    Code:
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.98.4 Recommended version: 0.98.6
    Add the updated version to maldet.sh script?

    Also is there any way to just let me know about the results without editing/deleting or move original files to quarantine?
     
    Last edited: Apr 5, 2015
  3. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    problem is epel repo only has 0.98.4 and other repos 0.98.6 breaks clamav usage as it doesn't have some files/tools that 0.98.4 has. I have no problems with 0.98.4 it's just the clam update mirror you are getting is down or slow for your geographical location

    you can turn off quarantine and clean but that defeats purpose of using maldet

    Code:
    ##
    # [ QUARANTINE OPTIONS ]
    ##
    # The default quarantine action for malware hits
    # [0 = alert only, 1 = move to quarantine & alert]
    quar_hits=1
    
    # Try to clean string based malware injections
    # [NOTE: quar_hits=1 required]
    # [0 = disabled, 1 = clean]
    quar_clean=1
     
  4. pamamolf

    pamamolf Well-Known Member

    2,469
    223
    63
    May 31, 2014
    Ratings:
    +382
    Local Time:
    11:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    I don't have any problem with quarantine files but i don't want to automatically delete or edit files......

    Just scan and move infected files to quarantine and leave original files there as i want first to check if there is real infection or false alarm...
     
  5. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    then disable cleaning
    Code:
    quar_clean=0
     
    • Like Like x 1
  6. pamamolf

    pamamolf Well-Known Member

    2,469
    223
    63
    May 31, 2014
    Ratings:
    +382
    Local Time:
    11:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Ok great :)

    Path of the file that i should edit?
     
  7. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    in 1st post
     
    • Like Like x 1
  8. pamamolf

    pamamolf Well-Known Member

    2,469
    223
    63
    May 31, 2014
    Ratings:
    +382
    Local Time:
    11:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Ok one last question :)

    For the restore of a file i can use this as maldet -h report:

    Code:
    maldet --restore /usr/local/maldetect/quarantine/config.php.23754
    But there i can see only only an extension with .info .....?

    Code:
    cache.php.29732.info
    And inside it has the permissions of the file and the path....
     
  9. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    see first post links all info you need is there :)

    Links
    hint see

    Code:
    ls -lAhrt /usr/local/maldetect/quarantine/
    as is the help file
    Code:
     maldet -h
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                (C) 2013, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    signature set: 201504037673
    usage /usr/local/sbin/maldet [ OPTION ]
        -b, --background
          Execute operations in the background, ideal for large scans
          e.g: maldet -b -r /home/?/public_html 7
    
        -u, --update
           Update malware detection signatures from rfxn.com
    
        -d, --update-ver
           Update the installed version from rfxn.com
    
        -m, --monitor USERS|PATHS|FILE
           Run maldet with inotify kernel level file create/modify monitoring
           If USERS is specified, monitor user homedirs for UID's > 500
           If FILE is specified, paths will be extracted from file, line spaced
           If PATHS are specified, must be comma spaced list, NO WILDCARDS!
           e.g: maldet --monitor users
           e.g: maldet --monitor /root/monitor_paths
           e.g: maldet --monitor /home/mike,/home/ashton
    
        -k, --kill
           Terminate inotify monitoring service
    
        -r, --scan-recent PATH DAYS
           Scan files created/modified in the last X days (default: 7d, wildcard: ?)
           e.g: maldet -r /home/?/public_html 2
    
        -a, --scan-all PATH
           Scan all files in path (default: /home, wildcard: ?)
           e.g: maldet -a /home/?/public_html
    
        -c, --checkout FILE
           Upload suspected malware to rfxn.com for review & hashing into signatures
    
        -l, --log
           View maldet log file events
    
        -e, --report SCANID email
           View scan report of most recent scan or of a specific SCANID and optionally
           e-mail the report to a supplied e-mail address
           e.g: maldet --report
           e.g: maldet --report list
           e.g: maldet --report 050910-1534.21135
           e.g: maldet --report SCANID user@domain.com
    
        -s, --restore FILE|SCANID
           Restore file from quarantine queue to orginal path or restore all items from
           a specific SCANID
           e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
           e.g: maldet --restore 050910-1534.21135
    
        -q, --quarantine SCANID
           Quarantine all malware from report SCANID
           e.g: maldet --quarantine 050910-1534.21135
    
        -n, --clean SCANID
           Try to clean & restore malware hits from report SCANID
           e.g: maldet --clean 050910-1534.21135
    
        -U, --user USER
           Set execution under specified user, ideal for restoring from user quarantine or
           to view user reports.
           e.g: maldet --user nobody --report
           e.g: maldet --user nobody --restore 050910-1534.21135
    
        -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
           Set or redefine the value of conf.maldet config options
           e.g: maldet --config-option email_addr=you@domain.com,quar_hits=1
    
        -p, --purge
           Clear logs, quarantine queue, session and temporary data.
     
  10. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    also for excluding files see readme section 8
    Code:
    .: 8 [ IGNORE OPTIONS ]
    
    There are four ignore files available and they break down as follows:
    
    /usr/local/maldetect/ignore_paths
    
    A line spaced file for paths that are to be execluded from search results
    Sample ignore entry:
    
    /home/user/public_html/cgi-bin
    
    /usr/local/maldetect/ignore_file_ext
    
    A line spaced file for file extensions to be excluded from search results
    Sample ignore entry:
    .js
    .css
    
    /usr/local/maldetect/ignore_sigs
    
    A line spaced file for signatures that should be removed from file scanning
    Sample ignore entry:
    
    base64.inject.unclassed
    
    /usr/local/maldetect/ignore_inotify
    
    A line spaced file for regexp paths that are excluded from inotify monitoring
    Sample ignore entry:
    
    ^/home/user$
    ^/var/tmp/#sql_.*\.MYD$
     
  11. pamamolf

    pamamolf Well-Known Member

    2,469
    223
    63
    May 31, 2014
    Ratings:
    +382
    Local Time:
    11:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    All of the links have info about config.php.23754 and not with .info extension like cache.php.29732.info :(
     
  12. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    same thing if you read the docs
     
    • Like Like x 1
  13. pamamolf

    pamamolf Well-Known Member

    2,469
    223
    63
    May 31, 2014
    Ratings:
    +382
    Local Time:
    11:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Ok thanks George !!!
     
  14. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5

    Malware & Virus Scan FTP Uploaded Files



    One thing that Pure-FTPD users can do is configure automatic malware and virus scans on uploaded files done through Pure-FTPD. Be aware this may potentially increase your cpu and memory usage requirements - especially for large file uploads. To implement automatic malware and virus scanning on uploaded files via Pure-FTPD you need
    1. To install Linux Malware Detect (maldet) and ClamAV scanner via Centmin Mod maldet.sh addon which is available in Centmin Mod .08+ beta03 and higher addons/maldet.sh directory path. Details at Maldet - Linux Malware Detect Addon (discussion) | Centmin Mod Community
    2. Then on Centmin Mod .08+ beta03 and higher you should already have Pure-FTPD support.
    Once maldet.sh addon is installed and with running Pure-FTPD service, you enable pure-ftpd CallUploadScript support and setup the the called shell script clamscan.sh which is invoked each time a file is uploaded via Pure-FTPD virtual FTP user.

    Create a file named setup-callupload.sh and place in file the contents. This script properly sets up what is needed to enable CallUploadScript in pure-ftpd.conf, setup the clamscan.sh shell script which runs each time files are uploaded and runs the pure-uploadscript in background. Any infections are reported in /var/log/clamscan-pureftpd.log and normal uploads are logged in /var/log/pureftpd.log.
    Code:
    #!/bin/bash
    
    sed -i 's|^#CallUploadScript yes|CallUploadScript yes|g' /etc/pure-ftpd/pure-ftpd.conf
    
    cat >/etc/pure-ftpd/clamscan.sh<< EOF
    #!/bin/bash
    /usr/bin/clamdscan --remove --quiet --no-summary "\$1" --log=/var/log/clamscan-pureftpd.log
    EOF
    
    chmod +x /etc/pure-ftpd/clamscan.sh
    
    pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh
    
    echo "pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh" >> /etc/rc.local
    
    service pure-ftpd restart
    
    then chmod +x and run script
    Code:
    chmod +x setup-callupload.sh
    ./setup-callupload.sh
     
    Last edited: Dec 21, 2015
    • Like Like x 2
  15. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    Added a note to Addons page at Centmin Mod Addons - CentminMod.com LEMP Nginx web stack for CentOS regarding higher resource usage with maldet + ClamAV
     
  16. Eduardo

    Eduardo New Member

    27
    3
    3
    Feb 7, 2015
    Ratings:
    +5
    Local Time:
    5:38 AM
    1.7.9
    can I run maldet without clamav to save precious ram, with pure-ftpd support?
     
  17. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    you could be it will magnitudes slower from the earlier posts in this thread without clamav, maldet was 533x times slower !

    probably better just to add more memory :)
     
  18. Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +149
    Local Time:
    10:38 AM
    1.9.9
    10.1.10
    Seems like when installing via the provided add on, email alerts are disabled by default.
    Code:
    [root@server maldetect]# cat conf.maldet | grep email_alert
    email_alert="0"
    
    I think this is not as intended, is it @eva2000?
     
    • Like Like x 1
  19. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    Yup bug looks like the default config now wraps value in double quotes which my sed replace didn't catch at centminmod/maldet.sh at master · centminmod/centminmod · GitHub

    will fix.. thanks for yet another bug report !

    you can fix it manually using command
    Code:
    sed -i 's/email_alert=\"0\"/email_alert=\"1\"/g' /usr/local/maldetect/conf.maldet
    edit fixed in stable and beta branch code update addons/maldet.sh addon · centminmod/centminmod@1b68785 · GitHub :)
     
    Last edited: Dec 19, 2015
    • Like Like x 1
  20. eva2000

    eva2000 Administrator Staff Member

    28,348
    6,438
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,535
    Local Time:
    6:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    can you check if your config file has
    Code:
    quar_hits=1
    or
    Code:
    quar_hits="1"