
Installing and using Linux Malware Detect (LMD) in Linux Operating Systems with cPanel

Managing servers that host many customer websites in a shared hosting environment is hard work.

Picture this: you spend the whole night configuring and customising a WordPress site, go to bed at 6 AM happy with the result, wake up, have lunch and come back to look at your site. Damn it: the site now shows a "hacked by" defacement page put there by some idiot.

I know how frustrating it is to see that much work damaged by malware, typically PHP web shells and injected scripts executed through the web server.

To deal with this kind of issue you have Linux Malware Detect (LMD, also known as maldet) to scan for and detect such infected files, and optionally quarantine them. Keep in mind that LMD is a signature-based scanner: it finds known malware after the fact, it does not close the hole (outdated plugin, weak password) the malware came in through.

Below are the steps to install Linux Malware Detect (LMD). It coexists with cPanel without any issues.

First create a directory to hold the LMD installation files (-p also creates the parent /root/install if it does not exist yet).

root@earn [~]# mkdir -p /root/install/maldetect/

Change into the newly created directory.

root@earn [~]# cd /root/install/maldetect/

Now download the current LMD release with wget.

root@earn [~/install/maldetect]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

--2015-04-17 05:57:08--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
HTTP request sent, awaiting response... 200 OK
Length: 1762295 (1.7M) [application/x-gzip]
Saving to: maldetect-current.tar.gz
100%[======================================>] 1,762,295   1.62M/s   in 1.0s    
2015-04-17 05:57:09 (1.62 MB/s) - maldetect-current.tar.gz saved [1762295/1762295]

Extract the archive.

root@earn [~/install/maldetect]# tar -xvf maldetect-current.tar.gz

Change into the extracted directory and run the installer. The release in this example is 1.4.2; the directory name shows the version you actually downloaded, so adjust the cd accordingly.

root@earn [~/install/maldetect]# cd maldetect-1.4.2
root@earn [~/install/maldetect/maldetect-1.4.2]# ./install.sh 
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks 
            (C) 2013, Ryan MacDonald 
inotifywait (C) 2007, Rohan McGovern 
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(17010): {sigup} performing signature update check...
maldet(17010): {sigup} local signature set is version 201205035915
maldet(17010): {sigup} new signature set (201504066258) available
maldet(17010): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
maldet(17010): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
maldet(17010): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
maldet(17010): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
maldet(17010): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
maldet(17010): {sigup} signature set update completed
maldet(17010): {sigup} 10749 signatures (8838 MD5 / 1911 HEX)

Next, edit the LMD configuration file, /usr/local/maldetect/conf.maldet, and set the options that control alerting and quarantine.

Open the file with the nano editor.
# nano /usr/local/maldetect/conf.maldet

Only the options you need to change are listed below; the remaining defaults are fine for a first run. Set email_addr to the address that should receive the scan reports.
1. email_alert
2. email_subj
3. email_addr
4. quar_hits
5. quar_clean
6. clamav_scan (leave it enabled: when the ClamAV clamscan binary is installed LMD uses it as the scan engine, which is considerably faster than its own scanner)


# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname) - $(date +%Y-%m-%d)"


# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="[email protected]"

# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# Attempt to detect the presence of ClamAV clamscan binary
# [ 0 = disabled, 1 = enabled; enabled by default ]
clamav_scan=1

Once the configuration is done, press Ctrl+O to write the changes and Ctrl+X to exit nano.
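Editing conf.maldet by hand is fine for one server, but on a fleet of cPanel boxes you want the same change applied the same way every time. The script below is an added example (not part of the original post and not LMD's own code): it sets the six options above in a key=value style config, appends any key that is missing, and then checks the combination for the one dependency the file itself warns about (quar_clean=1 requires quar_hits=1). The conf.maldet path is passed in by the caller (/usr/local/maldetect/conf.maldet on a real host); the sample file and the address admin@example.com are constructed for the offline demo and are not from the post.

```shell
#!/bin/sh
# Added example (not from the original post, not part of LMD): apply the
# conf.maldet settings from the post non-interactively and sanity-check them.
# Assumes the LMD 1.4.x format of plain "key=value" lines with '#' comments.
# Values must not contain '&' or '\' (special in a sed replacement).

# set_opt FILE KEY VALUE
# Replace an existing "KEY=..." line (comments are left untouched); append the
# line if the key is absent. Idempotent: running it twice gives the same file.
# The file is rewritten in place so its owner and mode are preserved.
set_opt() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        new=$(sed "s|^${key}=.*|${key}=${value}|" "$file") && printf '%s\n' "$new" > "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_opt FILE KEY -> prints the current value of KEY (empty if unset)
get_opt() {
    sed -n "s/^${2}=//p" "$1" | tail -n 1
}

# configure_maldet FILE ADDRESS: the settings changed in the post, in one place.
configure_maldet() {
    file=$1; addr=$2
    set_opt "$file" email_alert 1
    set_opt "$file" email_subj '"maldet alert from $(hostname) - $(date +%Y-%m-%d)"'
    set_opt "$file" email_addr "\"$addr\""
    set_opt "$file" quar_hits 1
    set_opt "$file" quar_clean 1
    set_opt "$file" clamav_scan 1
}

# check_maldet FILE -> 0 if the alert/quarantine settings are consistent,
# 1 otherwise (each problem is printed to stderr):
#   quar_clean=1 is only honoured when quar_hits=1 (see the NOTE in conf.maldet)
#   email_alert=1 is useless without a destination address
check_maldet() {
    file=$1; rc=0
    if [ "$(get_opt "$file" quar_clean)" = 1 ] && [ "$(get_opt "$file" quar_hits)" != 1 ]; then
        echo "quar_clean=1 but quar_hits is not 1: cleaning will not run" >&2; rc=1
    fi
    if [ "$(get_opt "$file" email_alert)" = 1 ] && [ -z "$(get_opt "$file" email_addr | tr -d '"')" ]; then
        echo "email_alert=1 but email_addr is empty: reports go nowhere" >&2; rc=1
    fi
    return $rc
}

# make_sample_conf FILE: constructed, abridged stock conf.maldet (alerts and
# quarantine off, email_subj and clamav_scan deliberately missing) for the demo.
make_sample_conf() {
    cat > "$1" <<'EOF'
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=0

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr=""

# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=0

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=0
EOF
}

# demo: configure a throw-away copy of the sample file and verify it.
demo() {
    demo_file=$(mktemp)
    make_sample_conf "$demo_file"
    configure_maldet "$demo_file" admin@example.com   # hypothetical address
    check_maldet "$demo_file"; demo_rc=$?
    get_opt "$demo_file" email_addr                    # -> "admin@example.com"
    rm -f "$demo_file"
    return $demo_rc
}

demo
```

On a real server replace the demo with configure_maldet /usr/local/maldetect/conf.maldet you@yourdomain followed by check_maldet on the same path, and run it as root. The check is worth keeping even if you edit by hand: a quar_clean=1 without quar_hits=1 silently does nothing, and you only notice when the next infected account is not cleaned.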

Now we run a scan.
(I used an account that already had infected files, which the customer migrated to this server today.)

root@earn [~]# maldet --scan-all /home/username/


Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks 
            (C) 2013, Ryan MacDonald 
inotifywait (C) 2007, Rohan McGovern 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(23098): {scan} signatures loaded: 10749 (8838 MD5 / 1911 HEX)
maldet(23098): {scan} building file list for /home/username/, this might take awhile...
maldet(23098): {scan} file list completed, found 1868 files...
maldet(23098): {scan} 1868/1868 files scanned: 7 hits 0 cleaned
maldet(23098): {scan} scan completed on /home/username/: files 1868, malware hits 7, cleaned hits 0
maldet(23098): {scan} scan report saved, to view run: maldet --report 041715-0605.23098
maldet(23098): {alert} sent scan report to [email protected]

In the scan above the report ID is 041715-0605.23098. Because quar_hits=1 was set, the seven hits are moved to the quarantine directory (/usr/local/maldetect/quarantine) instead of being left in place.
View the full list of hits and the signatures that matched with:

# maldet --report 041715-0605.23098

From here you have two options for the infected files: delete them outright from the quarantine directory, or run maldet --clean against the report ID. Deleting the quarantine contents is irreversible, so check the report for false positives before you do it. --clean does not delete anything: it tries to strip the injected malware strings from the files in the report and put the cleaned files back, which only works for string-based injections, not for whole-file web shells. Note that this scan already ran with quar_clean=1 and reports 0 cleaned, so these seven hits were evidently not injections LMD knows how to clean, and --clean is unlikely to do more for them.

root@earn [~]# rm -rf /usr/local/maldetect/quarantine/*

or

root@earn [~]# maldet --clean 041715-0605.23098

The final part is scheduling. The installer already placed a daily job at /etc/cron.daily/maldet (see the install output above), which updates the signatures and scans recently changed files under the user web roots, so daily scanning runs without further setup; the settings in conf.maldet, including e-mail alerts and quarantine, apply to those cron scans as well.
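If you run your own scheduled scans on top of that, what you want from cron is silence on a clean run and a clear, non-zero exit when there are hits so that cron's mail (or your monitoring) fires. The wrapper below is an added example (not from the post and not part of LMD): it parses the {scan} summary lines in the exact format shown in the scan output above, prints "REPORT-ID HITS CLEANED" and returns 0 for no hits, 1 for hits that were all cleaned, 2 for hits that still need attention, and 3 if the output could not be parsed (treated as a failure, never as clean). MALDET_BIN and LOG are hypothetical variables, and the two sample outputs are constructed from the post's scan with a placeholder address.

```shell
#!/bin/sh
# Added example (not from the original post, not part of LMD): a cron wrapper
# that turns maldet's {scan} summary into an exit status.
# Assumes the 1.4.x output format:
#   "... scan completed on PATH: files N, malware hits N, cleaned hits N"
#   "... scan report saved, to view run: maldet --report ID"

# Constructed sample output, modelled on the scan in the post (address is a placeholder).
SAMPLE_SCAN_OUTPUT='maldet(23098): {scan} signatures loaded: 10749 (8838 MD5 / 1911 HEX)
maldet(23098): {scan} building file list for /home/username/, this might take awhile...
maldet(23098): {scan} file list completed, found 1868 files...
maldet(23098): {scan} 1868/1868 files scanned: 7 hits 0 cleaned
maldet(23098): {scan} scan completed on /home/username/: files 1868, malware hits 7, cleaned hits 0
maldet(23098): {scan} scan report saved, to view run: maldet --report 041715-0605.23098
maldet(23098): {alert} sent scan report to admin@example.com'

# Constructed clean run, for comparison.
SAMPLE_CLEAN_OUTPUT='maldet(23100): {scan} scan completed on /home/other/: files 42, malware hits 0, cleaned hits 0
maldet(23100): {scan} scan report saved, to view run: maldet --report 041715-0700.23100'

# report_id: scan output on stdin -> report ID (empty if none was saved)
report_id() {
    sed -n 's/.*maldet --report \([0-9]*-[0-9]*\.[0-9]*\).*/\1/p' | tail -n 1
}

# scan_count NAME: scan output on stdin -> the number after NAME in the
# "scan completed" line, e.g. scan_count "malware hits" -> 7
scan_count() {
    sed -n "s/.*scan completed on .*${1} \([0-9][0-9]*\).*/\1/p" | tail -n 1
}

# verdict: scan output on stdin -> prints "ID HITS CLEANED" and returns
#   0 no hits / 1 hits, all cleaned / 2 hits needing attention / 3 unparsable
verdict() {
    out=$(cat)
    id=$(printf '%s\n' "$out" | report_id)
    hits=$(printf '%s\n' "$out" | scan_count "malware hits")
    cleaned=$(printf '%s\n' "$out" | scan_count "cleaned hits")
    if [ -z "$hits" ] || [ -z "$cleaned" ]; then
        echo "unparsed"; return 3
    fi
    printf '%s %s %s\n' "${id:-none}" "$hits" "$cleaned"
    [ "$hits" -eq 0 ] && return 0
    [ "$cleaned" -ge "$hits" ] && return 1
    return 2
}

# run_scan PATH: run the real scanner (MALDET_BIN, hypothetical), keep the raw
# output in LOG for later reference, and exit with verdict's status.
run_scan() {
    "${MALDET_BIN:-/usr/local/sbin/maldet}" --scan-all "$1" 2>&1 \
        | tee -a "${LOG:-/var/log/maldet-wrapper.log}" | verdict
}

# Offline demo on the constructed sample: prints "041715-0605.23098 7 0", status 2.
printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | verdict || echo "verdict exit status: $?"
```

In a crontab you would call run_scan /home/username (or the whole /home) and rely on the non-zero exit and the one-line verdict to get noticed; a status of 2 is the cue to open maldet --report with the printed ID, and 3 means the scanner itself broke and must not be mistaken for a clean result.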
