Debian malware detection with Maldetect

If you host multiple websites, this tutorial will help you set up a malware detection tool on Debian so you can quickly find websites that have been compromised, instead of first hearing about it from abuse reports that your server is hosting malware.

On a Debian system, Linux Malware Detect will not run in monitor mode out of the box, but scan mode works fine.

Prepare your Debian Server and install LMD

Linux Malware Detect ships with a 32-bit inotifywait binary and the associated libinotifytools library. Debian Wheezy will not run 32-bit binaries out of the box.

We'll first need to install the inotify-tools and libinotifytools0 packages, which put 64-bit builds of inotify on the system, and sed, which we use to edit the configuration files:

apt-get install inotify-tools libinotifytools0 sed

Get the latest maldetect version:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*

Now modify the install.sh script so that it does NOT install the bundled LMD inotify library:

sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh

Modify internals.conf to use the Debian inotifywait:

sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf

Now you can run the install.sh script:

./install.sh

You should see output like this:

Linux Malware Detect v1.4.2
 (C) 2002-2013, R-fx Networks <proj@r-fx.org>
 (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(2988): {sigup} performing signature update check...
maldet(2988): {sigup} local signature set is version 201205035915
maldet(2988): {sigup} new signature set (2014101812009) available
maldet(2988): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
maldet(2988): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
maldet(2988): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
maldet(2988): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
maldet(2988): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
maldet(2988): {sigup} signature set update completed
maldet(2988): {sigup} 11791 signatures (9899 MD5 / 1892 HEX)

Modify LMD for use with ISPConfig

Modify /etc/cron.daily/maldet so the daily scan covers the websites hosted with ISPConfig:

sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
 elif [ -d "/usr/local/ispconfig" ]; then\
 # ispconfig\
 /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' /etc/cron.daily/maldet
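Because sed -i exits 0 even when its pattern matches nothing, each of the three edits above (install.sh, files/internals.conf and /etc/cron.daily/maldet) is worth verifying before you run install.sh and before you trust the cron job. The script below is an added example, not part of this tutorial and not LMD project code: it wraps the same three edits in functions that check their own result, and it includes constructed stand-ins for the three files so the functions can be tried offline. The stand-ins only imitate the lines the edits touch; the real LMD 1.4.2 files differ elsewhere. set_kv also works for the key=value lines in conf.maldet.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands and not LMD project code):
# apply the tutorial's three Debian edits and verify each one. "sed -i" exits 0
# when its pattern matches nothing, so an unverified no-op would leave LMD
# pointing at the bundled 32-bit inotifywait with no hint from the install step.
set -u

# Succeed only if FILE ($1) has a line matching the extended regex PATTERN ($2).
must_match() {
    grep -Eq -- "$2" "$1" || { echo "FAIL: /$2/ not found in $1" >&2; return 1; }
}

# Edit 1: comment out the install.sh line that copies libinotifytools.so.0 to /usr/lib.
disable_bundled_inotify() {
    f="$1"
    sed -r -i 's/^(.*cp.*\/libinotifytools\.so\.0[ ]+\/usr\/lib\/.*)$/#\1/' "$f" || return 1
    must_match "$f" '^#.*cp.*libinotifytools\.so\.0' || return 1
    # No active copy line may remain, or the 32-bit library still lands in /usr/lib.
    ! grep -Eq '^[^#]*cp.*libinotifytools\.so\.0' "$f" ||
        { echo "FAIL: bundled inotify copy still active in $f" >&2; return 1; }
}

# Edit 2 (also usable for conf.maldet): set KEY=VALUE in a key=value file.
# Refuses to run when KEY is absent, so a mistyped key cannot leave the default in place.
set_kv() {
    f="$1"; key="$2"; val="$3"
    must_match "$f" "^$key=" || return 1
    esc=$(printf '%s' "$val" | sed 's/[\/&]/\\&/g')   # escape / and & for the replacement
    sed -r -i "s/^$key=.*\$/$key=$esc/" "$f" || return 1
    grep -Fxq "$key=$val" "$f" || { echo "FAIL: $key not set in $f" >&2; return 1; }
}

# Edits 1+2 together, run on the unpacked tarball BEFORE ./install.sh.
patch_source_tree() {
    disable_bundled_inotify "$1/install.sh" &&
    set_kv "$1/files/internals.conf" inotify /usr/bin/inotifywait
}

# Edit 3, run AFTER install: add an ISPConfig branch right after the Plesk scan line.
add_ispconfig_branch() {
    f="$1"
    must_match "$f" 'maldet.*/var/www/vhosts/\?/subdomains/\?/httpdocs' || return 1
    sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
 elif [ -d "/usr/local/ispconfig" ]; then\
 # ispconfig\
 /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' "$f" || return 1
    must_match "$f" '^ *elif \[ -d "/usr/local/ispconfig" \]; then$' || return 1
    must_match "$f" '^ */usr/local/maldetect/maldet -b -r /var/www 2 ' || return 1
}

# Constructed stand-ins for the real files (only the lines the edits touch are imitated).
make_fixture() {
    mkdir -p "$1/files"
    printf '%s\n' '#!/bin/bash' 'inspath=/usr/local/maldetect' \
        'cp -f files/internals/inotify/libinotifytools.so.0 /usr/lib/' \
        'cp -f files/internals/inotify/inotifywait $inspath/internals/inotify/' > "$1/install.sh"
    printf '%s\n' 'inotify=$inspath/internals/inotify/inotifywait' 'sedbin=/bin/sed' \
        > "$1/files/internals.conf"
    printf '%s\n' '#!/bin/sh' 'if [ -d "/usr/local/cpanel" ]; then' ' # cpanel' \
        ' /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1' \
        'elif [ -d "/usr/local/psa" ]; then' ' # plesk' \
        ' /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs,/var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1' \
        'else' ' /usr/local/maldetect/maldet -b -r /home?/?/public_html,/var/www/html 2 >> /dev/null 2>&1' \
        'fi' > "$1/cron.maldet"
}
```

Against a real tree, call patch_source_tree maldetect-1.4.2 before ./install.sh and add_ispconfig_branch /etc/cron.daily/maldet afterwards. A non-zero exit with a FAIL line means the upstream file no longer contains the line the pattern expects, so the edit has to be redone by hand rather than assumed.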

Change the Linux Malware Detect config parameters

These are the parameters that I change:

vi /usr/local/maldetect/conf.maldet
email_alert=1
email_addr="my@email.com"
quar_hits=1
maxfilesize="1024k"

The configuration file is fully commented, so you should be able to make out most options, but here is what my changes do.

email_alert
This is the top-level toggle for the e-mail alert system; it must be turned on if you want to receive alerts.

email_addr
This is a comma-separated list of e-mail addresses that should receive alerts.

quar_hits
This tells LMD to move detected malware into the quarantine path and strip it of all permissions. Files are fully restorable to their original path, owner and permissions with the --restore FILE option.

maxfilesize
The maximum size a file may have to be included in the scan results. Malware is usually not over 1MB.

Run maldetect in monitor mode

If you want to run LMD in monitor mode, edit /usr/local/maldetect/maldetfilelist and add the paths you want to monitor:

vi /usr/local/maldetect/maldetfilelist

Run maldetect in monitor mode:

/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist

To run it on boot, edit /etc/rc.local and add the line above.
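The bare maldet -m line works once the prerequisites of monitor mode hold, and on Debian the usual reason it fails is the one this tutorial fixes: the inotify= entry in internals.conf still points at the bundled 32-bit binary. The helper below is an added example for /etc/rc.local, not part of the tutorial and not LMD code. It assumes LMD is installed under /usr/local/maldetect with internals.conf next to maldet (the 1.4.2 layout), checks that the configured inotifywait is executable and that the file list names at least one existing directory, and only then starts the monitor in the background with its output logged. The config path, file list, maldet binary and log path are parameters so the checks can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not from the tutorial or the LMD project: start LMD monitor mode
# only after checking what makes it fail silently on Debian. Assumption: LMD is
# installed under LMD_HOME with internals.conf beside maldet.
set -u
LMD_HOME="${LMD_HOME:-/usr/local/maldetect}"

# Print the inotify binary path configured in an internals.conf, quotes stripped.
# An unpatched file still reads inotify=$inspath/internals/inotify/inotifywait,
# which is not a path that exists on disk and therefore fails the check below.
inotify_path() {
    sed -n 's/^inotify=//p' "$1" | tr -d '"' | head -n 1
}

# Return 0 if monitor mode can start with INTERNALS ($1) and FILELIST ($2),
# 1 otherwise, printing a reason for each failed check to stderr.
check_monitor_prereqs() {
    internals="$1"; filelist="$2"; ok=0
    bin=$(inotify_path "$internals")
    if [ -z "$bin" ]; then
        echo "no inotify= line in $internals" >&2; ok=1
    elif [ ! -x "$bin" ]; then
        echo "configured inotifywait is not executable: $bin" >&2; ok=1
    fi
    if [ ! -s "$filelist" ]; then
        echo "empty or missing file list: $filelist" >&2; ok=1
    else
        n=0
        while IFS= read -r p; do
            case "$p" in ''|'#'*) continue ;; esac   # skip blank and comment lines
            if [ -d "$p" ]; then n=$((n + 1)); else echo "not a directory, skipped: $p" >&2; fi
        done < "$filelist"
        [ "$n" -gt 0 ] || { echo "file list names no existing directory" >&2; ok=1; }
    fi
    return $ok
}

# rc.local entry point: run the checks, then launch maldet -m in the background and
# print its PID. Arguments: [internals.conf] [file list] [maldet binary] [log file].
start_monitor() {
    internals="${1:-$LMD_HOME/internals.conf}"
    filelist="${2:-$LMD_HOME/maldetfilelist}"
    maldet="${3:-$LMD_HOME/maldet}"
    log="${4:-/var/log/maldet-monitor.log}"
    check_monitor_prereqs "$internals" "$filelist" || return 1
    "$maldet" -m "$filelist" >> "$log" 2>&1 &
    echo $!
}
```

In /etc/rc.local, source this file and call start_monitor with no arguments; a failed check leaves a line in the boot log explaining why the monitor did not start, which is considerably easier to notice than a monitor that appears to run but never sees a file event.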

Linux Malware Detect: https://www.rfxn.com/projects/linux-malware-detect/

Nikola Stojanoski

System Administrator and Developer. Giving back to the community by blogging about my problems, solutions and practical how-tos.