Debian malware detection with Maldetect
If you host multiple websites, this tutorial will help you set up a malware detection tool on Debian so that you find compromised websites yourself instead of learning about them from abuse reports saying that your server is hosting malware.
On a Debian system, Linux Malware Detect (LMD, also called maldetect) will not run in monitor mode out of the box, but scan mode works fine. The steps below fix monitor mode as well.
Prepare your Debian Server and install LMD
Linux Malware Detect ships with its own 32-bit inotifywait binary and the associated libinotifytools library. A 64-bit Debian Wheezy install will not run 32-bit binaries out of the box, so LMD's bundled inotifywait fails to start.
We first install Debian's inotify-tools and libinotifytools0 packages, which put native 64-bit versions of inotifywait and the library on the system, plus sed to edit the configuration files from the command line.
apt-get install inotify-tools libinotifytools0 sed
Get the latest maldetect version:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
Now modify install.sh so that it does NOT copy LMD's bundled 32-bit libinotifytools library over the Debian one (the command comments out the cp line):
sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh
Modify files/internals.conf so that LMD uses Debian's inotifywait instead of its own:
sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf
Now you can run the install.sh script
./install.sh
You should see output like this (the version and signature set numbers will differ on your system):
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(2988): {sigup} performing signature update check...
maldet(2988): {sigup} local signature set is version 201205035915
maldet(2988): {sigup} new signature set (2014101812009) available
maldet(2988): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
maldet(2988): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
maldet(2988): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
maldet(2988): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
maldet(2988): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
maldet(2988): {sigup} signature set update completed
maldet(2988): {sigup} 11791 signatures (9899 MD5 / 1892 HEX)
Modify the LMD for usage with ISPConfig
Modify /etc/cron.daily/maldet so that the daily scan covers the websites hosted with ISPConfig. LMD's cron script chooses its scan paths by detecting the control panel in an if/elif chain; the sed below appends an ISPConfig branch right after the Plesk (psa) line. The branch runs a background scan (-b) of files under /var/www changed in the last 2 days (-r PATH DAYS). Each line of the appended text must end in a backslash, otherwise sed joins them into one line and the "# ispconfig" comment swallows the maldet command:
sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
elif [ -d "/usr/local/ispconfig" ]; then\
# ispconfig\
/usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' /etc/cron.daily/maldet
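The three sed one-liners above (the install.sh and internals.conf edits, and the cron.daily append) give no indication of whether they actually matched anything. The script below is an added example, not code from the LMD project or from this tutorial: it wraps the same edits in functions that verify their result, checking that no active copy of the bundled libinotifytools remains in install.sh, that internals.conf points at /usr/bin/inotifywait, and that the cron script still parses (bash -n) and contains the ISPConfig branch exactly once. The install.sh, internals.conf and cron.daily excerpts it writes into a scratch directory are constructed stand-ins, not the real files; point the functions at the real unpacked tree and at /etc/cron.daily/maldet to apply the edits for real. It assumes GNU sed (Debian's) and bash.

```shell
#!/bin/sh
# Added example (not part of LMD or this tutorial): apply the Debian and
# ISPConfig edits from the page to an unpacked maldetect tree and to a copy
# of /etc/cron.daily/maldet, verifying each edit instead of trusting sed.
# Requires GNU sed and bash (for the syntax check).
set -eu

# Comment out the install.sh line that copies LMD's bundled 32-bit
# libinotifytools.so.0 into /usr/lib, and point files/internals.conf at
# Debian's inotifywait. Returns non-zero if either edit did not take effect.
patch_lmd_tree() {
    tree="$1"
    sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' "$tree/install.sh"
    sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' "$tree/files/internals.conf"
    # Any line that still copies the bundled library without a leading # is a failure.
    if grep -Eq '^[^#]*cp.*/libinotifytools\.so\.0[ ]+/usr/lib/' "$tree/install.sh"; then
        echo "install.sh still copies the bundled libinotifytools" >&2
        return 1
    fi
    grep -q '^inotify=/usr/bin/inotifywait$' "$tree/files/internals.conf"
}

# Append the ISPConfig branch after the Plesk (psa) scan line. Each line of
# the a\ text ends in a backslash; joined into one line, "# ispconfig" would
# turn the maldet command into a comment and the next elif into a syntax error.
add_ispconfig_branch() {
    cron="$1"
    sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
elif [ -d "/usr/local/ispconfig" ]; then\
# ispconfig\
/usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' "$cron"
    bash -n "$cron"                                          # still valid shell?
    [ "$(grep -c '/usr/local/ispconfig' "$cron")" -eq 1 ]    # branch present exactly once
}

# --- Demonstration on constructed stand-ins (not the real LMD files) --------
work="$(mktemp -d)"
mkdir -p "$work/maldetect/files"
cat > "$work/maldetect/install.sh" <<'EOF'
#!/bin/bash
cp -f files/inotify/inotifywait /usr/local/maldetect/inotify/inotifywait
cp -f files/inotify/libinotifytools.so.0 /usr/lib/
EOF
echo 'inotify=/usr/local/maldetect/inotify/inotifywait' > "$work/maldetect/files/internals.conf"
cat > "$work/cron.maldet" <<'EOF'
#!/bin/bash
inspath=/usr/local/maldetect
if [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
    # psa
    $inspath/maldet -b -r /var/www/vhosts/?/httpdocs/,/var/www/vhosts/?/subdomains/?/httpdocs/ 2 >> /dev/null 2>&1
else
    $inspath/maldet -b -r /home?/?/public_html/,/var/www/html/ 2 >> /dev/null 2>&1
fi
EOF

patch_lmd_tree "$work/maldetect"
add_ispconfig_branch "$work/cron.maldet"
echo "edits applied and verified; inspect $work/cron.maldet"
```

On a real server, run patch_lmd_tree on the unpacked maldetect-* directory before ./install.sh, and add_ispconfig_branch on /etc/cron.daily/maldet after it. If a future LMD version changes the psa line, the grep -c check fails and tells you the branch was not inserted rather than leaving you with a cron job that quietly scans the wrong paths.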
Change the Linux Malware Detect config parameters
These are the parameters I changed:
vi /usr/local/maldetect/conf.maldet
email_alert=1
email_addr="[email protected]"
quar_hits=1
maxfilesize="1024k"
The configuration file is fully commented, so you should be able to work out most options yourself, but here is what my changes do.
email_alert
This is a top level toggle for the e-mail alert system, this must be turned on if you want to receive alerts.
email_addr
This is a comma-separated list of e-mail addresses that should receive alerts.
quar_hits
This tells LMD that it should move detected malware into the quarantine path and strip it of all permissions, instead of only reporting it. Quarantined files are fully restorable to their original path, owner and permissions with the --restore FILE option.
maxfilesize
The maximum size for a file to be included in the scan. Web malware such as PHP shells and injected code is usually well under 1 MB, so the cap keeps scan time down; the trade-off is that anything hidden in a larger file is skipped.
Run maldetect in monitor mode
If you want to run LMD in monitor mode, create a file such as /usr/local/maldetect/maldetfilelist (the name is your choice) listing the paths you want monitored, one per line, for example the document roots of your websites.
vi /usr/local/maldetect/maldetfilelist
Run maldetect in monitor mode:
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
To start it at boot, add the same line to /etc/rc.local above its final exit 0 line. Monitor mode only works because of the Debian inotifywait set up earlier; with LMD's bundled 32-bit binary it would not start on a 64-bit system.
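Typing the monitored paths into the list file by hand does not scale past a few sites, and monitor mode fails once the kernel's per-user inotify watch limit (fs.inotify.max_user_watches) is exhausted, because every directory under a monitored path needs its own watch. The script below is an added example, not code from LMD or ISPConfig: it generates the list file from ISPConfig's document-root layout, which is assumed here to be /var/www/clients/clientN/webN/web (pass a different base directory as the first argument if yours differs), counts the directories that would be watched and compares that number with the live kernel limit. The directory tree it builds in a scratch directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of LMD or ISPConfig): build the path list for
# "maldet -m FILE" from ISPConfig-style document roots and check the kernel
# inotify watch limit against the number of directories to be watched.
# Assumed layout: BASE/clientN/webN/web (ISPConfig's /var/www/clients).
set -eu

# Write one document root per line to $2 and print how many were found.
# Returns non-zero if none were found, since there would be nothing to monitor.
build_monitor_list() {
    base="$1"; out="$2"
    find "$base" -mindepth 3 -maxdepth 3 -type d -path '*/client*/web*/web' | sort > "$out"
    n="$(wc -l < "$out" | tr -d ' ')"
    [ "$n" -gt 0 ] || { echo "no document roots found under $base" >&2; return 1; }
    echo "$n"
}

# Count every directory below the listed roots (each root included):
# inotify needs one watch per directory, not per file.
count_watch_dirs() {
    total=0
    while IFS= read -r root; do
        d="$(find "$root" -type d | wc -l | tr -d ' ')"
        total=$((total + d))
    done < "$1"
    echo "$total"
}

# Compare the needed watch count with the live kernel limit. Skips (returns 0)
# when /proc is not readable, e.g. when run outside Linux.
check_watch_limit() {
    needed="$1"
    limit_file=/proc/sys/fs/inotify/max_user_watches
    [ -r "$limit_file" ] || { echo "cannot read $limit_file, skipping check" >&2; return 0; }
    limit="$(cat "$limit_file")"
    if [ "$needed" -ge "$limit" ]; then
        echo "need $needed watches but max_user_watches is $limit; raise it with sysctl" >&2
        return 1
    fi
}

# --- Demonstration on a constructed tree ------------------------------------
demo="$(mktemp -d)"
mkdir -p "$demo/clients/client1/web1/web/wp-content" \
         "$demo/clients/client1/web1/log" \
         "$demo/clients/client2/web3/web"
list="$demo/maldetfilelist"
roots="$(build_monitor_list "$demo/clients" "$list")"
dirs="$(count_watch_dirs "$list")"
echo "$roots document roots, $dirs directories to watch, list written to $list"
check_watch_limit "$dirs"
# On a real server the list is then handed to LMD:
#   /usr/local/maldetect/maldet -m "$list"
```

The log directory next to each web root is deliberately left out of the list: ISPConfig's logs are not served and would only eat watches. If check_watch_limit complains, raise the limit with sysctl and persist it under /etc/sysctl.d before starting monitor mode from rc.local.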
Linux Malware Detect: https://www.rfxn.com/projects/linux-malware-detect/