Scanning for malware with Linux Malware Detect (LMD)

Posted:  May 14th, 2016

 

Linux Malware Detect (LMD), also known as Maldet, is a malware scanner for Linux released under the GNU GPLv2 license. It is particularly effective for the detection of php backdoors, darkmailers and many other malicious files that can be uploaded on a compromised website. It will help you do detect infected websites and clean the infection, however securing the compromised user or website is still necessary to avoid re-infection.

 

If the server has cPanel , we recommend you install ClamAV first, as maldet will use the ClamAV scan engine. ClamAV installation instructions are available here.

 

You will need to be logged in as root to the server over SSH.

 

1)  Install maldet

 

cd /usr/local/src/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz && tar -xzvf maldetect-current.tar.gz && cd maldetect-* && sh install.sh

 

This will automatically install a cronjob inside /etc/cron.daily/maldet so a daily scan will be run for local cPanel or Plesk accounts.

 

2)  Make sure to update to the latest version and virus signatures:

 

    maldet -d && maldet -u

 

3)  Run the first scan manually

 

To scan a specific user's home directory, run the following command:

 

     maldet -a /home/user

 

To launch a background scan for all user's public_html and public_ftp in all home directories, run the following command:

 

   maldet -b --scan-all /home?/?/public_?

 

 

(We also recommend you to scan /tmp and /dev/shm/)

 

4)  Verify the scan report

 

We recommend you to always read the scan reports before doing a quarantine. You will also be able to identify infected websites for further actions.

 

List all scan reports time and SCANID:

 

    maldet --report list

 

Show a specific report details :

 

    maldet --report SCANID

 

Show all scan details from log file:

 

    grep "{scan}" /usr/local/maldetect/event_log

 

 

5)  Clean the malicious files

 

By default the quarantine is disabled. You will have to launch it manually.

 

    maldet -q SCANID

 

6)  (optional) Automatically quarantine detected malware

 

Please review these configuration variables in /usr/local/maldetect/conf.maldet

variable     value     description

quar_hits     number     if the number is different than 0, enables automatic quarantine

 

7)  (optional) Configure scan reports e-mail alerts

 

Maldet can send you and email alert each time it detects malware. Please review these configuration variables in /usr/local/maldetect/conf.maldet

variable     value     description

email_alert     1 or 0     enable or disable e-mail alerts

email_addr      e-mail address      target e-mail for notifications, should be put in quotes like: "myuser@mydomain.com"

 

More information is available: /usr/local/maldetect/conf.maldet or https://www.rfxn.com/projects/linux-malware-detect/