Why Maldet? This is one of the commonly using Malware detector for Linux servers. The installation and usages of Maldet is quit simple compared to other scanners.
It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.
By using Maldet as your Linux server malware tool, you can simply find-out the infected files from the Linux file system. At the same time we can remove or quarantine the infected file to a different location automatically. Please refer to this link >> Maldet command switches << to get more ideas on how to manage Maldet via Linux CLI.
Installation & Usage of maldet (Malware Detect) on Linux
LMD : Linux Malware Detect is a Malware scanner for Linux servers. Here I’m explaining how to install & use this feature under a Linux based server.
1. How can I install Maldet on server ?
Installation steps are very simple and easy to do. Follow the steps below to install maldet on your server.
Step I: SSH to your server
Step II: Download the tar file and install it.
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz # tar -xzvf maldetect-current.tar.gz # cd maldetect-* # sh install.sh
That’s it. Installation completed.
2. configuration file ?
The configuration file for Maldet is located under /usr/local/maldetect/conf.maldet . Other important files are:
# exec file: /usr/local/maldetect/maldet # exec link: /usr/local/sbin/maldet # exec link: /usr/local/sbin/lmd # cron.daily: /etc/cron.daily/maldet
3. How to USE maldet ?
# maldet -a /path/to/scan OR maldet --scan-all /path/to/scan
3.2 View the scan report
# maldet -e SCAN ID # maldet --report SCAN ID
3.3 Quarantine all malware results from a previous scan
# maldet -q SCAN ID # maldet –quarantine SCANID
3.4 Clean on all malware results from a previous scan
# maldet -n SCAN ID # maldet --clean SCAN ID
3.5 Restore a file that you have already quarantined
# maldet -s FILENAME # maldet --restore FILENAME
Sometime it is not possible to restore by using the file name only. In such condition use the full path where the quarantined files stored, ie /usr/local/maldetect/quarantine
# maldet --restore /usr/local/maldetect/quarantine/FILENAME
4. How to setup Email Alert on Maldet?
Open the configuration file (/usr/local/maldetect/conf.maldet) using your favorite editor (vi, vim, nano etc…) and follow the setting below:
----------------Email Alert---------------- #[0 = disabled, 1 = enabled] email_alert=0 #The subject line for email alerts email_subj="maldet alert from $(hostname)" # The destination addresses for email alerts # [ values are comma (,) spaced ] email_addr="firstname.lastname@example.org" --------------------------------------------
Other useful Maldet options:
This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to original path, owner and permission using the –restore FILE option.
This tells LMD that it should try to clean malware that it has cleaner rules for, at the moment base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to original path, owner and permission.
Using this option allows LMD to suspend a user account that malware is found residing under. On CPanel systems this will pass the user to /scripts/suspendacct and add a comment with the maldet report command to the report that caused the users suspension (e.g: maldet –report SCANID). On non-cpanel systems, the users shell will be set to /bin/false.
This is the minimum user id that will be evaluated for suspension, the default should be fine on most systems.
That’s it, have fun with Maldet. 🙂