Maldet command switches are what we are discussing in this blog article. Maldet (Linux Malware Detect) is a commonly used malware scanner for Linux servers, and its installation and usage are quite simple.

We have already discussed the Maldet installation steps on a Linux server. Maldet uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks, and generates signatures for detecting it.

This is a useful topic if you manage a Linux server that hosts several domains. The domains hosted on your server (whether a shared server or your own VPS) can become infected with malware.

Normally, tracking down the malware-infected files and directories by hand is hard work.

Using Maldet we can simply list the infected files, and at the same time remove them or quarantine them in a separate location.

A lot of switches and options are available with Maldet. Here I am explaining the switches/options of maldet with examples.

Syntax:

# maldet [options] /path/to/scan

Important switches of maldet:


1, -b, --background

Execute operations in the background, ideal for large scans

Example:

# maldet -b -r /home/crybit/
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(9922): {scan} launching scan of /home/crybit/ changes in last 7d to background, see /usr/local/maldetect/event_log for progress

2, -u, --update

Update malware detection signatures from rfxn.com

3, -d, --update-ver

Update the installed version from rfxn.com

Example:

# maldet -d
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(9997): {update} checking for available updates...
maldet(9997): {update} hashing install files and checking against server...
maldet(9997): {update} version check shows latest but hash check failed, forcing update...
maldet(9997): {update} completed update v1.4.2 => v1.4.2, running signature updates...
maldet(10289): {sigup} performing signature update check...
maldet(10289): {sigup} local signature set is version 201402051649
maldet(10289): {sigup} latest signature set already installed
maldet(9997): {update} update and config import completed.

4, -m, --monitor USERS|PATHS|FILE

Run maldet with inotify kernel-level file create/modify monitoring.
If USERS is specified, monitor user home directories for UIDs > 500.
If FILE is specified, paths will be extracted from the file, one per line. When PATHS are specified, they must be a comma-separated list, NO WILDCARDS!

e.g: maldet --monitor users

e.g: maldet --monitor /root/monitor_paths

e.g: maldet --monitor /home/mike,/home/ashton

Example:

# maldet -m /home/crybit/
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(10347): {mon} set inotify max_user_instances to 128
/usr/local/sbin/maldet: line 1162: /proc/sys/fs/inotify/max_user_instances: Permission denied
maldet(10347): {mon} set inotify max_user_watches to 0
/usr/local/sbin/maldet: line 1164: /proc/sys/fs/inotify/max_user_watches: Permission denied
maldet(10347): {mon} added /home/crybit/ to inotify monitoring array
maldet(10347): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(10347): {mon} inotify startup successful (pid: 10422)
maldet(10347): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log
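Two things in that output are worth checking before relying on the monitor. First, the "Permission denied" lines on /proc/sys/fs/inotify mean maldet could not raise the inotify limits (typical inside an unprivileged container), so the kernel's existing values stay in effect; the monitor still started, but it will silently run out of watches if the limits are low. Second, --monitor refuses wildcards, so a path list has to be expanded before it is handed over. The script below is an added example, not code from the article or from Maldet itself: it turns a comma-separated PATHS list into the line-per-path FILE form, rejects wildcards, prints the current inotify limits and whether they are writable, and writes the file used with maldet -m. The default file location /root/monitor_paths is taken from the article's example; everything else is an assumption of this example.

```sh
#!/bin/sh
# Added example (not from the article or from Linux Malware Detect):
# prepare a --monitor path file and check inotify limits.
MONITOR_FILE=${MONITOR_FILE:-/root/monitor_paths}   # path from the article's example

# Return 0 if a path is acceptable for --monitor: absolute and without ? or * wildcards.
valid_monitor_path() {
  case $1 in
    *\?*|*\**) return 1 ;;   # maldet: NO WILDCARDS in --monitor paths
    /*)        return 0 ;;
    *)         return 1 ;;
  esac
}

# Convert "a,b,c" (the PATHS form) into one path per line (the FILE form).
# Runs in a subshell so IFS and set -f do not leak; fails on the first bad entry.
paths_to_lines() (
  set -f          # never glob-expand a path that slipped through with a wildcard
  IFS=,
  for p in $1; do
    valid_monitor_path "$p" || { echo "rejecting '$p' for --monitor" >&2; exit 1; }
    printf '%s\n' "$p"
  done
)

# Print the inotify limits maldet tried to set, marking ones this process cannot change.
inotify_limits() {
  for k in max_user_instances max_user_watches; do
    f=/proc/sys/fs/inotify/$k
    if [ -r "$f" ]; then
      if [ -w "$f" ]; then tag=''; else tag=' (read-only)'; fi
      printf '%s=%s%s\n' "$k" "$(cat "$f")" "$tag"
    fi
  done
  return 0
}

# Write the path file and print the maldet command to start monitoring it.
write_monitor_file() {
  paths_to_lines "$1" > "$2" || { rm -f "$2"; return 1; }
  echo "maldet -m $2"
}

# Demo on the two user homes from the article's example (no file written here).
paths_to_lines /home/mike,/home/ashton
inotify_limits
```

Running `write_monitor_file /home/mike,/home/ashton "$MONITOR_FILE"` writes the file and prints the `maldet -m /root/monitor_paths` command to run; a list containing `/home/?/public_html` is rejected instead of being passed to maldet, where the wildcard would be taken literally.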

5, -k, --kill

Terminate inotify monitoring service

Example:

# maldet -k
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(10471): {mon} sent kill to monitor service

6, -r, --scan-recent PATH DAYS

Scan files created/modified in the last X days (default: 7d, wildcard: ?)
e.g: maldet -r /home/?/public_html 2

7, -a, --scan-all PATH

Scan all files in path (default: /home, wildcard: ?)
e.g: maldet -a /home/?/public_html

8, -c, --checkout FILE

Upload suspected malware to rfxn.com for review and hashing into signatures. This sends the file contents off your server, so check that the file holds no customer data or credentials before submitting it.

9, -l, --log

View maldet log file events.

Example:

# maldet -l
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

Feb 06 02:38:28 jishnu maldet(10347): {mon} set inotify max_user_watches to 0
Feb 06 02:38:28 jishnu maldet(10347): {mon} added /home/crybit/ to inotify monitoring array
Feb 06 02:38:28 jishnu maldet(10347): {mon} starting inotify process on 1 paths, this might take awhile...
Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify startup successful (pid: 10422)
Feb 06 02:38:30 jishnu maldet(10347): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log
Feb 06 02:39:43 jishnu maldet(10471): {mon} sent kill to monitor service
Feb 06 02:40:00 jishnu maldet(10347): {mon} monitoring terminated by user, inotify killed.
Feb 06 02:41:00 jishnu maldet(10550): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:00 jishnu maldet(10550): {scan} building file list for /home/crybit/ of new/modified files from last 1 days, this might take awhile...
Feb 06 02:41:00 jishnu maldet(10550): {scan} scan returned zero results, please increase days range or provide a new path.
Feb 06 02:41:11 jishnu maldet(10615): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:41:11 jishnu maldet(10615): {scan} building file list for /home/crybit/ of new/modified files from last 2 days, this might take awhile...
Feb 06 02:41:11 jishnu maldet(10615): {scan} scan returned zero results, please increase days range or provide a new path.

10, -e, --report SCANID email

View the scan report of the most recent scan or of a specific SCANID, and optionally e-mail the report to a supplied e-mail address.

e.g: maldet --report

e.g: maldet --report list

e.g: maldet --report 050910-1534.21135

e.g: maldet --report SCANID EMAIL

11, -s, --restore FILE|SCANID

Restore a file from the quarantine queue to its original path, or restore all items from a specific SCANID
e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
e.g: maldet --restore 050910-1534.21135

12, -q, --quarantine SCANID

Quarantine all malware from report SCANID
e.g: maldet --quarantine 050910-1534.21135

13, -n, --clean SCANID

Try to clean & restore malware hits from report SCANID
e.g: maldet --clean 050910-1534.21135
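The scan, log, report and quarantine switches above are normally used together: run a scan, read the result from the event log, and quarantine the hits from the saved report's SCANID. The -l output earlier in this article also shows the failure mode to handle: a -r scan over too short a range logs "scan returned zero results" and saves no report at all. The script below is an added example, not code from the article or from Maldet: it classifies the last scan recorded in the event log as empty, clean, or hits, and in the last case runs maldet -q on the matching SCANID. The event_log path comes from the article's own -b output. The "scan completed on ..." and "scan report saved, to view run: maldet --report SCANID" lines in the constructed sample are modeled on LMD 1.4 log output and are not shown on this page, so check them against your own event_log and adjust the sed patterns if your version words them differently.

```sh
#!/bin/sh
# Added example (not from the article or from Linux Malware Detect):
# classify the most recent scan in maldet's event_log and quarantine its hits.
EVENT_LOG=/usr/local/maldetect/event_log   # path shown in the article's -b output

# Constructed event_log excerpt for the offline demo: the first two lines are from
# the article, the rest are modeled on LMD 1.4 output (assumption, not from the page).
SAMPLE_LOG='Feb 06 02:41:11 jishnu maldet(10615): {scan} building file list for /home/crybit/ of new/modified files from last 2 days, this might take awhile...
Feb 06 02:41:11 jishnu maldet(10615): {scan} scan returned zero results, please increase days range or provide a new path.
Feb 06 02:45:00 jishnu maldet(10700): {scan} signatures loaded: 11552 (9668 MD5 / 1884 HEX)
Feb 06 02:45:00 jishnu maldet(10700): {scan} building file list for /home/crybit/ of new/modified files from last 30 days, this might take awhile...
Feb 06 02:45:09 jishnu maldet(10700): {scan} scan completed on /home/crybit/: files 812, malware hits 2, cleaned hits 0
Feb 06 02:45:09 jishnu maldet(10700): {scan} scan report saved, to view run: maldet --report 140206-0245.10700'

# SCANID of the last saved report in the log text on stdin (empty if none).
latest_scan_id() {
  sed -n 's/.*{scan} scan report saved, to view run: maldet --report \([0-9.-]*\).*/\1/p' | tail -n 1
}

# Malware hit count of the last completed scan in the log text on stdin (empty if none).
latest_hit_count() {
  sed -n 's/.*{scan} scan completed on .*: files [0-9]*, malware hits \([0-9]*\),.*/\1/p' | tail -n 1
}

# Classify log text on stdin as "empty", "clean", "hits <n> <scanid>" or "unknown".
classify_scan() {
  log=$(cat)
  last=$(printf '%s\n' "$log" | grep '{scan}' | tail -n 1)
  case $last in
    *"scan returned zero results"*) echo empty; return 0 ;;   # -r range too short, no report saved
  esac
  hits=$(printf '%s\n' "$log" | latest_hit_count)
  [ -n "$hits" ] || { echo unknown; return 1; }
  if [ "$hits" -eq 0 ]; then
    echo clean
  else
    echo "hits $hits $(printf '%s\n' "$log" | latest_scan_id)"
  fi
}

# Foreground -r scan of PATH over DAYS, then act on the result; needs maldet installed.
scan_and_quarantine() {
  path=$1; days=${2:-7}
  command -v maldet >/dev/null 2>&1 || { echo "maldet not installed" >&2; return 2; }
  maldet -r "$path" "$days" >/dev/null 2>&1 || true   # foreground, so the log is complete afterwards
  result=$(tail -n 50 "$EVENT_LOG" | classify_scan)
  case $result in
    empty) echo "nothing changed under $path in last $days days; widen the range or use -a" ;;
    clean) echo "scan of $path is clean" ;;
    hits*) set -- $result; echo "$2 hit(s) in scan $3, quarantining"; maldet -q "$3" ;;
    *)     echo "could not parse $EVENT_LOG" >&2; return 1 ;;
  esac
}

# Offline demo on the constructed excerpt:
printf '%s\n' "$SAMPLE_LOG" | classify_scan   # hits 2 140206-0245.10700
```

On a real host, `scan_and_quarantine /home/crybit 2` reproduces the article's -r run and only calls `maldet -q` when a report with hits was actually saved; after quarantining, `maldet --report SCANID` lists what was moved and `maldet --restore` brings a false positive back.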

14, -U, --user USER

Set execution under the specified user, ideal for restoring from a user quarantine or viewing user reports.
e.g: maldet --user nobody --report
e.g: maldet --user nobody --restore 050910-1534.21135

15, -p, --purge

Clear logs, quarantine queue, session and temporary data.

That’s it!! 🙂 These are the main maldet command switches for Linux servers.
