What is Malware?
Malware is called malicious software, script or code which is created and used by hackers to retrieve information of private data or gain access to any private computer systems. Malware can be trojans, viruses, spyware, adware, rootkits or any other malicious programs which can be very harmful to any computer user.
What is Linux Malware Detect (LMD)?
Linux Malware Detect (LMD) is an open source and free malware scanner and detector for Unix/Linux based operating systems, released under GNU GPLv2. It is designed to figure out threats faced by shared hosting environments. For more information and features visit athttp://www.rfxn.com/projects/linux-malware-detect/.
Installing Linux Malware Detect (LMD) in RHEL, CentOS and Fedora
Step 1: Downloading Linux Malware Detect (LMD)
Downloading latest LMD package using following wget command.
# cd /tmp # wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Step 2: Installing LMD
Installation and Configuration of LMD is a bit easy task, just follow below steps as root user.
# tar xfz maldetect-current.tar.gz # cd maldetect-* # ./install.sh
Sample Output
Linux Malware Detect v1.4.1 (C) 2002-2011, R-fx Networks (C) 2011, Ryan MacDonald inotifywait (C) 2007, Rohan McGovern This program may be freely redistributed under the terms of the GNU GPL installation completed to /usr/local/maldetect config file: /usr/local/maldetect/conf.maldet exec file: /usr/local/maldetect/maldet exec link: /usr/local/sbin/maldet exec link: /usr/local/sbin/lmd cron.daily: /etc/cron.daily/maldet maldet(3092): {sigup} performing signature update check... maldet(3092): {sigup} local signature set is version 201205035915 maldet(3092): {sigup} new signature set (2012071115632) available maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz maldet(3092): {sigup} signature set update completed maldet(3092): {sigup} 9649 signatures (7782 MD5 / 1867 HEX)
Step 3: Configuring LMD
By default all options are fully commented in the configuration file, so configure it according to your needs. But before making any changes let’s have a detailed review of each option below.
- email_alert : If you would like to receive email alerts, then it should be set to 1.
- email_subj : Set your email subject here.
- email_addr : Add your email address to receive malware alerts.
- quar_hits : The default quarantine action for malware hits, it should be set 1.
- quar_clean : Cleaing detected malware injections, must set to 1.
- quar_susp : The default suspend action for users wih hits, set it as per your requirements.
- quar_susp_minuid : Minimum userid that can be suspended.
Open file /usr/local/maldetect/conf.maldet and make changes according to your needs.
# vi /usr/local/maldetect/conf.maldet
Sample Configuration
Here is the my sample configuration file.
# [ EMAIL ALERTS ] ## # The default email alert toggle # [0 = disabled, 1 = enabled] email_alert=1 # The subject line for email alerts email_subj="maldet alert from $(hostname)" # The destination addresses for email alerts # [ values are comma (,) spaced ] email_addr="[email protected]" # Ignore e-mail alerts for reports in which all hits have been cleaned. # This is ideal on very busy servers where cleaned hits can drown out # other more actionable reports. email_ignore_clean=0 ## # [ QUARANTINE OPTIONS ] ## # The default quarantine action for malware hits # [0 = alert only, 1 = move to quarantine & alert] quar_hits=1 # Try to clean string based malware injections # [NOTE: quar_hits=1 required] # [0 = disabled, 1 = clean] quar_clean=1 # The default suspend action for users wih hits # Cpanel suspend or set shell /bin/false on non-Cpanel # [NOTE: quar_hits=1 required] # [0 = disabled, 1 = suspend account] quar_susp=0 # minimum userid that can be suspended quar_susp_minuid=500
Step 4: Manual Scans and Usage
If you would like to scan user’s Home directory, then simply issue following command.
# maldet --scan-all /home
You performed a scan but failed to turn on the quarantine option, don’t worry just use the following command to turn on and quarantine all previous malware scan results.
# maldet --quarantine SCANID OR # maldet --clean SCANID
Step 5: Daily Scans
By default installation keeps LMD script under /etc/cron.daily/maldet and it is used to perform a daily scans, update of signatures, quarantine etc, and sends a daily report of malware scan to your specified emails. If you need to add additional paths to be scanned, then you should edit this file accordingly to your requirements.
# vi /etc/cron.daily/maldet
If you like this article, please share with your friends and do leave comments.