Linux Malware Detect is an open source malware scanner designed to detect threats found in a shared web hosting environment. It's signature-based, sharing the same virus definition format as ClamAV. It will actually use clamscan, if available, as the scanning engine for increased performance. It can also clean up infected HTML or PHP files in some cases. I've installed it on both a Debian Lenny server and a CentOS 5.7 system, with no difficulty.
Installation
Installing Linux Malware Detect:
$ cd /usr/src
$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ tar zxvf maldetect-current.tar.gz
$ cd maldetect-1.4.1
$ sudo ./install.sh
First Scan
By default, maldet installs a cron job to /etc/cron.daily/. This cron job will scan common web site directories each day for files created in the last 2 days. It looks for the presence of installed hosting control panels and scans accordingly. Review this file and ensure it will work in your environment. It can also be set up to scan new files on demand through either inotify or modsecurity for Apache.
Since the cron job only scans the most recently created files, it's a good idea to do a full scan of the web root by hand:
$ sudo /usr/local/maldetect/maldet -b -a /var/www/vhosts/
To follow the progress, watch the scan log like this:
$ sudo tail -f /usr/local/maldetect/event_log
Jul 19 10:38:38 www4 maldet(19848): {scan} launching scan of /var/www/vhosts/ to background, see /usr/local/maldetect/event_log for progress
Jul 19 10:38:39 www4 maldet(19848): {scan} signatures loaded: 9649 (7782 MD5 / 1867 HEX)
Jul 19 10:39:39 www4 maldet(19848): {scan} building file list for /var/www/vhosts/, this might take awhile...
Jul 19 10:39:07 www4 maldet(19848): {scan} file list completed, found 56291 files...
Jul 19 10:39:07 www4 maldet(19848): {scan} found ClamAV clamscan binary, using as scanner engine...
Jul 19 10:39:07 www4 maldet(19848): {scan} scan of /var/www/vhosts/ (56291 files) in progress...
Jul 19 10:39:32 www4 maldet(19848): {scan} scan completed on /var/www/vhosts/: files 56291, malware hits 0, cleaned hits 0
Jul 19 10:39:32 www4 maldet(19848): {scan} scan report saved, to view run: maldet --report 071912-1038.19848
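Tailing the event log is fine for a one-off scan, but for the daily cron run you want something that reads the log and tells you whether any scan actually found malware and which report id to pull up with maldet --report. The following parser is an added example written for this post; it is not part of Linux Malware Detect and relies only on the line format visible in the log above. The first four sample lines are taken from that log; the last two, with non-zero hits, are constructed to exercise the alerting path.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample event_log content. The "19848" lines are quoted from the scan shown in
# the post; the "20111" lines are constructed to show a scan that found hits.
SAMPLE_LOG = """\
Jul 19 10:38:39 www4 maldet(19848): {scan} signatures loaded: 9649 (7782 MD5 / 1867 HEX)
Jul 19 10:39:07 www4 maldet(19848): {scan} file list completed, found 56291 files...
Jul 19 10:39:32 www4 maldet(19848): {scan} scan completed on /var/www/vhosts/: files 56291, malware hits 0, cleaned hits 0
Jul 19 10:39:32 www4 maldet(19848): {scan} scan report saved, to view run: maldet --report 071912-1038.19848
Jul 20 03:15:02 www4 maldet(20111): {scan} scan completed on /var/www/vhosts/: files 56305, malware hits 3, cleaned hits 1
Jul 20 03:15:02 www4 maldet(20111): {scan} scan report saved, to view run: maldet --report 072012-0315.20111
"""

# Generic shape of a maldet event_log line: timestamp, host, "maldet(PID): {kind} message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"maldet\((?P<pid>\d+)\): \{(?P<kind>\w+)\} (?P<msg>.*)$"
)
# The summary line written when a scan finishes.
COMPLETED_RE = re.compile(
    r"scan completed on (?P<path>\S+): files (?P<files>\d+), "
    r"malware hits (?P<hits>\d+), cleaned hits (?P<cleaned>\d+)"
)
# The line that names the report id for "maldet --report".
REPORT_RE = re.compile(r"to view run: maldet --report (?P<report>\S+)")


@dataclass
class ScanResult:
    pid: int
    host: str
    path: str
    files: int
    hits: int
    cleaned: int
    report_id: Optional[str] = None

    @property
    def needs_attention(self) -> bool:
        # Any hit is worth a look, even one maldet cleaned: you still want to
        # know how the file got there.
        return self.hits > 0


def parse_event_log(text: str) -> List[ScanResult]:
    """Return one ScanResult per completed scan, keyed on the maldet PID."""
    results: Dict[int, ScanResult] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("kind") != "scan":
            continue
        pid = int(m.group("pid"))
        msg = m.group("msg")
        done = COMPLETED_RE.search(msg)
        if done:
            results[pid] = ScanResult(
                pid=pid,
                host=m.group("host"),
                path=done.group("path"),
                files=int(done.group("files")),
                hits=int(done.group("hits")),
                cleaned=int(done.group("cleaned")),
            )
            continue
        rep = REPORT_RE.search(msg)
        if rep and pid in results:
            # The report line follows the completion line for the same PID.
            results[pid].report_id = rep.group("report")
    return list(results.values())


def scans_needing_attention(text: str) -> List[ScanResult]:
    """Subset of completed scans that reported one or more malware hits."""
    return [s for s in parse_event_log(text) if s.needs_attention]


if __name__ == "__main__":
    # Read the real log if a path is given, otherwise use the sample above.
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for scan in scans_needing_attention(log_text):
        print(f"{scan.host}: {scan.hits} hit(s) under {scan.path} "
              f"({scan.cleaned} cleaned); run: maldet --report {scan.report_id}")
```

Run it as `python3 maldet_events.py /usr/local/maldetect/event_log` from a cron job after the daily scan and mail yourself the output; an empty result means every completed scan reported zero hits.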
Wrapping Up
Linux Malware Detect does what it says on the tin. It's a valuable addition to a sysadmin's toolbox if you've got any public-facing Linux web servers.