Install maldetect Linux Malware Detect on CentOS/RHEL, Debian, Ubuntu

Overview

Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, that is designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detecting it. Threat data is also derived from user submissions made with the LMD checkout feature and from malware community resources. The signatures LMD uses are MD5 file hashes and HEX (byte) pattern matches; they are also easily exported to other detection tools such as ClamAV.
The defining difference with LMD is that it doesn’t just detect malware based on signatures/hashes that someone else generated; it is an encompassing project that actively tracks in-the-wild threats and generates signatures from the real-world samples currently circulating. Source: http://www.rfxn.com/projects/linux-malware-detect/
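To make the two signature types described above concrete, here is a minimal scanner written for this article (it is not LMD's code; LMD keeps its real signatures in its own data files). The MD5 list is built by hashing a "captured" sample, which is how a hash signature comes into existence in the first place, and the hex list holds one constructed byte pattern, the string eval(base64_decode( as it appears in many obfuscated PHP droppers. The function names and sample files are all constructed for the demo.

```shell
#!/bin/sh
# Toy scanner illustrating LMD-style MD5 and HEX signatures.
# Constructed example for this article; not LMD's code.
set -u

# Hypothetical MD5 signature list: one hash per line, as md5sum prints it.
# Starts empty; add_md5_signature fills it from a captured sample.
SIG_MD5_LIST=""

# Hypothetical hex pattern list: lowercase hex byte sequences, no spaces.
# 6576616c286261736536345f6465636f646528 is "eval(base64_decode(".
SIG_HEX_LIST="6576616c286261736536345f6465636f646528"

file_md5() { md5sum "$1" | cut -d' ' -f1; }

# Dump a file as one continuous lowercase hex string so a byte pattern can be
# matched with a plain glob, independent of line breaks or binary content.
file_hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# add_md5_signature PATH: hash a captured sample and add it to the list.
add_md5_signature() {
    SIG_MD5_LIST="$SIG_MD5_LIST
$(file_md5 "$1")"
}

# scan_file PATH: prints "HIT md5|hex PATH" and returns 0 on a match,
# prints "CLEAN PATH" and returns 1 otherwise. Hash match is tried first
# because it is exact and cheap; the hex scan catches variants whose hash
# differs but which still carry the pattern.
scan_file() {
    f=$1
    h=$(file_md5 "$f")
    if printf '%s\n' "$SIG_MD5_LIST" | grep -qx "$h"; then
        echo "HIT md5 $f"; return 0
    fi
    hex=$(file_hex "$f")
    for sig in $SIG_HEX_LIST; do
        case $hex in *"$sig"*) echo "HIT hex $f"; return 0;; esac
    done
    echo "CLEAN $f"; return 1
}

# scan_dir DIR: scan the regular files directly under DIR (no recursion)
# and print a hit count on the last line.
scan_dir() {
    hits=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if scan_file "$f"; then hits=$((hits + 1)); fi
    done
    echo "hits=$hits"
}

# Usage sketch (paths are hypothetical):
#   add_md5_signature /root/captured_sample.bin
#   scan_dir /home/user/public_html
```

The hex match is done on the whole file so a pattern split across lines is still found; a production scanner would stream large files rather than hold the full hex dump in a variable, which is why LMD caps scanned file sizes (see the maxfilesize setting below).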

Install maldetect Linux Malware Detect on CentOS/RHEL, Debian, Ubuntu

Download the latest release and untar it


# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzf maldetect-current.tar.gz

Change to the maldetect directory and run the install script.


# cd maldetect-*
# ./install.sh

The installer will update the signature set and install the following files:

config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

To update the program itself to the latest version:


# maldet --update-ver

The signatures are updated daily by the maldet script under cron.daily; if you wish to update them manually, run:


# maldet --update

Next, let's configure email alerts and some other maldet features, such as quarantining any malware found and sending us an alert.


# vi /usr/local/maldetect/conf.maldet

Make these changes according to your environment, replacing email_addr with your own email address. Later LMD releases renamed some of these options (for example quar_hits became quarantine_hits), so use the option names found in the conf.maldet your installer wrote.


email_alert=1
email_subj="maldet alert from maldet@linuxdrops.com"
email_addr="ryan@linuxdrops.com"
quar_hits=1
maxfilesize="10240k"

The maldet script under cron.daily has some default configuration that can be changed as per your environment. By default it will:
check for new signature definitions,
send the daily inotify alert to the email address defined in the conf file, and
if inotify monitoring isn't running, scan files changed over the last 2 days under /home?/?/public_html (? being a wildcard).

maldet can also be started as a daemon in monitor mode, which uses inotify to watch the given directories in real time. The monitor flag takes one of three argument types:

-m, --monitor USERS|PATHS|FILE
USERS: monitor the home directories of users with UIDs > 500, e.g. maldet --monitor users

FILE: paths are read from the file, one per line, e.g. maldet --monitor /root/monitor_paths

PATHS: a comma-separated list of paths, NO WILDCARDS, e.g. maldet --monitor /home/mike,/home/ashton

I wish to monitor the /opt, /sbin and /var directories, so I would start maldet in real-time monitor mode like this:


# maldet -m /opt,/var,/sbin
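The configuration and monitor steps above can be scripted for repeatable deployments. The following helpers were written for this article and are not part of LMD: set_conf rewrites a key in conf.maldet (appending it if missing, so the script can be re-run), configure_alerts applies the settings shown earlier, and monitor_arg builds the comma-separated list for maldet -m while rejecting relative paths, missing directories and wildcard characters, which that form does not accept. The sample config in the test is constructed; CONF defaults to LMD's real path and can be overridden for a dry run.

```shell
#!/bin/sh
# Non-interactive conf.maldet editing and monitor-path checking.
# Added example for this article; helper names are my own, not LMD's.
set -u

CONF=${CONF:-/usr/local/maldetect/conf.maldet}

# set_conf KEY VALUE [FILE]: replace the KEY=... line in place, or append it
# if the key is absent. Re-running with the same value changes nothing.
set_conf() {
    key=$1; val=$2; file=${3:-$CONF}
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$val|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$val" >> "$file"
    fi
}

# get_conf KEY [FILE]: print the current value with surrounding quotes removed.
get_conf() {
    sed -n "s|^$1=||p" "${2:-$CONF}" | tail -n1 | tr -d '"'
}

# configure_alerts ADDRESS [FILE]: the changes made to conf.maldet above.
# Option names follow this article's LMD version; newer releases renamed some.
configure_alerts() {
    addr=$1; file=${2:-$CONF}
    set_conf email_alert 1 "$file"
    set_conf email_subj "\"maldet alert from maldet@$(hostname)\"" "$file"
    set_conf email_addr "\"$addr\"" "$file"
    set_conf quar_hits 1 "$file"
    set_conf maxfilesize '"10240k"' "$file"
}

# monitor_arg DIR...: join directories into the list that `maldet -m` expects.
# Fails (exit 1) on relative paths, glob characters, commas and missing
# directories, since maldet takes the list literally and without wildcards.
monitor_arg() {
    out=""
    for p in "$@"; do
        case $p in
            /*) ;;
            *) echo "monitor_arg: not an absolute path: $p" >&2; return 1;;
        esac
        case $p in
            *[*?[]*|*,*) echo "monitor_arg: wildcard or comma in: $p" >&2; return 1;;
        esac
        [ -d "$p" ] || { echo "monitor_arg: no such directory: $p" >&2; return 1; }
        out="${out:+$out,}$p"
    done
    printf '%s\n' "$out"
}

# Usage once LMD is installed (kept as comments so this file can be sourced):
#   configure_alerts ryan@linuxdrops.com
#   maldet -m "$(monitor_arg /opt /var /sbin)"
```

Because monitor_arg refuses glob characters, a mistaken `/home/*` is caught before maldet is started rather than silently watching nothing; for per-user wildcards use the USERS form instead.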

If the monitor fails to start with an error like this:

“{mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.”

the inotifywait binary bundled with LMD is 32-bit and needs the 32-bit C library. Install one of the following packages (on Debian/Ubuntu the equivalent package is libc6-i386) and try again.


# yum install glibc.i686

or


# yum install glibc.i386
