Maldet Scan

Scanning for malware with Linux Malware Detect (LMD)

Linux Malware Detect (LMD), also known as Maldet, is a malware scanner for Linux released under the GNU GPLv2 license. It is particularly effective at detecting PHP backdoors, darkmailers and many other malicious files that can be uploaded to a compromised website. It will help you detect infected websites and clean the infection; however, securing the compromised user or website is still necessary to avoid re-infection.

If the server has cPanel, we recommend installing ClamAV first, as maldet will use the ClamAV scan engine if it is installed. ClamAV installation instructions are available here.

You will need to be logged in as root to the server over SSH.

1 - Install maldet

cd /usr/local/src/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz && tar -xzvf maldetect-current.tar.gz && cd maldetect-* && sh install.sh

This will automatically install a cronjob inside /etc/cron.daily/maldet so a daily scan will be run for local cPanel or Plesk accounts.


2 - Make sure to update to the latest version and virus signatures:

maldet -d && maldet -u


3 - Run the first scan manually

To scan a specific user's home directory, run the following command:

maldet -a /home/user


To launch a background scan of the public_html and public_ftp directories of all users in all home directories, run the following command:

maldet -b --scan-all /home?/?/public_?


We also recommend scanning /tmp and /dev/shm/.

4 - Verify the scan report

We recommend always reading the scan reports before quarantining anything. The reports also let you identify infected websites for further action.

List the time and SCANID of all scan reports:

maldet --report list


Show the details of a specific report:

maldet --report SCANID


Show all scan details from the log file:

grep "{scan}" /usr/local/maldetect/event_log


5 - Clean the malicious files

Quarantine is disabled by default, so you have to run it manually against a scan report:

maldet -q SCANID


6 - (optional) Automatically quarantine detected malware

Please review the following configuration variable in /usr/local/maldetect/conf.maldet:

variable     value     description
quar_hits    number    if set to a value other than 0, enables automatic quarantine

7 - (optional) Configure scan report e-mail alerts

Maldet can send you an e-mail alert each time it detects malware. Please review the following configuration variables in /usr/local/maldetect/conf.maldet:

variable      value             description
email_alert   1 or 0            enable or disable e-mail alerts
email_addr    e-mail address    target e-mail for notifications, put in quotes like: "myuser@mydomain.com"

More information is available in /usr/local/maldetect/conf.maldet or at https://www.rfxn.com/projects/linux-malware-detect/
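As an added example that is not part of the original article, the POSIX shell wrapper below parses the {scan} lines of /usr/local/maldetect/event_log (the ones step 4 greps for) to pull out the last completed scan's malware hit count and SCANID, so a cron wrapper can flag reports that need a human review before anything is quarantined. The log lines embedded in it are constructed to mirror maldet's output format, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original article or the maldet project: parse
# the {scan} lines of maldet's event_log (see step 4) to get the most recent
# completed scan's malware hit count and its SCANID, so a wrapper cron job
# can flag reports that need review before anything is quarantined.
# In production feed the real log:  last_scan_hits < /usr/local/maldetect/event_log

# Constructed sample log, shaped like the maldet output shown on this page.
SAMPLE_LOG='maldet(15196): {scan} signatures loaded: 10727 (8823 MD5 / 1904 HEX)
maldet(15196): {scan} scan completed on /home/*: files 1124974, malware hits 0, cleaned hits 0
maldet(15196): {scan} scan report saved, to view run: maldet --report 013344-1347.5196
maldet(20311): {scan} scan completed on /home/?/public_html: files 51200, malware hits 3, cleaned hits 0
maldet(20311): {scan} scan report saved, to view run: maldet --report 013345-0912.20311'

# Print the malware hit count of the most recent completed scan (log on stdin).
last_scan_hits() {
    grep '{scan} scan completed on' | tail -n 1 \
        | sed -n 's/.*malware hits \([0-9][0-9]*\),.*/\1/p'
}

# Print the SCANID of the most recent saved report (log on stdin).
last_scan_id() {
    grep '{scan} scan report saved' | tail -n 1 \
        | sed -n 's/.*maldet --report \([0-9.-]*\).*/\1/p'
}

# Exit 0 when the most recent scan found malware, 1 otherwise (log on stdin).
needs_review() {
    hits=$(last_scan_hits)
    [ -n "$hits" ] && [ "$hits" -gt 0 ]
}

# Demo on the constructed log; a cron wrapper would mail this line instead.
if printf '%s\n' "$SAMPLE_LOG" | needs_review; then
    printf 'review required: maldet --report %s\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | last_scan_id)"
else
    echo 'last scan clean'
fi
```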


Running a full malware scan of user home directories

First, I suggest a full scan of the user home directories to detect and clean malware.

The command below scans all files and directories within /home, which is where the content of cPanel accounts is stored.

# maldet -a /home/?

Later you can restrict the scan, for example to .php files only, with the command below (the dot is escaped so the pattern matches the ".php" extension literally):

# maldet --include-regex ".*\.php$" -a /home/?/public_html

Below is a sample output of what you should see:

root@server [~]# maldet -a /home/?
Linux Malware Detect v1.5.0
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
 
maldet(15196): {scan} signatures loaded: 10727 (8823 MD5 / 1904 HEX)
maldet(15196): {scan} building file list for /home/*, this might take awhile...
maldet(15196): {scan} file list completed, found 1124974 files...
maldet(15196): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(15196): {scan} scan of /home/* (1124974 files) in progress...
 
maldet(15196): {scan} scan completed on /home/*: files 1124974, malware hits 0, cleaned hits 0
maldet(15196): {scan} scan report saved, to view run: maldet --report 013344-1347.5196
root@server [~]#