It is very common these days, when a vulnerable website gets exploited and used for malicious activities by attackers. Especially when having a "shared hosting" environment you may get used to discovering a new kind of malware on a daily basis. Here I'm going to present one of these tools, which is worth using in that malware hunting.

The Linux Malware Detect - what is?

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion    detection systems to extract malware that is actively being used in attacks and generates signatures for      detection. In addition, threat data is also derived   from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches,   they are also easily exported to any number of detection tools such as ClamAV.

The Maldetect is reach of features like updating signature database,  scanning only recently modified/added files, real time monitoring using inotify syscall, quarantine, full reporting etc. Now lets get a more closer look on it.


Download and unpack the current version.

$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ tar -xfz maldetect-current*gz

Enter unpacked archive and exec the script installer.

# cd maldetect* 
# ./install.sh
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <[email protected]>
(C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(20604): {sigup} performing signature update check...
maldet(20604): {sigup} local signature set is version 201205035915
maldet(20604): {sigup} new signature set (2015083112245) available
maldet(20604): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
maldet(20604): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
maldet(20604): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
maldet(20604): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
maldet(20604): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
maldet(20604): {sigup} signature set update completed
maldet(20604): {sigup} 10822 signatures (8908 MD5 / 1914 HEX)

During the installation, the maldetect will update itself, if there are available updates.


To perform a scan in a foreground of a particular directory, use the following example.

/usr/local/sbin/maldet -a /dir/to/scan



To have periodically scanned directories, see the daily maldet script located in /etc/cron.daily/.   

Also it's a nice idea to send maldetect's report to an email right after the scans run. 

mail -s 'Maldetect daily report' [email protected] < /usr/local/maldetect/sess/session.last

The session.last is the most recent report of maldet run. Of course older reports should be there also available.

Normally maldetect do not move the "affected" files into quarantine - that feature must be explicitly enabled in the conf.maldet file.

Example run - make maldet scan a directory containing suspicious files.

Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <[email protected]>
(C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(24883): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX)
maldet(24883): {scan} building file list for /root/tmp_quarentine, this might take awhile...
maldet(24883): {scan} file list completed, found 51 files...
maldet(24883): {scan} 51/51 files scanned: 49 hits 0 cleaned
maldet(24883): {scan} scan completed on /root/tmp_quarentine: files 51, malware hits 49, cleaned hits 0
maldet(24883): {scan} scan report saved, to view run: maldet --report 092215-0047.24883
maldet(24883): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 092215-0047.24883

And that's it! For more info about Linux Malware Detect please see its help/man/ and/or visit its website

Currently unrated


There are currently no comments

New Comment


required (not published)