These days it is very common for a vulnerable website to be exploited and abused for malicious activity by attackers. Especially in a "shared hosting" environment you may get used to discovering a new kind of malware on a daily basis. Here I'm going to present one of the tools that is worth using in that malware hunting.
Linux Malware Detect - what is it?
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, which is designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of detection tools such as ClamAV.
Maldetect is rich in features, such as signature database updates, scanning only recently modified/added files, real-time monitoring using the inotify syscall, quarantine, full reporting, etc. Now let's take a closer look at it.
Download and unpack the current version.
$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ tar -xzf maldetect-current*gz
Enter the unpacked directory and run the install script.
# cd maldetect*
# ./install.sh
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <[email protected]>
(C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(20604): {sigup} performing signature update check...
maldet(20604): {sigup} local signature set is version 201205035915
maldet(20604): {sigup} new signature set (2015083112245) available
maldet(20604): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
maldet(20604): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
maldet(20604): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
maldet(20604): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
maldet(20604): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
maldet(20604): {sigup} signature set update completed
maldet(20604): {sigup} 10822 signatures (8908 MD5 / 1914 HEX)
During installation, maldet checks for signature updates and downloads them if any are available.
To scan a particular directory in the foreground, use the following command.
/usr/local/sbin/maldet -a /dir/to/scan
where:
[-a|--scan-all]
To have directories scanned periodically, see the daily maldet script located in /etc/cron.daily/.
It's also a good idea to email maldet's report right after each scan runs.
mail -s 'Maldetect daily report' [email protected] < /usr/local/maldetect/sess/session.last
session.last is the report of the most recent maldet run; older reports are kept in the same directory.
By default maldet does not move the "affected" files into quarantine; that feature must be explicitly enabled in the conf.maldet file.
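Mailing session.last unconditionally from cron means a report every day whether or not anything was found. The wrapper below is an added example (not part of the maldet project or of this post) that runs a scan of recently changed files, reads the hit count from the "malware hits N" summary line maldet prints, and mails session.last only when that count is non-zero. The installer paths are the ones printed above; MAILTO, SCAN_DIR, DAYS and the use of maldet's -r (scan recent files) option are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not part of the maldet project or this post: a cron-friendly
# wrapper that scans only recently changed files and mails the report only
# when the scan found hits. Paths are the ones the installer prints;
# MAILTO, SCAN_DIR and DAYS are assumptions to adjust for your host.

MALDET=/usr/local/sbin/maldet
SESSION=/usr/local/maldetect/sess/session.last
MAILTO='[email protected]'   # placeholder, replace with the real recipient
SCAN_DIR=/home             # assumed location of customer document roots
DAYS=1                     # -r: only files created/modified in the last N days

# Read maldet console output on stdin and print the hit count taken from the
# summary line, e.g.
#   maldet(24883): {scan} scan completed on /path: files 51, malware hits 49, cleaned hits 0
# Prints 0 when no summary line is present (e.g. the scan aborted early).
hits_from_output() {
    count=$(sed -n 's/.*malware hits \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    echo "${count:-0}"
}

# Run the scan, keep the console output, and mail session.last only on hits.
run_daily_scan() {
    log=$(mktemp)
    "$MALDET" -r "$SCAN_DIR" "$DAYS" >"$log" 2>&1
    hits=$(hits_from_output <"$log")
    if [ "$hits" -gt 0 ]; then
        mail -s "Maldetect: $hits hit(s) on $(hostname)" "$MAILTO" <"$SESSION"
    fi
    rm -f "$log"
    return 0
}

# Constructed sample of maldet console output (the lines are copied from the
# example run in this post) so hits_from_output can be exercised without a
# maldet install.
SAMPLE_OUTPUT='maldet(24883): {scan} 51/51 files scanned: 49 hits 0 cleaned
maldet(24883): {scan} scan completed on /root/tmp_quarentine: files 51, malware hits 49, cleaned hits 0
maldet(24883): {scan} scan report saved, to view run: maldet --report 092215-0047.24883'

echo "sample hits: $(printf '%s\n' "$SAMPLE_OUTPUT" | hits_from_output)"

# Only run the real scan when maldet is actually installed on this host.
if [ -x "$MALDET" ]; then
    run_daily_scan
fi
```

Drop the script into /etc/cron.daily/ alongside the maldet entry (or call it from your own crontab), and the only mail you get is one that actually needs a look. Because hits are parsed from the console summary rather than from the report file, the check does not depend on the internal layout of session.last.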
Example run - make maldet scan a directory containing suspicious files.
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <[email protected]>
(C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(24883): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX)
maldet(24883): {scan} building file list for /root/tmp_quarentine, this might take awhile...
maldet(24883): {scan} file list completed, found 51 files...
maldet(24883): {scan} 51/51 files scanned: 49 hits 0 cleaned
maldet(24883): {scan} scan completed on /root/tmp_quarentine: files 51, malware hits 49, cleaned hits 0
maldet(24883): {scan} scan report saved, to view run: maldet --report 092215-0047.24883
maldet(24883): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 092215-0047.24883
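The last line of that run is the reminder that quarantine is off. The script below is an added example (not part of the maldet project or of this post) that flips quar_hits from the alert-only default to 1 in conf.maldet without editing the file by hand, and then quarantines the hits of the already finished scan using the scan ID maldet printed. The conf path is the one from the installer output; the constructed demo config, the conf_get/conf_set helpers and the assumption that the option appears as a plain KEY=VALUE line are mine.

```shell
#!/bin/sh
# Added example, not part of the maldet project or this post. It enables the
# quarantine action in conf.maldet idempotently, then shows how to quarantine
# the hits of a scan that has already finished, using the scan ID maldet
# printed. The conf path is the one printed by the installer; the scan ID is
# the one from the example run in this post.

CONF=/usr/local/maldetect/conf.maldet
MALDET=/usr/local/sbin/maldet

# Print the current value of KEY from a KEY=VALUE style config file.
conf_get() {      # conf_get FILE KEY
    sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Set KEY=VALUE in a config file: rewrite an existing line (commented out or
# not) or append the option if it is missing. A .bak copy is kept.
conf_set() {      # conf_set FILE KEY VALUE
    file=$1; key=$2; value=$3
    cp "$file" "$file.bak"
    if grep -q "^#* *$key=" "$file"; then
        # portable in-place edit: write to a temp file, then replace the original
        tmp=$(mktemp)
        sed "s/^#* *$key=.*/$key=$value/" "$file" >"$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >>"$file"
    fi
}

# Constructed stand-in for conf.maldet so the helpers can be exercised
# without a maldet install: the weak default (alert only) ...
DEMO_CONF=$(mktemp)
cat >"$DEMO_CONF" <<'EOF'
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=0
EOF
echo "before: quar_hits=$(conf_get "$DEMO_CONF" quar_hits)"
conf_set "$DEMO_CONF" quar_hits 1        # ... and the hardened setting
echo "after:  quar_hits=$(conf_get "$DEMO_CONF" quar_hits)"
rm -f "$DEMO_CONF" "$DEMO_CONF.bak"

# On a real host: enable quarantine for future scans, then quarantine the
# hits of the finished scan from the post (ID taken from its output).
if [ -x "$MALDET" ]; then
    conf_set "$CONF" quar_hits 1
    "$MALDET" -q 092215-0047.24883
fi
```

Quarantined files are moved out of the web root rather than deleted, so a false positive can still be inspected and restored; check the quarantine directory under /usr/local/maldetect after the first run with quar_hits=1 before trusting it on a busy shared host.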
And that's it! For more info about Linux Malware Detect, see its help/man page and/or visit its website.