
Installing and using Linux Malware Detect (LMD) in Linux Operating Systems with cPanel


Managing servers that host customer websites in a shared hosting environment is a hard task.

One night you spend the whole night configuring and customizing WordPress, and once you are happy with it you go to sleep at 6 AM. You wake up, have lunch and come back to look at your site. It now shows a "hacked by ..." page left by some idiot.

I know how frustrating it is to see that much hard work damaged by malware and by shell scripts executed through PHP.

To deal with this kind of problem you have Linux Malware Detect (LMD), which scans for and detects such infected files.

Now we will go through the steps to install Linux Malware Detect (LMD). It co-exists with cPanel without any issues.

First make a directory to store the installation files of LMD (the -p creates /root/install as well if it does not exist yet).

root@earn [~]# mkdir -p /root/install/maldetect/

Change the directory to the created folder.

root@earn [~]# cd /root/install/maldetect/

We can now download LMD with the command below.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

root@earn [~/install/maldetect]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--2015-04-17 05:57:08--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
HTTP request sent, awaiting response... 200 OK
Length: 1762295 (1.7M) [application/x-gzip]
Saving to: maldetect-current.tar.gz

100%[======================================>] 1,762,295   1.62M/s   in 1.0s

2015-04-17 05:57:09 (1.62 MB/s) - maldetect-current.tar.gz saved [1762295/1762295]

Extract the files now.

root@earn [~/install/maldetect]# tar -xvf maldetect-current.tar.gz

Change into the extracted maldetect-1.4.2 directory and run the installer. It copies LMD to /usr/local/maldetect, links the maldet and lmd commands into /usr/local/sbin, drops a daily job into /etc/cron.daily and immediately pulls the current signature set.

root@earn [~/install/maldetect/maldetect-1.4.2]# ./install.sh
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks
            (C) 2013, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(17010): {sigup} performing signature update check...
maldet(17010): {sigup} local signature set is version 201205035915
maldet(17010): {sigup} new signature set (201504066258) available
maldet(17010): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
maldet(17010): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
maldet(17010): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
maldet(17010): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
maldet(17010): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
maldet(17010): {sigup} signature set update completed
maldet(17010): {sigup} 10749 signatures (8838 MD5 / 1911 HEX)

Now we need to edit the LMD configuration file and change a few options so that it alerts and quarantines on its own.
The file is located at /usr/local/maldetect/conf.maldet.

Open it with the nano editor.
# nano /usr/local/maldetect/conf.maldet

I am only going to list the options you need to update (clamav_scan is shown as well, because it is enabled by default and LMD will use the ClamAV engine if clamscan is present):
1. email_alert
2. email_subj
3. email_addr
4. quar_hits
5. quar_clean

# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname) - $(date +%Y-%m-%d)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="user@earneasy.net"

# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# Attempt to detect the presence of ClamAV clamscan binary
# [ 0 = disabled, 1 = enabled; enabled by default ]
clamav_scan=1

Note that quar_clean only takes effect when quar_hits=1. With quar_hits=1 every hit is moved out of the customer's document root automatically, so a false positive takes a page down until you restore it; if that worries you on a shared box, start with quar_hits=0 (alert only), read the report, and quarantine from it by hand.

Once this configuration is done, press CTRL + O to write the changes and CTRL + X to exit.

Now we are going to run a scan.
(I used an account which already has infected files, which the customer moved in today.)

root@earn [~]# maldet --scan-all /home/username/
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks
            (C) 2013, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(23098): {scan} signatures loaded: 10749 (8838 MD5 / 1911 HEX)
maldet(23098): {scan} building file list for /home/username/, this might take awhile...
maldet(23098): {scan} file list completed, found 1868 files...
maldet(23098): {scan} 1868/1868 files scanned: 7 hits 0 cleaned
maldet(23098): {scan} scan completed on /home/username/: files 1868, malware hits 7, cleaned hits 0
maldet(23098): {scan} scan report saved, to view run: maldet --report 041715-0605.23098
maldet(23098): {alert} sent scan report to user@basetech.net

In the scan above the report ID is 041715-0605.23098. Seven files matched signatures and none were cleaned in place ("cleaned hits 0"); because quar_hits=1, they were moved to the quarantine directory under /usr/local/maldetect and are no longer in the customer's account.
You can view the report, including the path and signature name for each hit, by typing:

# maldet --report 041715-0605.23098

Read the report before deleting anything. On a shared host a hit can be a legitimate customer file, and maldet --restore 041715-0605.23098 puts the files quarantined by that scan back where they were. Once you are sure the hits are real, either delete the quarantined copies, or, for string-injection hits, let LMD try to clean the injection out of the files and restore them with maldet --clean 041715-0605.23098.

root@earn [~]# rm -rf /usr/local/maldetect/quarantine/*

or

root@earn [~]# maldet --clean 041715-0605.23098
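The following script is an added example written for this article; it is not code from the original post or from the LMD project. It wraps the manual steps above: it sets the conf.maldet options non-interactively (so the change is repeatable across many cPanel boxes), runs a scan, pulls the SCANID out of maldet's own "scan report saved" line, and shows the report when there were hits, leaving the quarantine untouched until you have reviewed it. It assumes maldet 1.4.2 installed under /usr/local/maldetect as in the post and GNU sed (for sed -i). The function and variable names (lmd_set, lmd_get, lmd_configure, lmd_scan_id, lmd_hits, lmd_scan, LMD_CONF) are my own, and the sample maldet output used in the comments is taken from the scan shown above.

```shell
#!/bin/sh
# Added example (not from the original post or the LMD project).
# Assumptions: maldet 1.4.2 under /usr/local/maldetect, GNU sed.
# LMD_CONF may point at a copy of conf.maldet, e.g. for testing.
set -eu

CONF="${LMD_CONF:-/usr/local/maldetect/conf.maldet}"

# lmd_set KEY VALUE [FILE]: set KEY=VALUE in conf.maldet, replacing an existing
# (possibly commented-out) assignment or appending the line if KEY is absent.
# Running it twice leaves exactly one assignment. VALUE is escaped for the
# replacement side of sed (backslash, & and the | delimiter).
lmd_set() {
    local key="$1" value="$2" file="${3:-$CONF}" esc
    esc=$(printf '%s' "$value" | sed -e 's/[\\&|]/\\&/g')
    if grep -qE "^[[:space:]]*#?[[:space:]]*${key}=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}=.*|${key}=${esc}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# lmd_get KEY [FILE]: print the current value of KEY (last assignment wins).
lmd_get() {
    local key="$1" file="${2:-$CONF}"
    sed -nE "s/^${key}=(.*)$/\1/p" "$file" | tail -n 1
}

# lmd_configure [FILE] [ADDR]: the options enabled in the article.
lmd_configure() {
    local file="${1:-$CONF}" addr="${2:-root@localhost}"
    lmd_set email_alert 1 "$file"
    lmd_set email_subj '"maldet alert from $(hostname) - $(date +%Y-%m-%d)"' "$file"
    lmd_set email_addr "\"$addr\"" "$file"
    lmd_set quar_hits 1 "$file"       # move hits to quarantine and alert
    lmd_set quar_clean 1 "$file"      # only honoured when quar_hits=1
    lmd_set clamav_scan 1 "$file"     # use clamscan if it is installed
}

# lmd_scan_id: read maldet output on stdin and print the SCANID from the
# "scan report saved, to view run: maldet --report SCANID" line (empty if none).
lmd_scan_id() {
    sed -nE 's/.*maldet --report ([0-9]+-[0-9]+\.[0-9]+).*/\1/p' | tail -n 1
}

# lmd_hits: print the hit count from the "scan completed ... malware hits N," line.
lmd_hits() {
    sed -nE 's/.*malware hits ([0-9]+),.*/\1/p' | tail -n 1
}

# lmd_scan PATH: run a full scan, then show the report if anything was hit.
# Nothing is deleted here: quarantined files stay in place for review, and
# `maldet --restore SCANID` puts a scan's files back if a hit was a false positive.
lmd_scan() {
    local path="$1" out id hits
    out=$(maldet --scan-all "$path" 2>&1) || true
    id=$(printf '%s\n' "$out" | lmd_scan_id)
    hits=$(printf '%s\n' "$out" | lmd_hits)
    if [ -z "$id" ]; then
        printf 'no SCANID found in maldet output:\n%s\n' "$out" >&2
        return 1
    fi
    printf 'scan %s: %s hit(s)\n' "$id" "${hits:-0}"
    [ "${hits:-0}" -gt 0 ] && maldet --report "$id"
    return 0
}

case "${1:-}" in
    configure) lmd_configure "$CONF" "${2:-root@localhost}" ;;
    scan)      lmd_scan "${2:?usage: $0 scan PATH}" ;;
esac
```

Usage: after install.sh, run `sh lmd.sh configure user@earneasy.net` once, then `sh lmd.sh scan /home/username/`. The script prints the SCANID and the report, which is what you want in front of you before running `rm -rf` on the quarantine directory.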

The final part is adding the automated jobs to cron. Note that the installer has already placed a daily job at /etc/cron.daily/maldet, as shown in the installation output above.
