What is Maldet?

Linux Malware Detect often abbreviated as LMD or maldet, is a software package that looks for malware on Linux systems and reports on it. Traditionally, Linux systems are generally regarded as very well-protected against, but not immune to, computer viruses and other malware.
Maldet is a commonly used abbreviation for Linux Malware Detect (LMD), a malware scanner for Linux released under the GNU GPLv2 license.
What makes Maldet unique, is that it is designed around the threats faced in shared hosting environments. Maldet works by using threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

Step 1: Updating the Packages

First, make sure the packages are up-to-date. To do so, run the command below:

$ yum -y update

Step 2: Installing Linux Malware Detect

Go to the official Linux Malware Detect page and download the software to your server:

$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Open the already downloaded Linux Malware file:

$ tar xfz maldetect-current.tar.gz

You can change the current directory with the command below:

$ cd maldetect-*

Now run the file to install the script:

$./install.sh

Once the installation process is complete, you should have the output below:

Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@r-fx.org> (C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(2063): {sigup} performing signature update check…
maldet(2063): {sigup} local signature set is version 201907043616
maldet(2063): {sigup} new signature set 202003044235 available
maldet(2063): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(2063): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(2063): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(2063): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(2063): {sigup} verified md5sum of maldet-clean.tgz
maldet(2063): {sigup} unpacked and installed maldet-clean.tgz
maldet(2063): {sigup} signature set update completed
maldet(2063): {sigup} 17028 signatures (14208 MD5 | 2035 HEX | 785 YARA | 0 USER)

Step 3: Configuring LMD

Linux Malware Detect configuration file is /usr/local/maldetect/conf.maldet and it can be modified as per the requirements below:

$ nano /usr/local/maldetect/conf.maldet

The default file in your system should look like this:

##
# Linux Malware Detect v1.6.4
# (C) 2002-2019, R-fx Networks <proj@r-fx.org> # (C) 2019, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
##
# [ General Options ]
##
# Enable or disable e-mail alerts, this includes application version
# alerts as well as automated/manual scan reports. On-demand reports
# can still be sent using ‘–report SCANID user@domain.com’.
# [0 = disabled, 1 = enabled]
email_alert=”0″
# The destination e-mail addresses for automated/manual scan reports
# and application version alerts.
# [ multiple addresses comma (,) spaced ]
email_addr=”you@domain.com”
# Ignore e-mail alerts for scan reports in which all malware hits
# have been automatically and successfully cleaned.
# [0 = disabled, 1 = enabled]
email_ignore_clean=”1″
# Enable or disable slack alerts, this will upload the scan report as a file
# into one or more slack channels
# [0 = disabled, 1 = enabled]
slack_alert=”0″
# The file name of the file that will be uploaded to slack channel(s)
slack_subj=”maldet alert from $(hostname)”
# Slack authentication token.
# Requires scope: files:write:user
# more information https://api.slack.com/methods/files.upload
slack_token=”AUTH_TOKEN”
# Comma-separated list of channel names or IDs
# where the scan report will be shared.
slack_channels=”maldetreports”
# This controls the daily automatic updates of LMD signature files
# and cleaner rules. The signature update process preserves any
# custom signature or cleaner files. It is highly recommended that this
# be enabled as new signatures a released multiple times per-week.
# [0 = disabled, 1 = enabled]
autoupdate_signatures=”1″
# This controls the daily automatic updates of the LMD installation.
# The installation update process preserves all configuration options
# along with custom signature and cleaner files. It is recommended that
# this be enabled to ensure the latest version, features and bug fixes
# are always available.
# [0 = disabled, 1 = enabled]
autoupdate_version=”1″
# This controls validating the LMD executable MD5 hash with known
# good upstream hash value. This allows LMD to replace the the
# executable / force a reinstallation in the event the LMD executable
# is tampered with or corrupted. If you intend to make customizations
# to the LMD executable, you should disable this feature.
# [0 = disabled, 1 = enabled]
autoupdate_version_hashed=”1″
# The retention period, in days, which quarantine, temporary files and stale
# session information should be retained. Data older than this value is deleted
# with the daily cron execution.
cron_prune_days=”21″
# This controls whether or not daily automatic scanning of standard web
# directories is performed via cron.
# [0 = disabled, 1 = enabled]
cron_daily_scan=”1″
# When defined, the import_config_url option allows a configuration file to be
# downloaded from a remote URL. The local conf.maldet and internals.conf are
# parsed followed by the imported configuration file. As such, only variables
# defined in the imported configuration file are overridden and a full set of
# configuration options is not explicitly required in the imported file.
import_config_url=””
# The expiry interval for refreshing the local cached version of the imported
# configuration file. The default is every 12h (43200 sec) which should be ok
# for most setups.
import_config_expire=”43200″
# When defined, the import_custsigs_*_url options allow for the custom signature
# files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
# SIGNATURE FILES! It is recommended for large-scale deployments to define these
# variables within a import_config_url file.
import_custsigs_md5_url=””
import_custsigs_hex_url=””
##
# [ SCAN OPTIONS ]
##
# The maximum directory depth that the scanner will search, a value
# of 10-15 is recommended.
# [ changing this may have an impact on scan performance ]
scan_max_depth=”15″
# The minimum file size in bytes for a file to be included in LMD scans.
# [ changing this may have an impact on scan performance ]
scan_min_filesize=”24″
# The maximum file size for a file to be included in LMD scans. Accepted
# value formats are b, k, M. When using the clamscan engine, the max_filesize
# will be dynamically set based on the largest known filesize from the MD5
# hash signature file.
# [ changing this may have an impact on scan performance ]
scan_max_filesize=”2048k”
# The maximum byte depth that the scanner will search into a files content.
# The default signature rules expect a depth size of at least 65536 bytes.
# [ changing this may have an impact on scan performance ]
scan_hexdepth=”65536″
# Use named pipe (FIFO) for passing file contents hex data instead of stdin
# default; improved performance and greater scanning depth. This is highly
# recommended and works on most systems. The hexfifo will be disabled
# automatically if for any reason it can not be successfully utilized.
# [ 0 = disabled, 1 = enabled ]
scan_hexfifo=”1″
# The maximum byte depth that the scanner will search into a files content
#s when using named pipe (FIFO). Improved performance allows for greater
# scan depth over default scan_hexdepth value.
# [ changing this may have an impact on scan performance ]
scan_hexfifo_depth=”524288″
# If installed, use ClamAV clamscan binary as default scan engine which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan=”1″
# Include the scanning of known temporary world-writable paths for
# -a|–al and -r|–recent scan types.
scan_tmpdir_paths=”/tmp /var/tmp /dev/shm /var/fcgi_ipc”
# Allows non-root users to perform scans. This must be enabled when
# using mod_security2 upload scanning or if you want to allow users
# to perform scans. When enabled, this will populate ‘pub/’ with user
# owned quarantine, session and temporary paths to facilitate scans.
# [ 0 = disabled, 1 = enabled, disabled by default ]
scan_user_access=”0″
# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio , 19 = low prio, default = 19 ]
scan_cpunice=”19″
# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
scan_ionice=”6″
# Set hard limit on CPU usage for find and clam(d)scan processes. This
# requires the ‘cpulimit’ binary to be available on the server. The values
# are expressed as relative percentage * N cores on system. An 8 CPU core
# server would accept values from 0 – 800, 12 cores 0 – 1200 etc…
scan_cpulimit=”0″
# As a design and common use case, LMD typically only scans user space paths
# and as such it makes sense to ignore files that are root owned. It is
# recommended to leave this enabled for best performance.
# [ 0 = disabled, 1 = enabled ]
scan_ignore_root=”1″
# This allows for specific user or groups to be ignored entirely from scan
# file lists. This option should be used with care and is not ideal for
# ignoring false positives. Instead, you should use one of the ignore files,
# such as ignore_paths, to exclude a specific file name or path from scans.
# [ comma or white spaced list of user and group names ]
scan_ignore_user=””
scan_ignore_group=””
# The maximum amount of time, in seconds, that the ‘find’ file list generation
# will run before it is terminated. All ‘find’ results up to the point of
# termination will be fully scanned. If performing a full scan of all user paths
# on a large server, it is reasonable to expect the find operation may take a
# long time to complete and as such this feature may interfere. In such cases,
# this feature can be disabled/modified on a per-scan basis using the
# ‘-co|–config-option’ CLI option, such as:
# “maldet -co scan_find_timeout=0 -a /home/?/public_html”.
# [ 0 = disabled, 14400 = 4hr recommended timeout ]
scan_find_timeout=”0″
# The ‘-r|–recent’ ‘find’ operation performed by LMD detects recently created/modifed
# user files. This ‘find’ operation can be especially resource intensive and it may
# be desirable to persist the file list results so that other applications/tasks
# may make use of the results. When scan_export_filelist is set enabled, the most
# recent result set will be saved to ‘/usr/local/maldetect/tmp/find_results.last’
# [ 0 = disabled, 1 = enabled ]
scan_export_filelist=”0″
##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits=”0″
# Try to clean string based malware injections
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = clean]
quarantine_clean=”0″
# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = suspend account]
quarantine_suspend_user=”0″
# The minimum userid value that can be suspended
# [ default = 500 ]
quarantine_suspend_user_minuid=”500″
# When using an external scan engine, such as ClamAV, should files be
# quarantined if an error from the scanner engine is received?
# This is defaulted to 1, always quarantine, as ClamAV generates an
# error exit code for trivial errors such as file not found. As such, a
# large percentage of scans will have ClamAV exiting with error code 2.
# [ 0 = do not quarantine, 1 = always quarantine ]
quarantine_on_error=”1″
##
# [ MONITORING OPTIONS ]
##
# The default startup option for monitor mode, either ‘users’ or path to line
# spaced file containing local paths to monitor.
#
# This option is optional for the init based startup script, maldet.sh. This
# value is ignored when ‘/etc/sysconfig/maldet’ or ‘/etc/default/maldet’ is
# present with a defined value for $MONITOR_MODE.
#
# This option is REQUIRED for the systemd maldet.service script. That script
# only checks for the value of $default_monitor_mode. The service will fail to
# start if a value is not provided.
default_monitor_mode=”users”
# default_monitor_mode=”/usr/local/maldetect/monitor_paths”
# The base number of files that can be watched under a path,
# this ends up being a relative value per-user in user mode.
# [ maximum file watches = inotify_base_watches*users ]
inotify_base_watches=”16384″
# The sleep time in seconds between monitor runs to scan files
# that have been created/modified/moved.
inotify_sleep=”15″
# The interval in seconds that inotify will reload configuration
# data, including remote configuration imports and user signatures.
inotify_reloadtime=”3600″
# The minimum userid that will be added to path monitoring when
# the USERS option is specified.
inotify_minuid=”500″
# This is the html/web root for users relative to homedir, when
# this option is set, users will only have the webdir monitored
# [ comma spaced list, clear option to default monitor user homedir ]
inotify_docroot=”public_html,public_ftp”
# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio , 19 = low prio, default = 19 ]
inotify_cpunice=”18″
# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
inotify_ionice=”6″
# Set hard limit on CPU usage for inotify monitoring processes. This requires
# the ‘cpulimit’ binary to be available on the server. The values are expressed
# as relative percentage * N cores on system. An 8 CPU core system would accept
# values from 0 – 800, a 12 cores system would accept 0 – 1200 etc…
inotify_cpulimit=”0″
# Log every file scanned by inotify monitoring mode; this is not recommended
# and will drown out your ‘event_log’ file, intended only for debugging purposes.
inotify_verbose=”0″
##
# [ STATISTICAL ANALYSIS ]
# This is an EXPERIMENTAL feature and should be used with caution.
# Currently, this feature can have a substantially negative impact
# on scan performance, especially with large file sets.
##
# The string length test is used to identify threats based on the
# length of the longest uninterrupted string within a file. This is
# useful as obfuscated code is often stored using encoding methods
# that produce very long strings without spaces (e.g: base64)
# [ string length in characters, default = 150000 ]
string_length_scan=”0″ # [ 0 = disabled, 1 = enabled ]
string_length=”150000″ # [ max string length ]

Now change the settings below:
email_alert=1 – If you want to receive email alerts
email_addr=”user@yourdomain.tld” – Type the address where you want to receive the malware email alerts
quarantine_hits=1 t for malware hits
quarantine_clean=1 – Clears the detected malware injections

Step 4: Set CronJob for Auto Scanning

In the installation process, a cron job file is installed in /etc/cron.daily/maldet.
These files installed by LMD are useful in keeping the current session, performing daily updates of the signature files, temp, as well as store quarantine data for not more than two weeks or 14 days. It runs a daily scan of all recent files on the system.
To ensure these files are compatible with the structure of your server and those in the Cron file, check the control panel and make the necessary changes.

#!/usr/bin/env bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
export LMDCRON=1
inspath=’/usr/local/maldetect’
intcnf=”$inspath/internals/internals.conf”
if [ -f “$intcnf” ]; then
source $intcnf
else
echo “\$intcnf not found.”
exit 1
fi
if [ -f “$cnf” ]; then
source $cnf
if [ -f “$compatcnf” ]; then
source $compatcnf
fi
else
echo “could not find \$cnf, fatal error, bye.”
exit 1
fi
if [ -f “/etc/sysconfig/maldet” ]; then
. /etc/sysconfig/maldet
elif [ -f “/etc/default/maldet” ]; then
. /etc/default/maldet
fi
if [ -f “$cron_custom_conf” ]; then
. $cron_custom_conf
fi
if [ -z “$scan_days” ]; then
scan_days=1
fi
if [ -z “$cron_prune_days” ]; then
cron_prune_days=21
fi
if [ “$find” ]; then
# prune any quarantine/session/tmp data older than 7 days
tmpdirs=”$tmpdir $varlibpath/sess $varlibpath/quarantine $varlibpath/pub”
for dir in $tmpdirs; do
if [ -d “$dir” ]; then
$find $dir -type f -mtime +${cron_prune_days} -print0 | xargs -0 rm -f >> /dev/null 2>&1
fi
done
fi
if [ “$autoupdate_version” == “1” ] || [ “$autoupdate_signatures” == “1” ]; then
# sleep for random 1-999s interval to better distribute upstream load
sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
fi
if [ “$autoupdate_version” == “1” ]; then
# check for new release version
$inspath/maldet -d >> /dev/null 2>&1
fi
if [ “$autoupdate_signatures” == “1” ]; then
# check for new definition set
$inspath/maldet -u >> /dev/null 2>&1
fi
# if we’re running inotify monitoring, send daily hit summary
if [ “$(ps -A –user root -o “cmd” | grep -E maldetect | grep -E inotifywait)” ]; then
$inspath/maldet –monitor-report >> /dev/null 2>&1
elif [ “$cron_daily_scan” == “1” ]; then
if [ -d “/home/virtual” ] && [ -d “/usr/lib/opcenter” ]; then
# ensim
$inspath/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ $scan_days >> /dev/null 2>&1
elif [ -d “/etc/psa” ] && [ -d “/var/lib/psa” ]; then
# psa
$inspath/maldet -b -r /var/www/vhosts/?/ $scan_days >> /dev/null 2>&1
elif [ -d “/usr/local/directadmin” ]; then
# DirectAdmin
$inspath/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ $scan_days >> /dev/null 2>&1
elif [ -d “/var/www/clients” ]; then
# ISPConfig
$inspath/maldet -b -r /var/www/clients/?/web?/web,/var/www/clients/?/web?/subdomains,/var/www $scan_days >> /dev/null 2>&1
elif [ -d “/etc/webmin/virtual-server” ]; then
# Virtualmin
$inspath/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ $scan_days >> /dev/null 2>&1
elif [ -d “/usr/local/ispmgr” ] || [ -d “/usr/local/mgr5” ]; then
# ISPmanager
$inspath/maldet -b -r /var/www/?/data/,/home/?/data/ $scan_days >> /dev/null 2>&1
elif [ -d “/var/customers/webs” ]; then
# froxlor
$inspath/maldet -b -r /var/customers/webs/ $scan_days >> /dev/null 2>&1
elif [ -d “/usr/local/vesta” ]; then
# VestaCP
$inspath/maldet -b -r /home/?/web/?/public_html/,/home/?/web/?/public_shtml/,/home/?/tmp/,/home/?/web/?/private/ $scan_days >> /dev/null 2>&1
elif [ -d “/usr/share/dtc” ]; then
# DTC
if [ -f /var/lib/dtc/saved_install_config ]; then
. /var/lib/dtc/saved_install_config
fi
$inspath/maldet -b -r ${conf_hosting_path:-/var/www/sites}/?/?/subdomains/?/html/ $scan_days >> /dev/null 2>&1
else
# cpanel, interworx and other standard home/user/public_html setups
$inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1
fi
fi
if [ -f “$cron_custom_exec” ]; then
. $cron_custom_exec
fi

To active the email alerts once a malware is detected, open the Maldet configuration file that is found in /usr/local/maldetect/conf.maldet and type the following:

email_alert=1
email_subj=”Maldet alert from $(hostname)”
email_addr=”email@domain.com

Step 5: Manual Scanning

To scan a directory you want to use, run the command below:

$ maldet -a /path/to/directory

To ensure Maldet is up-to-date, run the command below:

$ maldet -u

You can see the details of the options available by running the following command:

$ maldet – h

Now Linux Malware Detect (LMD) is successfully installed.

Conclusion

Congratulations, LMD is now installed in CentOS 7 system and ready for use. Follow these steps and make the necessary edits to configure LMD to your needs.