Linux Malware Detect (LMD), also called maldet, is an open-source malware scanner for Linux servers. It matches files against a signature set of MD5 hashes, HEX patterns and YARA rules pulled from the project's update servers, can quarantine or clean what it finds, and can run on demand, from a daily cron job or as a monitor that watches paths for new and changed files.
Before installing Linux Malware Detect, bring the Ubuntu 20.04 server up to date and make sure wget is available.
To update and upgrade the server, run the following command.
root@noufserver:~# sudo apt update && sudo apt upgrade -y
Install wget if it is not already present on the server.
root@noufserver:~# sudo apt install wget -y
The pwd command prints the full path of the current directory; cd followed by a path changes into that directory. The download below is done from /tmp.
root@noufserver:~# pwd
/root
root@noufserver:~# cd /tmp/
root@noufserver:/tmp# pwd
/tmp
root@noufserver:/tmp#
Download the latest Linux Malware Detect tarball. The command below fetches it over plain HTTP, and the install.sh inside it is run as root a few steps later, so anyone who can tamper with that connection can run code as root on this server. Prefer the https:// form of the URL if the project serves it (an assumption; the page only shows the http:// download), and look at what the archive contains before running anything from it.
root@noufserver:/tmp# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Here is the output.
root@noufserver:/tmp# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--2022-01-27 04:47:28-- http://www.rfxn.com/downloads/maldetect-current.tar.gz
Resolving www.rfxn.com (www.rfxn.com)... 172.67.144.156, 104.21.28.71, 2606:4700:3034::6815:1c47, ...
Connecting to www.rfxn.com (www.rfxn.com)|172.67.144.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1549126 (1.5M) [application/x-gzip]
Saving to: 'maldetect-current.tar.gz'
maldetect-current.tar.gz 100%[=====================================================================================>] 1.48M 1.34MB/s in 1.1s
2022-01-27 04:47:30 (1.34 MB/s) - 'maldetect-current.tar.gz' saved [1549126/1549126]
To extract the tarball, run the following command.
root@noufserver:/tmp# tar xfz maldetect-current.tar.gz
tar prints nothing on success. Listing the directory with ll (an Ubuntu alias for ls -alF) shows the extracted maldetect-1.6.4 directory next to the archive.
root@noufserver:/tmp# tar xfz maldetect-current.tar.gz
root@noufserver:/tmp#
root@noufserver:/tmp# ll
drwxr-xr-x 3 root root 4096 Jun 20 2019 maldetect-1.6.4/
-rw-r--r-- 1 root root 1549126 Jul 6 2019 maldetect-current.tar.gz
Change into the extracted directory.
root@noufserver:/tmp# cd maldetect-1.6.4
Here is the complete output, including pwd to confirm the directory and ll to list its contents.
root@noufserver:/tmp# cd maldetect-1.6.4
root@noufserver:/tmp/maldetect-1.6.4# pwd
/tmp/maldetect-1.6.4
root@noufserver:/tmp/maldetect-1.6.4# ll
total 128
drwxr-xr-x 3 root root 4096 Jun 20 2019 ./
drwxrwxrwt 13 root root 4096 Jan 27 04:48 ../
lrwxrwxrwx 1 root root 26 Jul 1 2016 .ca.def -> files/internals/importconf
-rw-r--r-- 1 root root 46407 Apr 15 2019 CHANGELOG
-rw-r--r-- 1 root root 3186 Apr 15 2019 CHANGELOG.RELEASE
-rw-r--r-- 1 root root 1491 Sep 10 2013 CHANGELOG.VARIABLES
-rw-r--r-- 1 root root 18093 Sep 10 2013 COPYING.GPL
-rw-r--r-- 1 root root 24188 Mar 16 2019 README
-rw-r--r-- 1 root root 76 Jan 8 2017 cron.d.pub
-rwxr-xr-x 1 root root 3777 Apr 15 2019 cron.daily*
drwxr-xr-x 8 root root 4096 Jul 6 2019 files/
-rwxr-xr-x 1 root root 6100 Mar 27 2019 install.sh*
Execute the Linux Malware Detect installation script by running the following command.
root@noufserver:/tmp/maldetect-1.6.4# ./install.sh
Here is the output.
root@noufserver:/tmp/maldetect-1.6.4# ./install.sh
Linux Malware Detect v1.6.4
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
imported config options from /usr/local/maldetect.last/conf.maldet
maldet(89728): {sigup} performing signature update check...
maldet(89728): {sigup} local signature set is version 201907043616
maldet(89728): {sigup} new signature set 20220122476998 available
maldet(89728): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(89728): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(89728): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(89728): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(89728): {sigup} verified md5sum of maldet-clean.tgz
maldet(89728): {sigup} unpacked and installed maldet-clean.tgz
maldet(89728): {sigup} signature set update completed
maldet(89728): {sigup} 17264 signatures (14442 MD5 | 2039 HEX | 783 YARA | 0 USER)
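The download, extract and install steps above folded into one script that only accepts a TLS URL, extracts into a private scratch directory, checks the archive's member names before extracting, runs the installer and then removes the source tree, so a later scan of the scratch location does not flag LMD's own signature files. This is an added example, not code from the page or from the LMD project. It assumes the archive is also served at https://www.rfxn.com/downloads/maldetect-current.tar.gz (the page used the http:// URL); override MALDET_URL if your mirror differs.

```shell
#!/bin/sh
# Added example: a stricter version of the download, extract and install steps
# above. Assumption (not from the page): the archive is also served over https
# at the URL below; override with MALDET_URL if your mirror differs.
set -e

MALDET_URL="${MALDET_URL:-https://www.rfxn.com/downloads/maldetect-current.tar.gz}"

# Accept only https:// URLs. install.sh runs as root, so a plaintext download
# hands root to anyone who can tamper with the connection.
url_is_https() {    # usage: url_is_https URL
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Read tar member names on stdin and reject any that could escape the
# extraction directory (absolute paths or ".." components).
members_safe() {    # usage: tar tzf ARCHIVE | members_safe
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*) return 1 ;;
        esac
    done
    return 0
}

# Download, check the member list, extract into a private scratch directory,
# run the installer from inside the tree (as on the page), then delete the tree
# so a later "maldet -a /tmp" does not flag LMD's own signature files.
install_maldet() {  # usage: install_maldet (as root)
    url_is_https "$MALDET_URL" || { echo "refusing non-https URL: $MALDET_URL" >&2; return 1; }
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    wget -q -O "$work/maldetect.tar.gz" "$MALDET_URL"
    tar tzf "$work/maldetect.tar.gz" | members_safe \
        || { echo "archive contains an unsafe member name" >&2; return 1; }
    tar xzf "$work/maldetect.tar.gz" -C "$work"
    src=$(find "$work" -mindepth 1 -maxdepth 1 -type d -name 'maldetect-*' | head -n 1)
    [ -n "$src" ] || { echo "no maldetect-* directory in archive" >&2; return 1; }
    (cd "$src" && ./install.sh)
}

# Only touch the network when invoked as "install"; otherwise just define the
# functions so they can be sourced and exercised offline.
if [ "${1:-}" = "install" ]; then
    install_maldet
fi
```

Run it as root with the single argument install. The scratch directory is removed by the EXIT trap whether the installer succeeds or not, which is the difference from the page's flow, where /tmp/maldetect-1.6.4 is left behind and later shows up as hits in the /tmp scan.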
The syntax of the maldet command is as follows.
maldet [OPTION] [Directory Path]
The available maldet options are as follows.
-a (--scan-all) PATH - Scan all files under PATH.
-b (--background) - Run the operation in the background; progress goes to the event log.
-c (--checkout) FILE - Upload a suspected malware file to rfxn.com for review and hashing into the signatures.
-d (--update-ver) - Update the installed LMD version.
-e (--report) [SCANID] [EMAIL] - View the most recent scan report, or the report for SCANID, and optionally e-mail it to EMAIL.
-h (--help) - List all available options.
-l (--log) - View the maldet event log.
-n (--clean) SCANID - Clean and restore the malware hits from the report for SCANID.
-p (--purge) - Clear logs, the quarantine queue, and session and temporary data.
-q (--quarantine) SCANID - Quarantine all malware hits from the report for SCANID.
-r (--scan-recent) PATH DAYS - Scan files created or modified in the last DAYS days under PATH (default 7; ? is a wildcard).
-s (--restore) FILE|SCANID - Restore one quarantined file to its original path, or every file quarantined from SCANID.
-u (--update) - Update the malware detection signatures.
Now that Linux Malware Detect is installed, adjust its configuration file, /usr/local/maldetect/conf.maldet, to suit the server. Follow these steps.
Use the following command to open the Linux Malware Detect configuration file.
root@noufserver:~# vim /usr/local/maldetect/conf.maldet
Find the following lines in the configuration file and set them as shown. These values turn on e-mail alerts, signature and version auto-updates, the daily cron scan, the ClamAV scan engine and quarantine of hits; the comments point out the settings that deserve thought before you copy them onto a production host.
# Send an e-mail alert after each scan that finds something.
email_alert="1"
# Address that receives the scan reports (placeholder; use your own).
email_addr="you@example.com"
# Fetch new signature sets automatically.
autoupdate_signatures="1"
# Use ClamAV's clamscan as the scan engine when it is installed.
scan_clamscan="1"
# Update the LMD installation itself automatically.
autoupdate_version="1"
# Run the daily cron scan.
cron_daily_scan="1"
# Try to clean string-based injections in place (0 = leave the file whole and quarantine it instead).
quarantine_clean="0"
# Suspend the account that owns a detected file. A single false positive locks a real user out, so set this to 0 where that cost is higher than a delayed cleanup.
quarantine_suspend_user="1"
# Lowest UID that may be suspended (Ubuntu creates regular users from UID 1000 upward).
quarantine_suspend_user_minuid="500"
# Allow non-root users to run scans. Leave at 0 unless you need it; it widens who can drive the scanner.
scan_user_access="1"
# Move hits to /usr/local/maldetect/quarantine and alert.
quarantine_hits="1"
# Scan root-owned files as well (1 would skip them).
scan_ignore_root="0"
Save the changes and exit the file by typing :wq and then press Enter.
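Editing conf.maldet by hand works for one server; when the same settings are rolled out to many hosts you want to set and check them from a script. The helpers below are an added example, not part of LMD: conf_get and conf_set read and rewrite key="value" lines, and conf_audit flags the settings discussed above that weaken detection or widen the blast radius of a false positive. The key names are the ones listed above and the default path is the one the installer printed; CONF can be overridden to work on a copy.

```shell
#!/bin/sh
# Added example: script-driven editing and auditing of conf.maldet.
# Not part of LMD. CONF defaults to the path printed by the installer above.
set -e

CONF="${CONF:-/usr/local/maldetect/conf.maldet}"

# Print the value of KEY from FILE. conf.maldet lines look like key="value";
# the last uncommented definition wins, as it does for the shell that reads it.
conf_get() {        # usage: conf_get KEY FILE
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$2" | tail -n 1
}

# Set KEY to VALUE in FILE: rewrite the existing line, or append one. Writes
# through "cat >" so the file keeps its inode and mode. VALUE must not contain
# | or &, which are special in the sed replacement.
conf_set() {        # usage: conf_set KEY VALUE FILE
    if grep -q "^[[:space:]]*$1=" "$3"; then
        sed "s|^[[:space:]]*$1=.*|$1=\"$2\"|" "$3" > "$3.tmp"
        cat "$3.tmp" > "$3" && rm -f "$3.tmp"
    else
        printf '%s="%s"\n' "$1" "$2" >> "$3"
    fi
}

findings=0
warn() { echo "conf.maldet: $1" >&2; findings=$((findings + 1)); }

# Report settings that weaken detection or widen the blast radius of a false
# positive. Findings go to stderr; the count is printed on stdout.
conf_audit() {      # usage: conf_audit FILE
    findings=0
    [ "$(conf_get quarantine_hits "$1")" = "1" ] \
        || warn "quarantine_hits is not 1: detected files stay in place, readable and executable"
    [ "$(conf_get autoupdate_signatures "$1")" = "1" ] \
        || warn "autoupdate_signatures is not 1: the signature set will go stale"
    [ "$(conf_get quarantine_suspend_user "$1")" != "1" ] \
        || warn "quarantine_suspend_user=1: one false positive locks a real account out"
    [ "$(conf_get scan_user_access "$1")" != "1" ] \
        || warn "scan_user_access=1: non-root users can drive the scanner"
    echo "$findings"
}

# Apply the tutorial's safe-by-default values when run as "apply" (as root),
# then audit the result.
if [ "${1:-}" = "apply" ]; then
    conf_set email_alert 1 "$CONF"
    conf_set autoupdate_signatures 1 "$CONF"
    conf_set autoupdate_version 1 "$CONF"
    conf_set cron_daily_scan 1 "$CONF"
    conf_set scan_clamscan 1 "$CONF"
    conf_set quarantine_hits 1 "$CONF"
    conf_audit "$CONF"
fi
```

Running it with apply sets the uncontroversial values and prints the number of remaining findings; quarantine_suspend_user and scan_user_access are deliberately left for a human decision and only reported.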
Linux Malware Detect can use ClamAV's clamscan binary as its scan engine (scan_clamscan="1" above), which is markedly faster on large file sets than its own scanner. ClamAV is an open-source antivirus engine for detecting viruses, trojans and other malware.
ClamAV is in the Ubuntu repositories, so install it with apt.
root@noufserver:~# sudo apt install clamav clamav-daemon clamdscan -y
Here is the output.
root@noufserver:~# sudo apt install clamav clamav-daemon clamdscan -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
clamav-base clamav-freshclam libclamav9 libtfm1
Suggested packages:
libclamunrar clamav-docs daemon libclamunrar9
The following NEW packages will be installed:
clamav clamav-base clamav-daemon clamav-freshclam clamdscan libclamav9 libtfm1
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Once ClamAV is installed, update its signature database before using clamscan to scan files for malware. The clamav-freshclam service updates the database on its own schedule and holds a lock on the freshclam log while it runs, so stop it (if it is running) before running freshclam by hand; otherwise the manual run fails with a "locked by another process" error.
root@noufserver:~# sudo systemctl stop clamav-freshclam
Update the ClamAV definition database with the following command.
root@noufserver:~# sudo freshclam
Here is the output.
root@noufserver:~# sudo freshclam
Thu Jan 27 05:21:11 2022 -> ClamAV update process started at Thu Jan 27 05:21:11 2022
Thu Jan 27 05:21:11 2022 -> daily.cvd database is up-to-date (version: 26434, sigs: 1972740, f-level: 90, builder: raynman)
Thu Jan 27 05:21:11 2022 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Jan 27 05:21:11 2022 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Once the ClamAV definition database is updated, you can start clamav-freshclam service using the following command.
root@noufserver:~# sudo systemctl start clamav-freshclam
Enable clamav-freshclam at boot so that definition updates resume automatically after a reboot; stale ClamAV signatures silently weaken every maldet scan that uses the ClamAV engine.
root@noufserver:~# sudo systemctl enable clamav-freshclam
Here is the output.
root@noufserver:~# sudo systemctl enable clamav-freshclam
Synchronizing state of clamav-freshclam.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable clamav-freshclam
If you ever need to stop the updater from starting at boot, disable it with the following command.
root@noufserver:~# sudo systemctl disable clamav-freshclam
Here is the output.
root@noufserver:~# sudo systemctl disable clamav-freshclam
Synchronizing state of clamav-freshclam.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable clamav-freshclam
Removed /etc/systemd/system/multi-user.target.wants/clamav-freshclam.service.
Check that Linux Malware Detect works by downloading the EICAR test files. EICAR is not real malware: it is a harmless 68-byte string that antivirus vendors agree to detect, which makes it safe for exercising a scanner on a production host.
Change to /tmp and download the four variants (plain, .txt, zipped and double-zipped) from the EICAR website.
root@noufserver:~# cd /tmp
root@noufserver:/tmp# wget https://secure.eicar.org/eicar.com
root@noufserver:/tmp# wget https://secure.eicar.org/eicar_com.zip
root@noufserver:/tmp# wget https://secure.eicar.org/eicarcom2.zip
root@noufserver:/tmp# wget https://secure.eicar.org/eicar.com.txt
Here is the output.
root@noufserver:~# cd /tmp
root@noufserver:/tmp# wget https://secure.eicar.org/eicar.com
--2022-01-27 06:31:33-- https://secure.eicar.org/eicar.com
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/x-msdownload]
Saving to: 'eicar.com'
eicar.com 100%[=====================================================================================>] 68 --.-KB/s in 0s
2022-01-27 06:31:34 (4.09 MB/s) - 'eicar.com' saved [68/68]
root@noufserver:/tmp# wget https://secure.eicar.org/eicar_com.zip
--2022-01-27 06:31:42-- https://secure.eicar.org/eicar_com.zip
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 184 [application/zip]
Saving to: 'eicar_com.zip'
eicar_com.zip 100%[=====================================================================================>] 184 --.-KB/s in 0s
2022-01-27 06:31:43 (23.0 MB/s) - 'eicar_com.zip' saved [184/184]
root@noufserver:/tmp# wget https://secure.eicar.org/eicarcom2.zip
--2022-01-27 06:31:50-- https://secure.eicar.org/eicarcom2.zip
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 308 [application/zip]
Saving to: 'eicarcom2.zip'
eicarcom2.zip 100%[=====================================================================================>] 308 --.-KB/s in 0s
2022-01-27 06:31:51 (12.1 MB/s) - 'eicarcom2.zip' saved [308/308]
root@noufserver:/tmp# wget https://secure.eicar.org/eicar.com.txt
--2022-01-27 06:31:59-- https://secure.eicar.org/eicar.com.txt
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [text/plain]
Saving to: 'eicar.com.txt'
eicar.com.txt 100%[=====================================================================================>] 68 --.-KB/s in 0s
2022-01-27 06:31:59 (7.91 MB/s) - 'eicar.com.txt' saved [68/68]
root@noufserver:/tmp#
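If the host cannot reach secure.eicar.org, or you would rather not fetch test files over the network, the EICAR pattern can be written locally: it is a published 68-byte ASCII string, and its MD5 (44d88612fea8a8f36de82e1278abb02f) is well known, so a freshly written copy can be verified before it is scanned. This is an added example, not from the page, the EICAR site or LMD; the scan_dir_hits helper assumes maldet is on PATH and only reports whether the scan found at least one hit.

```shell
#!/bin/sh
# Added example: generate the EICAR test file locally and verify it before
# scanning, instead of downloading it. The string and its MD5 are the published
# EICAR values; nothing here comes from the page or from LMD.
set -e

# The 68-byte EICAR pattern. Single quotes keep \P and the $ signs literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
EICAR_MD5='44d88612fea8a8f36de82e1278abb02f'

# Write the test file into DIR and print its path. printf '%s' avoids the
# format-string interpretation of the % and \ in the pattern.
write_eicar() {     # usage: write_eicar DIR
    printf '%s' "$EICAR" > "$1/eicar.com"
    printf '%s\n' "$1/eicar.com"
}

# True when FILE is exactly the EICAR pattern: 68 bytes with the known MD5.
is_eicar() {        # usage: is_eicar FILE
    [ "$(wc -c < "$1" | tr -d ' ')" = "68" ] || return 1
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$EICAR_MD5" ]
}

# Scan DIR with maldet (assumed on PATH). Returns 0 if the scan reported at
# least one hit, 1 if it reported none, 2 if maldet is not installed.
scan_dir_hits() {   # usage: scan_dir_hits DIR
    command -v maldet >/dev/null 2>&1 \
        || { echo "maldet not installed; skipping scan" >&2; return 2; }
    out=$(maldet -a "$1" 2>&1) || true
    printf '%s\n' "$out" | grep -q 'malware hits [1-9]'
}

# Demo when run as "demo": write the file into a fresh directory, verify it,
# then scan that directory. With quarantine_hits="1" the file will be moved to
# the quarantine directory, which is the expected result.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    file=$(write_eicar "$dir")
    is_eicar "$file" && echo "wrote verified EICAR test file: $file"
    scan_dir_hits "$dir" && echo "maldet flagged $dir" || echo "no hit reported for $dir"
fi
```

Verifying size and hash first matters because an on-access scanner or a mail filter in the path can truncate or strip the file, and a scan that then reports no hit says nothing about maldet.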
To scan the /tmp folder for malicious files, run the following command.
root@noufserver:~# maldet -a /tmp
Here is the output.
root@noufserver:~# maldet -a /tmp
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(16224): {scan} signatures loaded: 17264 (14442 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(16224): {scan} building file list for /tmp, this might take awhile...
maldet(16224): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(16224): {scan} file list completed in 0s, found 96 files...
maldet(16224): {scan} scan of /tmp (96 files) in progress...
maldet(16224): {scan} 96/96 files scanned: 12 hits 0 cleaned
maldet(16224): {scan} scan completed on /tmp: files 96, malware hits 12, cleaned hits 0, time 17s
maldet(16224): {scan} scan report saved, to view run: maldet --report 220127-0714.16224
maldet(16224): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 220127-0714.16224
Once the scan is completed, view the report with maldet --report SCANID, using the scan ID printed on the last lines of the scan output (here 220127-0714.16224).
root@noufserver:~# maldet --report 220127-0714.16224
Here is the output.
HOST: noufserver
SCAN ID: 220127-0714.16224
STARTED: Jan 27 2022 07:14:56 +0000
COMPLETED: Jan 27 2022 07:15:13 +0000
ELAPSED: 17s [find: 0s]
PATH: /tmp
TOTAL FILES: 96
TOTAL HITS: 12
TOTAL CLEANED: 0
WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 220127-0714.16224
FILE HIT LIST:
{HEX}php.cmdshell.antichat.201 : /tmp/maldetect-1.6.4/files/sigs/rfxn.yara
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com.txt
{HEX}EICAR.TEST.3 : /tmp/eicarcom2.zip
{HEX}php.cmdshell.antichat.201 : /tmp/maldetect-1.6.4/files/sigs/rfxn.yara
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com.txt
{HEX}EICAR.TEST.3 : /tmp/eicarcom2.zip
===============================================
Linux Malware Detect v1.6.4 < [email protected] >
Two things in this report deserve a look. Each hit appears twice in the list, which is why the count is 12 for six files. And the two hits under /tmp/maldetect-1.6.4/files/ are LMD's own signature and cleaner files matching their own patterns, not an infection; delete the extracted source tree after installation so they do not show up in every scan of /tmp. With quarantine_hits="1" in conf.maldet, hits are moved to /usr/local/maldetect/quarantine/ as they are found. For a scan that ran while quarantine was still disabled, as this one did, quarantine its hits afterwards with maldet -q SCANID. The output looks like this.
root@noufserver:~# maldet -q 220127-0714.16224
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(18389): {quar} malware quarantined from '/tmp/maldetect-1.6.4/files/sigs/rfxn.yara' to '/usr/local/maldetect/quarantine/rfxn.yara.283112035'
maldet(18389): {quar} malware quarantined from '/tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed' to '/usr/local/maldetect/quarantine/gzbase64.inject.unclassed.3214322411'
maldet(18389): {quar} malware quarantined from '/tmp/eicar_com.zip' to '/usr/local/maldetect/quarantine/eicar_com.zip.357324939'
maldet(18389): {quar} malware quarantined from '/tmp/eicar.com' to '/usr/local/maldetect/quarantine/eicar.com.1660021592'
maldet(18389): {quar} malware quarantined from '/tmp/eicar.com.txt' to '/usr/local/maldetect/quarantine/eicar.com.txt.2853016306'
maldet(18389): {quar} malware quarantined from '/tmp/eicarcom2.zip' to '/usr/local/maldetect/quarantine/eicarcom2.zip.2220119630'
If the directory is large, run the scan in the background so it does not tie up the session. For example, to scan /tmp in the background, use the following command.
root@noufserver:~# maldet -b -a /tmp
Here is the output.
root@noufserver:~# maldet -b -a /tmp
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(18831): {scan} launching scan of /tmp to background, see /usr/local/maldetect/logs/event_log for progress
To check the status of the background maldet scan, view the log file /usr/local/maldetect/logs/event_log by using the following command.
root@noufserver:~# tail -f /usr/local/maldetect/logs/event_log
Here is the output.
root@noufserver:~# tail -f /usr/local/maldetect/logs/event_log
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} launching scan of /tmp to background, see /usr/local/maldetect/logs/event_log for progress
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} signatures loaded: 17264 (14442 MD5 | 2039 HEX | 783 YARA | 0 USER)
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} building file list for /tmp, this might take awhile...
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} executed eval /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/find "/tmp" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f -size +24c -size -6947618c -not -perm 000
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} file list completed in 0s, found 84 files...
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} no $mail or $sendmail binaries found, e-mail alerts disabled.
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} scan of /tmp (84 files) in progress...
Jan 27 07:32:33 ip-172-31-15-18 maldet(18831): {scan} scan completed on /tmp: files 84, malware hits 0, cleaned hits 0, time 16s
Jan 27 07:32:33 ip-172-31-15-18 maldet(18831): {scan} scan report saved, to view run: maldet --report 220127-0732.18831
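For use from cron or a deployment pipeline, the interesting parts of the output above are the scan ID, the hit count and the list of files actually hit. The helpers below pull those out of the text maldet prints (the same lines appear, with a timestamp and host prefix, in /usr/local/maldetect/logs/event_log for background scans), drop the expected self-hits under the extracted LMD source tree, and quarantine what remains. This is an added example, not code from the page or from LMD; the sample text it is exercised against is constructed from the scan and report shown above, and scan_and_quarantine assumes maldet is installed.

```shell
#!/bin/sh
# Added example: parse maldet's scan output and report for automation.
# Not part of LMD. The patterns match the lines shown in the tutorial above
# (foreground output and the event_log lines from a background scan).
set -e

# Scan ID from "... scan report saved, to view run: maldet --report ID".
scan_id() {         # usage: maldet -a PATH | scan_id
    sed -n 's/.*maldet --report \([0-9.-]*\).*/\1/p' | tail -n 1
}

# Hit count from "... scan completed on PATH: files N, malware hits N, ...".
hit_count() {       # usage: maldet -a PATH | hit_count
    sed -n 's/.*malware hits \([0-9]*\),.*/\1/p' | tail -n 1
}

# Unique "SIGNATURE : PATH" lines from a "maldet --report ID" text, minus
# anything under the extracted LMD source tree, whose signature and cleaner
# files match their own patterns (the rfxn.yara and gzbase64 hits above).
real_hits() {       # usage: maldet --report ID | real_hits [SRC_PREFIX]
    prefix="${1:-/tmp/maldetect-}"
    sed -n '/^FILE HIT LIST:/,/^=====/p' | grep ' : ' | sort -u \
        | grep -v " : $prefix" || true
}

# Scan PATH, print a one-line summary, quarantine every hit of that scan and
# return 1 so a cron job or pipeline step notices. Assumes maldet is on PATH.
scan_and_quarantine() {   # usage: scan_and_quarantine PATH
    out=$(maldet -a "$1" 2>&1) || true
    id=$(printf '%s\n' "$out" | scan_id)
    n=$(printf '%s\n' "$out" | hit_count)
    [ -n "$id" ] || { echo "no scan ID in maldet output:" "$out" >&2; return 2; }
    echo "scan $id of $1: ${n:-0} hits"
    if [ "${n:-0}" -gt 0 ]; then
        maldet --report "$id" | real_hits
        maldet -q "$id"
        return 1
    fi
    return 0
}

if [ "${1:-}" = "scan" ] && [ -n "${2:-}" ]; then
    scan_and_quarantine "$2"
fi
```

Invoked as scan /var/www from cron, a non-zero exit is what turns a quiet quarantine into a ticket; the real_hits filter keeps the LMD source tree from paging anyone, but it is a path prefix, so pass your own prefix if you extracted the archive somewhere other than /tmp.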
To clear logs, the quarantine queue, and session and temporary data from earlier scans, use the following command. Because -p also empties the quarantine queue, restore (maldet -s) anything you still need before running it.
root@noufserver:~# maldet -p
Here is the output.
root@noufserver:~# maldet -p
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(19989): {glob} logs and quarantine data cleared by user request (-p)
To confirm if the log data is removed or not, use the following command.
root@noufserver:~# maldet -l
Here is the output.
root@noufserver:~# maldet -l
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
Viewing last 50 lines from /usr/local/maldetect/logs/event_log:
Jan 27 07:35:51 noufserver maldet(19989): {glob} logs and quarantine data cleared by user request (-p)
Update the malware detection signatures with the following command.
root@noufserver:~# maldet -u
Here is the output.
root@noufserver:~# maldet -u
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(20133): {sigup} performing signature update check...
maldet(20133): {sigup} local signature set is version 20220122476998
maldet(20133): {sigup} latest signature set already installed
The -d option does not just report the version: it hashes the installed files, checks them against the project's server and installs a newer LMD release if one is available. The installed version itself is in the banner every maldet command prints.
root@noufserver:~# maldet -d
Here is the output.
root@noufserver:~# maldet -d
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(20239): {update} checking for available updates...
maldet(20239): {update} hashing install files and checking against server...
maldet(20239): {update} latest version already installed.
Linux Malware Detect removes known malware, but it does not close the hole the malware came through. Find and fix the weak password, vulnerable web application or exposed service that let the attacker in, or the same files will be back after the next scan; preventing the compromise through proper hardening matters more than any cleanup tool.
If you are looking for assistance to secure your site or server or purchase a server for your site, Liquid Web is the right choice for you. At Liquid Web, we offer Dedicated Server and Managed VPS Hosting options. In addition, our skilled team provides 24/7/365 support and monitoring services so that you can focus on your websites. Contact our team today to learn more.