Installing Linux Malware Detect (LMD) on CentOS, RHEL

Malware is known as malicious software. It can be any script, app or anything which is harmful for our system and data in any kinds.

Linux Malware detect (LMD) is a malware scanner for linux released under the gnu GPLv2 license, that is intended around the threats faced in hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that’s actively getting used in attacks and generates signatures for detection.

The threat landscape in shared hosted environments is unique from that of the standard AV products detection suite in that they are detecting primarily OS level trojans, rootkits and traditional file-infecting viruses but missing the ever increasing variety of malware on the user account level which serves as an attack platform.

Step 1: Download and Install LMD

First login to your server using SSH clients (Eg: Putty) and download the latest LMD source code using following commands.

# cd /opt
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Now extract the downloaded archive in current directory

# tar xfz maldetect-current.tar.gz

After extracting the archive, execute install.sh script provided in source, which will install LMD in your system.

# cd maldetect-1.4.2
# sh install.sh

Step 2: Configure LMD

LMD creates an configuration file /usr/local/maldetect/conf.maldet, where we can define the working of LMD and what action to take.

# vim /usr/local/maldetect/conf.maldet

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="MLD Scan Report from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="[email protected]"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0

# minimum userid that can be suspended
quar_susp_minuid=500

Step 3: Start Scanning Manually

At this stage you have successfully installed and configured LMD on your system. Lets run your first scan manually by executing following command.

# maldet --scan-all /var/www/html

The above command will scan all the files and directories under /var/www/html. It may take a long time to complete depending on your number of files. After completion of above command it will show you a command to see report like below

# maldet --report 060214-1946.24560

malware detect scan report for svr1.tecadmin.net:
SCAN ID: 060214-1946.24560
TIME: May  28 19:46:12 +0530
PATH: /var/www/html/
TOTAL FILES: 4441
TOTAL HITS: 0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.4.2 < [email protected] >

In my case the TOTAL HITS is 0, So LMD doesn’t detect any malware on system. But If it detects any malware on your system, Use one of following command to quarantine malwares

# maldet --quarantine SCANID
OR
# maldet --clean SCANID

SCANID can be found in report generated above.

Step 4: Setup Regular Scanning

During installation of LMD it already creates and crontab file to be execute on daily basis

# vi /etc/cron.daily/maldet

But if your system has large number of files and directories change scanning to weekly basis rather than daily.

References:
https://www.rfxn.com/projects/linux-malware-detect/