The threat landscape in shared hosted environments is unique from that of the standard AV products detection suite in that they are detecting primarily OS level trojans, rootkits and traditional file-infecting viruses but missing the ever increasing variety of malware on the user account level which serves as an attack platform.
Step 1: Download and Install LMD
First login to your server using SSH clients (Eg: Putty) and download the latest LMD source code using following commands.
# cd /opt # wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Now extract the downloaded archive in current directory
# tar xfz maldetect-current.tar.gz
After extracting the archive, execute install.sh script provided in source, which will install LMD in your system.
# cd maldetect-1.4.2 # sh install.sh
Step 2: Configure LMD
LMD creates an configuration file /usr/local/maldetect/conf.maldet, where we can define the working of LMD and what action to take.
# vim /usr/local/maldetect/conf.maldet
# [ EMAIL ALERTS ] ## # The default email alert toggle # [0 = disabled, 1 = enabled] email_alert=1 # The subject line for email alerts email_subj="MLD Scan Report from $(hostname)" # The destination addresses for email alerts # [ values are comma (,) spaced ] email_addr="[email protected]" # Ignore e-mail alerts for reports in which all hits have been cleaned. # This is ideal on very busy servers where cleaned hits can drown out # other more actionable reports. email_ignore_clean=0 ## # [ QUARANTINE OPTIONS ] ## # The default quarantine action for malware hits # [0 = alert only, 1 = move to quarantine & alert] quar_hits=1 # Try to clean string based malware injections # [NOTE: quar_hits=1 required] # [0 = disabled, 1 = clean] quar_clean=1 # The default suspend action for users wih hits # Cpanel suspend or set shell /bin/false on non-Cpanel # [NOTE: quar_hits=1 required] # [0 = disabled, 1 = suspend account] quar_susp=0 # minimum userid that can be suspended quar_susp_minuid=500
Step 3: Start Scanning Manually
At this stage you have successfully installed and configured LMD on your system. Lets run your first scan manually by executing following command.
# maldet --scan-all /var/www/html
The above command will scan all the files and directories under /var/www/html. It may take a long time to complete depending on your number of files. After completion of above command it will show you a command to see report like below
# maldet --report 060214-1946.24560
malware detect scan report for svr1.tecadmin.net: SCAN ID: 060214-1946.24560 TIME: May 28 19:46:12 +0530 PATH: /var/www/html/ TOTAL FILES: 4441 TOTAL HITS: 0 TOTAL CLEANED: 0 =============================================== Linux Malware Detect v1.4.2 < [email protected] >
In my case the TOTAL HITS is 0, So LMD doesn’t detect any malware on system. But If it detects any malware on your system, Use one of following command to quarantine malwares
# maldet --quarantine SCANID OR # maldet --clean SCANID
SCANID can be found in report generated above.
Step 4: Setup Regular Scanning
During installation of LMD it already creates and crontab file to be execute on daily basis
# vi /etc/cron.daily/maldet
But if your system has large number of files and directories change scanning to weekly basis rather than daily.