Linux Malware Detect (LMD), also known as Maldet, is a malware scanner for Linux released under the GNU GPLv2 license. Maldet is popular amongst sysadmins and website developers because it focuses on detecting PHP backdoors, dark mailers, and the many other malicious files that get uploaded to compromised websites. Its signatures are generated from threat data gathered at network-edge intrusion detection systems, so they cover malware that is actively being used in attacks.
In the following tutorial, you will learn how to install and use Maldet on Ubuntu 20.04 LTS. The same steps work on the newer Ubuntu 21.04 (Hirsute Hippo).
Prerequisites
- Recommended OS: Ubuntu 20.04 – optional (Ubuntu 21.04 and Linux Mint 20)
- User account: A user account with sudo or root access.
- Required Packages: wget
First, check and update your Ubuntu 20.04 operating system with the following command:
sudo apt update && sudo apt upgrade -y
Install the (wget) package if you do not already have it on your Ubuntu system:
sudo apt install wget -y
Note for novice users: if you are unsure whether wget is installed, run the command anyway.
To install Maldet, you need the package archive from the official download page. The maldetect-current.tar.gz link always points to the latest release, so the download URL does not change when new versions are published.
At the time of this tutorial, version (1.6.4) is the latest; this will change over time. To download the latest version, now and in the future, type the following command:
cd /tmp/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Next, extract the archive with the following command:
tar xfz maldetect-current.tar.gz
It is a good idea to check at this point that everything has been extracted, which you can do with the (ls) command:
ls
Once you have confirmed the archive extracted correctly, (cd) into the new directory and run the installation script to install Maldet:
cd maldetect-1.6.4 && ./install.sh
The installation should complete in a matter of seconds, with output similar to the example below:
Now that the installation script has finished, you can modify the configuration file with your preferred text editor. Below are some popular settings and practices, edited here with the (nano) text editor.
First, open the (conf.maldet) file:
sudo nano /usr/local/maldetect/conf.maldet
Next, find the following lines and edit them as below (in the original, the email_alert and email_addr settings appeared twice; only one assignment of each is kept here, since a later assignment silently overrides an earlier one):
# To enable the email notification.
email_alert="1"
# Specify the email address on which you want to receive an email notification.
email_addr="email@example.com"
# Enable the LMD signature autoupdate.
autoupdate_signatures="1"
# Enable the automatic updates of the LMD installation.
autoupdate_version="1"
# Enable the daily automatic scanning.
cron_daily_scan="1"
# Allows non-root users to perform scans.
scan_user_access="1"
# Move hits to quarantine & alert.
quarantine_hits="1"
# Clean string based malware injections.
quarantine_clean="0"
# Suspend user if malware found.
quarantine_suspend_user="1"
# Minimum userid value that can be suspended.
quarantine_suspend_user_minuid="500"
# Use with ClamAV.
scan_clamscan="1"
# Scan root-owned files. Set 1 to ignore them.
scan_ignore_root="0"
Note that all settings here are optional; there are no right or wrong answers, so set them to suit your environment.
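Because conf.maldet is a shell-style file in which the last assignment of a key wins, a duplicated email_addr or quarantine_hits line can silently override the value you intended. The following helper, added here as an example (it is not part of the tutorial or of the LMD project; the function names, the constructed sample config and the use of grep/sed/awk from coreutils are assumptions), prints the effective value of every setting, flags keys assigned more than once, and lets you assert a setting before relying on it:

```shell
#!/bin/sh
# Added example (not from the tutorial or the LMD project): audit a
# conf.maldet-style file. The last assignment of a key wins when the file is
# sourced, so an earlier email_addr would be silently overridden.

# Print "key=value" for every assignment, last definition winning,
# in order of first appearance. Usage: effective_conf /usr/local/maldetect/conf.maldet
effective_conf() {
    grep -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" \
      | sed -E 's/^[[:space:]]*//; s/^([A-Za-z0-9_]+)="?([^"]*)"?.*$/\1=\2/' \
      | awk -F= '{ v[$1]=$2; if (!($1 in seen)) { seen[$1]=1; order[++n]=$1 } }
                 END { for (i = 1; i <= n; i++) print order[i] "=" v[order[i]] }'
}

# List keys that are assigned more than once (one per line, sorted).
duplicate_keys() {
    grep -oE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" \
      | tr -d ' \t=' | sort | uniq -d
}

# Return 0 if KEY's effective value equals EXPECTED. Usage: check_setting FILE KEY EXPECTED
check_setting() {
    actual=$(effective_conf "$1" | awk -F= -v k="$2" '$1 == k { print $2 }')
    [ "$actual" = "$3" ]
}

# Human-readable summary: effective settings plus a warning for duplicates.
report_conf() {
    echo "Effective settings in $1:"
    effective_conf "$1"
    dups=$(duplicate_keys "$1")
    if [ -n "$dups" ]; then
        echo "WARNING: keys assigned more than once (last assignment wins):"
        echo "$dups"
    fi
}

# Constructed sample: the tutorial's settings with the duplicated
# email_alert/email_addr pair, written to a temp file whose path is printed.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# To enable the email notification.
email_alert="1"
email_addr="email@example.com"
autoupdate_signatures="1"
autoupdate_version="1"
cron_daily_scan="1"
scan_user_access="1"
quarantine_hits="1"
quarantine_clean="0"
quarantine_suspend_user="1"
quarantine_suspend_user_minuid="500"
email_alert="1"
email_addr="firstname.lastname@example.org"
scan_clamscan="1"
scan_ignore_root="0"
EOF
    echo "$f"
}

# Stand-alone use: sh check_conf.sh /usr/local/maldetect/conf.maldet
# With no argument nothing runs, so the functions can be sourced or tested.
case "${1:-}" in
    "") ;;
    *) report_conf "$1" ;;
esac
```

Run it against the real file after editing; if the duplicate warning lists email_addr, the reports will go to whichever address appears last in the file, not the first one you set.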
First, run the following command to create the correct paths for the logged-in user; without this step, updates may fail.
sudo /usr/local/sbin/maldet --mkpubpaths
To update the Maldet virus definitions database, execute the following command:
sudo maldet -u
Second, to check for newer versions of the Maldet software itself, type the following command:
sudo maldet -d
Optional – Install ClamAV
One of the best parts of using Maldet is its compatibility with ClamAV, which greatly increases Maldet's scanning capability.
To install ClamAV, execute the following command:
sudo apt install clamav clamav-daemon clamdscan -y
See our guide on installing and using ClamAV on Ubuntu 20.04 for full setup instructions.
Scanning with Maldet – Examples
First, get familiar with the Maldet syntax. Every command starts with maldet, followed by an option and a directory path: maldet [OPTION] [DIRECTORY PATH].
The options you will use most often are listed below:
- -b : Execute operations in the background.
- -u : Update malware detection signatures.
- -l : View maldet log file events.
- -d : Update the installed version.
- -a : Scan all files in the path.
- -p : Clear logs, session and temporary data.
- -q : Quarantine all malware from the report.
- -n : Clean & restore malware hits from the report.
To confirm that Maldet is working correctly, download the EICAR test files (harmless files that anti-malware scanners recognise as a test signature) from the EICAR website:
cd /tmp
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip
Next, run the (maldet) command to scan the (tmp) directory:
maldet -a /tmp
With the test files in place, you will get output similar to the example below:
We have configured our installation not to quarantine automatically, because false positives do occur and removing files on a live server can cause more problems than it solves. A good sysadmin always reviews the scan results.
You can also see from the output that ClamAV is installed on our test server, that Maldet is using the ClamAV scanner engine to perform the scan, and that it succeeded in finding the malware hits.
You can also target specific file extensions on your server; PHP files are a frequent target of attacks. To scan only .php files, use the following:
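If the server has no outbound internet access, the EICAR test file can be created locally instead of downloaded, since the test string itself is public and inert. The following script is an added example, not code from the tutorial or from the LMD project; the function names, the temporary directory and the use of md5sum and wc from coreutils are assumptions. It writes the test file, verifies it is the standard 68-byte file, and runs maldet -a over the directory only when maldet is actually installed:

```shell
#!/bin/sh
# Added example (not from the tutorial or the LMD project): create the EICAR
# test file offline, verify it, and scan it with maldet if the tool is present.
# The EICAR string is the public anti-malware test string; it is not malware
# and only exercises scanner signature matching.

# MD5 of the standard 68-byte EICAR test file.
EICAR_MD5="44d88612fea8a8f36de82e1278abb02f"

# Write eicar.com into DIR (created if needed) and print the file path.
make_eicar() {
    dir="$1"
    mkdir -p "$dir"
    # printf '%s' writes the argument verbatim, so '$' and '\' are not interpreted
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$dir/eicar.com"
    echo "$dir/eicar.com"
}

# Return 0 if FILE is the genuine EICAR test file (correct size and MD5).
eicar_ok() {
    size=$(wc -c < "$1" | tr -d ' ')
    sum=$(md5sum "$1" | cut -d' ' -f1)
    [ "$size" -eq 68 ] && [ "$sum" = "$EICAR_MD5" ]
}

# Scan DIR with maldet. Returns maldet's own status, or 2 if maldet is not installed,
# so a missing scanner is reported rather than mistaken for a clean scan.
scan_with_maldet() {
    if ! command -v maldet >/dev/null 2>&1; then
        echo "maldet not installed; skipping scan of $1" >&2
        return 2
    fi
    maldet -a "$1"
}

# Stand-alone use: sh eicar_test.sh /tmp/maldet-test
# With no argument nothing runs, so the functions can be sourced or tested.
if [ -n "${1:-}" ]; then
    f=$(make_eicar "$1")
    eicar_ok "$f" && echo "EICAR test file written: $f"
    scan_with_maldet "$1"
fi
```

After the scan, check the report for a hit on the eicar.com path; a scan that finishes with no hit on this file means the signatures are missing or out of date, so run the -u update before trusting results on real content.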
maldet -a /var/www/html/*.php
This is ideal for larger websites or servers with many files; smaller servers can simply scan the entire directory.
Maldet Scan Reports
Maldet stores the scan reports under the directory (/usr/local/maldetect/sess/). Use the following command together with the (Scan ID) to view a detailed report:
sudo maldet --report 210724-0528.4723
The report opens in a text editor (nano), similar to the example below:
As you can see, the full report lists the hits and the details of each file for further review and investigation. The report file is already saved; press (CTRL+X) to exit once you are done.
Comments and Conclusion
In this tutorial, you have learned how to install Maldet on Ubuntu 20.04 and use its basic commands on a web server to scan for infected files. Overall, the software is an effective means of finding and cleaning infections. However, securing the compromised user or website is still necessary to avoid re-infection and should come before running Maldet, as good security practices and configuration will nearly always prevent infections from occurring in the first place.
If you would like to know more about Maldet commands, visit the official documentation page.