Linux Malware Detect (LMD), also known as Maldet, is a malware scanner for Linux released under the GNU GPLv2 license. It is popular amongst sysadmins and website developers because it focuses on the kinds of files that get uploaded to a compromised website: PHP backdoors, dark mailers and similar web malware. Its signatures are built from threat data gathered at network-edge intrusion detection systems, so they target malware that is actively being used in attacks rather than a generic catalogue of samples.
In this tutorial, you will learn how to install and use Maldet on Fedora 34.
Prerequisites
- Recommended OS: Fedora Linux 34 (Newer versions will work also)
- User account: A user account with sudo or root access.
Updating Operating System
Update your Fedora system so that all installed packages are current. On Fedora, dnf update is simply an alias for dnf upgrade, so one command is enough:
sudo dnf upgrade --refresh -y
To install Maldet, you need the release archive from the official download page. The server always serves the current release under the same maldetect-current.tar.gz name, so the link below keeps working after upgrades.
At the time of writing, version 1.6.4 is the latest; that will change over time, but the command below always fetches whatever is current. The archive contains an install script that you will run as root, so fetch it over HTTPS (the same path is served on both schemes) rather than plain HTTP, so that it cannot be altered in transit:
cd /tmp/ && wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
Next, extract the archive:
tar xfz maldetect-current.tar.gz
The archive extracts to a directory named after the release (maldetect-1.6.4 at the time of writing; check with ls -d maldetect-* if you downloaded a newer version). Change into it and run the installation script as root:
cd maldetect-1.6.4 && sudo ./install.sh
The installation completes in a matter of seconds and ends with a summary of where LMD was installed (/usr/local/maldetect, with the maldet command linked into /usr/local/sbin) and which features were enabled.
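The same download-and-install procedure, as an added shell example that is not the tutorial's or the LMD project's own code. It fetches the archive over HTTPS only, unpacks it into a scratch directory, and finds install.sh without hard-coding the version in the directory name, refusing to continue if the archive does not look like an LMD release. The download URL is the one from this tutorial; the demo at the bottom runs offline on a constructed archive that mimics the real maldetect-<version>/install.sh layout, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not the tutorial's or LMD's own code: fetch the current LMD
# release over HTTPS, unpack it into a scratch directory, and locate install.sh
# without hard-coding the version number in the directory name.
set -eu

LMD_URL='https://www.rfxn.com/downloads/maldetect-current.tar.gz'

# lmd_fetch DEST_DIR - download the archive and print its path (needs network)
lmd_fetch() {
  local archive="$1/maldetect-current.tar.gz"
  # --https-only refuses a downgrade to plain http through a redirect
  wget -q --https-only -O "$archive" "$LMD_URL"
  echo "$archive"
}

# lmd_unpack ARCHIVE DEST_DIR - extract and print the path of install.sh,
# failing unless the archive holds exactly one maldetect-* directory with it
lmd_unpack() {
  local archive=$1 dest=$2 dirs
  tar -xzf "$archive" -C "$dest"
  dirs=$(find "$dest" -mindepth 1 -maxdepth 1 -type d -name 'maldetect-*')
  if [ "$(printf '%s\n' "$dirs" | grep -c .)" -ne 1 ]; then
    echo "lmd_unpack: expected one maldetect-* directory, got: ${dirs:-none}" >&2
    return 1
  fi
  if [ ! -f "$dirs/install.sh" ]; then
    echo "lmd_unpack: $dirs has no install.sh" >&2
    return 1
  fi
  echo "$dirs/install.sh"
}

# lmd_version INSTALL_SH - release version taken from the directory name
lmd_version() {
  basename "$(dirname "$1")" | sed 's/^maldetect-//'
}

# Offline demo on a constructed archive (stand-in for the real download).
scratch=$(mktemp -d)
mkdir -p "$scratch/src/maldetect-1.6.4" "$scratch/out"
printf '#!/bin/sh\necho "constructed stand-in for install.sh"\n' \
  > "$scratch/src/maldetect-1.6.4/install.sh"
tar -czf "$scratch/maldetect-current.tar.gz" -C "$scratch/src" maldetect-1.6.4
installer=$(lmd_unpack "$scratch/maldetect-current.tar.gz" "$scratch/out")
echo "found installer for LMD $(lmd_version "$installer"): $installer"

# For a real install, replace the constructed archive with a download and run
# the script as root once you have looked at it:
#   installer=$(lmd_unpack "$(lmd_fetch "$scratch")" "$scratch/out") && sudo "$installer"
```

Unpacking into a scratch directory first, rather than straight into /tmp next to whatever else is there, is what lets the script assert that exactly one release directory came out of the archive; that check is the point at which a truncated or unexpected download is caught, before anything runs as root.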
Now that the installation script has finished, you can adjust the configuration file with your preferred text editor. Below are some commonly changed settings, edited here with nano.
First, open the conf.maldet file:
sudo nano /usr/local/maldetect/conf.maldet
Next, find the following options and set them as shown (each option is a key="value" line; keep the quotes):
# Enable e-mail alerts and set the address that receives scan reports
email_alert="1"
email_addr="firstname.lastname@example.org"
# Keep the LMD signatures up to date (checked daily by cron)
autoupdate_signatures="1"
# Let LMD replace its own installation unattended (set 0 if you prefer to run maldet -d yourself)
autoupdate_version="1"
# Run the daily scan from cron
cron_daily_scan="1"
# Allow non-root users to run scans (only needed if they should be able to)
scan_user_access="1"
# Move hits to quarantine automatically; left at 0 here so hits are only reported
quarantine_hits="0"
# Try to clean string-based malware injections (requires quarantine_hits="1")
quarantine_clean="0"
# Suspend the owning user account when malware is found (requires quarantine_hits="1")
quarantine_suspend_user="1"
# Lowest UID that may be suspended, so system accounts are never touched
quarantine_suspend_user_minuid="500"
# Use the ClamAV engine when clamscan is installed (see the optional ClamAV section below)
scan_clamscan="1"
# Scan root-owned files too (set 1 to skip them)
scan_ignore_root="0"
All of these are optional and depend on your environment; there is no single right answer. Two of them deserve thought before you turn them on. quarantine_hits moves a detected file out of the web root the moment it is flagged, so a false positive takes part of a live site down, and combined with quarantine_suspend_user it locks the owning account out as well. autoupdate_version replaces the LMD installation unattended from the upstream download server, which is convenient but means code you have not reviewed runs as root. Start with report-only scans (quarantine_hits="0") until you trust the results on your own content.
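The same edits done non-interactively, as an added shell example rather than anything from the tutorial or the LMD project. Editing conf.maldet with sed from a provisioning script is common, and the usual failure is a misspelled key that silently changes nothing; the helper below refuses keys that are not already present, reads values back, and flags the quarantine-plus-suspend combination discussed above. The function names are my own, and the demo runs on a constructed excerpt of the file in a temporary location instead of /usr/local/maldetect/conf.maldet.

```shell
#!/usr/bin/env bash
# Added example, not part of LMD: set and read key="value" options in
# conf.maldet non-interactively, refusing keys that do not exist in the file.
set -eu

# lmd_set FILE KEY VALUE - rewrite the line KEY="..." in FILE (idempotent)
lmd_set() {
  local file=$1 key=$2 value=$3
  # A typo in KEY would otherwise change nothing and leave you believing the
  # option was enabled, so unknown keys are an error.
  if ! grep -qE "^${key}=" "$file"; then
    echo "lmd_set: '${key}' is not an option in ${file}" >&2
    return 1
  fi
  sed -i -E "s|^(${key})=.*|\1=\"${value}\"|" "$file"
}

# lmd_get FILE KEY - print the value of KEY without its quotes
lmd_get() {
  sed -nE "s/^${2}=\"?([^\"]*)\"?.*$/\1/p" "$1"
}

# lmd_check FILE - print the number of risky combinations, describing each on stderr
lmd_check() {
  local file=$1 warnings=0
  if [ "$(lmd_get "$file" quarantine_hits)" = 1 ] && \
     [ "$(lmd_get "$file" quarantine_suspend_user)" = 1 ]; then
    echo "warning: quarantine_hits and quarantine_suspend_user are both on; a false positive suspends the account" >&2
    warnings=$((warnings + 1))
  fi
  if [ "$(lmd_get "$file" email_alert)" = 1 ] && [ -z "$(lmd_get "$file" email_addr)" ]; then
    echo "warning: email_alert is on but email_addr is empty; reports go nowhere" >&2
    warnings=$((warnings + 1))
  fi
  echo "$warnings"
}

# Constructed excerpt standing in for /usr/local/maldetect/conf.maldet;
# it uses the same key="value" layout as the real file.
conf=$(mktemp)
cat > "$conf" <<'EOF'
email_alert="0"
email_addr=""
quarantine_hits="0"
quarantine_suspend_user="0"
scan_clamscan="0"
EOF

lmd_set "$conf" email_alert 1
lmd_set "$conf" email_addr admin@example.org
lmd_set "$conf" scan_clamscan 1
lmd_set "$conf" quarantine_hits 1
lmd_set "$conf" quarantine_suspend_user 1
echo "risky combinations found: $(lmd_check "$conf")"
```

Point lmd_set at /usr/local/maldetect/conf.maldet to use it on the real file; running lmd_check afterwards costs nothing and catches the two combinations that most often surprise people on a live server.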
Update Maldet Virus Definitions & Software
To update the Maldet virus definitions database, execute the following command:
sudo maldet -u
Then, to check for and install a newer LMD release (this downloads the new version and installs it as root, which is the same operation autoupdate_version performs from cron):
sudo maldet -d
Optional – Install ClamAV
One of the best parts of Maldet is its ClamAV integration: when the clamscan binary is installed, LMD uses the ClamAV engine for file scanning, which is considerably faster on large file sets and adds ClamAV's signature set on top of LMD's own.
On Fedora the scanner and the signature updater are separate packages: clamav provides clamscan and clamav-update provides freshclam together with its systemd units (clamav-devel is only needed to build software against libclamav, so it is left out here):
sudo dnf install clamav clamav-update -y
Next, enable and start the freshclam service so that the ClamAV signatures are refreshed automatically:
sudo systemctl enable clamav-freshclam && sudo systemctl start clamav-freshclam
Lastly, fetch the signatures once now with the freshclam command. The service does this on a schedule, and a manual run may refuse to start while the service holds the log lock; in that case let the service finish and check journalctl -u clamav-freshclam instead:
sudo freshclam
A successful run ends with output similar to this:
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 333)
Time: 0.4s, ETA: 0.0s [========================>] 286.79KiB/286.79KiB
Testing database: '/var/lib/clamav/tmp.c736fe0d50/clamav-c52c6549b6ff30a71e65db0c5647f2de.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Scanning with Maldet – Examples
First, get familiar with the Maldet syntax. Every command starts with maldet, followed by an option and, where the option needs one, a directory path or scan ID: maldet [OPTION] [DIRECTORY PATH | SCANID].
The options used in this tutorial, plus the ones you will want alongside them, are:
- -b : Execute operations in the background.
- -u : Update the malware detection signatures.
- -l : View the maldet log file events.
- -d : Update the installed LMD version.
- -a : Scan all files in the given path.
- -r : Scan only files in the given path modified within the given number of days (for example maldet -r /var/www/html 7).
- -e : View the scan report for the given scan ID.
- -p : Clear logs, session and temporary data.
- -q : Quarantine all malware hits from the report with the given scan ID.
- -n : Clean and restore malware hits from the report with the given scan ID.
- -s : Restore a file, or all files of a scan ID, from quarantine to their original path.
To check that Maldet is working, download the EICAR test files from the EICAR website. These are harmless files that every scanner is expected to detect, not real malware, so they are safe to place on a server. If the paths below no longer resolve, EICAR serves the same files from https://secure.eicar.org/.
cd /tmp
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip
Next, run maldet against the /tmp directory, where the test files now sit:
sudo maldet -a /tmp
With the test files in place, the scan reports them as hits and prints a summary with the scan ID.
Notice that the hits were only reported, not quarantined: quarantine_hits was left at "0" in our configuration. False positives happen, and removing files from a live server can cause more trouble than the original problem, so a careful sysadmin or site owner reviews the results and verifies each hit before acting on it.
The output also shows that ClamAV is installed on our test server: Maldet used the ClamAV scanner engine for the scan and found 16 malware hits.
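The same functional check without a download, as an added shell example that is not part of the tutorial or of LMD. It writes the EICAR test file from its published 68-byte string, verifies the result against the file's well-known SHA-256 (so you know the test file is the real one and was not mangled by an editor, shell quoting or an on-access scanner), and then runs a report-only maldet scan of the directory if maldet is installed. The function names are mine; the directory is a temporary one rather than /tmp so the scan output contains nothing but the test file.

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial or the LMD project: create the EICAR
# test file locally, verify it byte-for-byte, and scan the directory it is in.
set -eu

# The 68-byte EICAR test string, published by EICAR for exactly this purpose.
# Single quotes keep the $ and \ characters literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# SHA-256 of the canonical 68-byte file (no trailing newline).
EICAR_SHA256='275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'

# write_eicar DIR - write DIR/eicar.com and print its path
write_eicar() {
  local out="$1/eicar.com"
  # printf '%s' writes the string verbatim: no escape processing, no newline
  printf '%s' "$EICAR" > "$out"
  echo "$out"
}

# eicar_ok FILE - succeed only if FILE is exactly the EICAR test file
eicar_ok() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$EICAR_SHA256" ]
}

# scan_dir DIR - run a report-only maldet scan when maldet is available
scan_dir() {
  if command -v maldet >/dev/null 2>&1; then
    sudo maldet -a "$1"
  else
    echo "maldet not installed; skipping scan of $1" >&2
  fi
}

workdir=$(mktemp -d)
testfile=$(write_eicar "$workdir")
if eicar_ok "$testfile"; then
  echo "EICAR test file written: $testfile ($(wc -c < "$testfile") bytes)"
else
  echo "hash mismatch: the file was altered (editor, shell quoting, or an on-access scanner)" >&2
  exit 1
fi
scan_dir "$workdir"
```

If the scan reports no hit on a file that passed the hash check, the scanner, not the test file, is what needs attention: check that the signatures were updated (maldet -u) and, if you rely on the ClamAV engine, that clamscan is on the path.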
You can also narrow a scan to particular file types. PHP files are the usual target of web attacks, so a PHP-only scan of the web root looks like this:
sudo maldet -a /var/www/html/*.php
Note that the unquoted glob is expanded by your shell before maldet runs, so it is only reliable for a modest number of files; LMD's own documented wildcard is the ? pattern (for example /home/?/public_html), and for a big site the -r option (files modified in the last N days) is usually the better way to keep scans short. A scan of the whole directory (sudo maldet -a /var/www/html) is the simplest choice for smaller servers.
Maldet Scan Reports
Maldet stores scan reports under /usr/local/maldetect/sess/. The scan ID is printed at the end of every scan and recorded in the log (maldet -l). To read the full report for a scan, pass the ID to the -e (--report) option. Be careful not to use -q here: with the same scan ID, -q quarantines every hit in that report instead of displaying it.
sudo maldet -e 210920-0904.6208
The report is printed in your terminal, listing the scan details and, for each hit, the signature matched and the file it was found in.
From here you can decide per file: quarantine the confirmed hits (maldet -q SCANID for all of them), restore anything quarantined by mistake (maldet -s), add known-good paths or signatures to the ignore_paths and ignore_sigs files in /usr/local/maldetect/ so they stop showing up, or investigate further how the file got there.
Comments and Conclusion
In this tutorial, you have learned how to install Maldet on Fedora and use its basic scanning on a web server. Maldet is effective at finding and quarantining web malware, but it treats symptoms: unless the compromised account or website is secured as well, the next scan will find the same files again. Closing the entry point should come first and the scanner should be the safety net, because sound configuration and security hygiene prevent most infections from happening at all.
If you would like to know more about Maldet commands, visit the official documentation page.