Linux Malware Detect (LMD), also known as Maldet, is a malware scanner for Linux released under the GNU GPLv2 license. Maldet is quite popular amongst sysadmins and website devs due to its focus on the detection of PHP backdoors, dark mailers, and many other malicious files that can be uploaded on a compromised website using threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.
In the following tutorial, you will learn how to install and use Maldet on Rocky Linux 8.
Prerequisites
- Recommended OS: Rocky Linux 8.+.
- User account: A user account with sudo or root access.
Update Operating System
Update your Rocky Linux operating system to make sure all existing packages are up to date:
sudo dnf upgrade --refresh -y
The tutorial will be using the sudo command and assuming you have sudo status.
To verify sudo status on your account, run:
sudo whoami
Example output showing sudo status:
[joshua@rockylinux ~]$ sudo whoami
root
To set up an existing or new sudo account, visit our tutorial on How to Add a User to Sudoers on Rocky Linux.
To use the root account, use the following command with the root password to log in.
To install Maldet, you will need their package archive, which can be found on the official download page. Luckily, the download URL does not change when a new release is published, so the link below will keep working across upgrades.
At the time of this tutorial, version (1.6.4) is the latest; however, in time, this will change. To download the latest version now and in the future, type the following command:
cd /tmp/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Next, extract the archive with the following command:
tar xfz maldetect-current.tar.gz
Once the archive is extracted, change (cd) into the directory and execute the installation script to install Maldet with the following command:
cd maldetect-1.6.4 && ./install.sh
The installation should be complete in a matter of seconds, and you will get a similar output as below:
Now that you have successfully finished the installation script, you can modify the configuration file using your preferred text editor. Below are some examples of some popular settings and practices using (nano) text editor:
First, open the (conf.maldet) file:
sudo nano /usr/local/maldetect/conf.maldet
Next, find the following lines and edit them as below:
# Enable email notifications.
email_alert="1"
# Email address that receives scan reports and alerts.
email_addr="email@example.com"
# Enable LMD signature autoupdates.
autoupdate_signatures="1"
# Enable automatic updates of the LMD installation.
autoupdate_version="1"
# Enable the daily automatic scan.
cron_daily_scan="1"
# Allow non-root users to perform scans.
scan_user_access="1"
# Move hits to quarantine and alert.
quarantine_hits="1"
# Clean string-based malware injections.
quarantine_clean="0"
# Suspend the owning user if malware is found.
quarantine_suspend_user="1"
# Minimum user ID that can be suspended.
quarantine_suspend_user_minuid="500"
# Use the ClamAV engine when it is installed.
scan_clamscan="1"
# Scan root-owned files; set to 1 to skip them.
scan_ignore_root="0"
Note, all settings here are optional, and you can set your own as there are no right or wrong answers here.
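If you manage several servers, editing conf.maldet by hand does not scale and, as the listing above shows, it is easy to end up with a key assigned twice (the last assignment wins). The helper below is added example code, not part of LMD: maldet_set replaces every copy of a key with exactly one key="value" line, maldet_get reads it back, and demo_conf builds a constructed config fragment to exercise them.

```shell
#!/bin/sh
# Set options in conf.maldet non-interactively. conf.maldet uses key="value"
# lines; when a key appears more than once the last assignment wins, so the
# helper removes every existing copy and writes exactly one. The config
# fragment in demo_conf is constructed for this demo. Added helper, not LMD code.
set -eu

maldet_set() {
    # usage: maldet_set <conf-file> <key> <value>
    conf=$1; key=$2; val=$3
    # keys are fixed option names, never user input: they are used in a regex
    grep -v "^${key}=" "$conf" > "${conf}.tmp" || true
    mv "${conf}.tmp" "$conf"
    printf '%s="%s"\n' "$key" "$val" >> "$conf"
}

maldet_get() {
    # usage: maldet_get <conf-file> <key>  (prints the last value, unquoted)
    grep "^${2}=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

demo_conf() {
    # constructed fragment that repeats email_alert, as the tutorial's listing does
    f=$(mktemp)
    cat > "$f" <<'EOF'
# comment lines and unrelated keys are preserved
email_alert="0"
email_addr="old@example.com"
scan_user_access="0"
email_alert="1"
EOF
    maldet_set "$f" email_alert 1
    maldet_set "$f" scan_user_access 1
    maldet_set "$f" quarantine_hits 1
    printf '%s\n' "$f"
}
```

On a real system point maldet_set at /usr/local/maldetect/conf.maldet (as root) and diff the file before and after so the change is reviewed like any other config change.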
Update Maldet Virus Definitions & Software
Firstly, make sure scan_user_access="1" is set in the configuration file mentioned previously before continuing.
Next, run the following command to create the correct paths for the logged-in user; you may have issues updating without doing this.
sudo /usr/local/sbin/maldet --mkpubpaths
If you skip this step, you will get the following error:
public scanning is enabled (scan_user_access=1) but paths do not exist, please contact your system administrator to run '/usr/local/sbin/maldet --mkpubpaths' or wait for cron.pub to execute in ~10 minutes.
To update the Maldet virus definitions database, execute the following command:
sudo maldet -u
Secondly, to check for newer versions of the existing software, type the following command:
sudo maldet -d
Optional – Install ClamAV
One of the best parts about using Maldet is its compatibility with ClamAV, which can increase the scanning capability of Maldet by a lot.
First, install the EPEL repository to install the latest ClamAV version available along with its dependencies:
sudo dnf install epel-release
To install ClamAV, you can do so by executing the following command:
sudo dnf install clamav clamav-devel -y
Please see our guide on installing and using ClamAV For Rocky Linux 8 or a complete guide on setting up ClamAV.
Scanning with Maldet – Examples
Firstly, you should get familiar with the Maldet syntax. All commands start with maldet then are followed by option and directory path, for example, maldet [OPTION] [DIRECTORY PATH].
Below covers most of the syntax examples with Maldet:
- -b : Execute operations in the background.
- -u : Update malware detection signatures.
- -l : View maldet log file events.
- -d : Update the installed version.
- -a : Scan all files in the path.
- -p : Clear logs, session and temporary data.
- -q : Quarantine all malware from the report.
- -n : Clean & restore malware hits from the report.
To test out Maldet and make sure it is working correctly, you can test the functionality of LMD by downloading a (sample virus signature) from the EICAR website.
cd /tmp
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip
Next, you will execute the (maldet) command to scan the (tmp) directory as follows:
maldet -a /tmp
Now, with our infected files, you will get a similar output as below:
As you may have noticed, our configuration in this tutorial does not quarantine automatically. False positives happen, and removing files on a live server can cause more issues than it solves. A good sysadmin or server owner will keep checking the results and verify each hit before acting on it.
Also, from the output, you can see that in our test server, we have installed ClamAV and that Maldet is using the ClamAV scanner engine to perform the scan and succeeded in finding malware hits.
You can also target specific file extensions on your server; PHP files are often the target of many attacks. To scan only .php files, use the following:
maldet -a /var/www/html/*.php
This is ideal for larger websites or servers with lots of files to scan, and smaller servers would benefit from scanning the entire directory.
Maldet Scan Reports
Maldet stores the scan reports under the directory location (/usr/local/maldetect/sess/). You can use the following command along with the (Scan ID) to see a detailed report as follows:
maldet --report 210911-0929.26646
Next, you will be taken to a pop-up report in a text editor (nano) as the example below:
As you can see, the full report lists every hit and the details surrounding each file for further review and investigation.
The report file is already saved; press (CTRL+X) to exit once you are done reviewing.
Optionally, if you want to quickly quarantine the infected files from a report afterward, run the following command with the scan ID:
maldet -q "scan ID"
maldet -q 210911-0929.26646
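Before quarantining a whole report with maldet -q, it helps to pull the hit list out of the session report and check the path and signature of each hit, as the tutorial advises. The script below is an added helper, not part of LMD or this tutorial: the report text is a constructed sample in the layout assumed for LMD 1.6.x session reports, so adjust the patterns if your version prints the report differently.

```shell
#!/bin/sh
# Parse a Maldet session report (the text shown by `maldet --report <scan id>`)
# and list each hit as "signature<TAB>path" for manual review. Added helper
# code, not LMD's own; the report below is a constructed sample.
set -eu

sample_report() {
    cat <<'EOF'
HOST:      rockylinux
SCAN ID:   210911-0929.26646
STARTED:   Sep 11 2021 09:29:50 +0000
COMPLETED: Sep 11 2021 09:29:53 +0000
ELAPSED:   3s [find: 0s]

PATH:          /tmp
TOTAL FILES:   14
TOTAL HITS:    2
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
{HEX}EICAR.TEST.3 : /tmp/eicarcom2.zip
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >
EOF
}

report_scan_id()    { sed -n 's/^SCAN ID:[[:space:]]*//p' "$1"; }
report_total_hits() { sed -n 's/^TOTAL HITS:[[:space:]]*//p' "$1"; }

# Lines between "FILE HIT LIST:" and the "====" footer have the form
# "<signature> : <path>"; the split is on the last " : " so a path
# containing " : " would be mis-parsed (rare, but review such hits by hand).
report_hits() {
    awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        /^=+$/            { inlist = 0 }
        inlist && / : /   { sig = $0; sub(/ : .*$/, "", sig)
                            path = $0; sub(/^.* : /, "", path)
                            print sig "\t" path }
    ' "$1"
}

# A truncated report would show fewer hit lines than TOTAL HITS claims.
report_consistent() {
    [ "$(report_hits "$1" | wc -l | tr -d ' ')" -eq "$(report_total_hits "$1")" ]
}

demo_report() { f=$(mktemp); sample_report > "$f"; printf '%s\n' "$f"; }
```

On a live server feed it the real report instead of the sample (for example `maldet --report 210911-0929.26646 > /tmp/report.txt`, then `report_hits /tmp/report.txt`), and only run maldet -q once every listed path has been checked.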
Comments and Conclusion
In this tutorial, you have learned how to install Maldet on Rocky Linux 8 and use its basic commands on a web server to scan for infected files. Overall, the software is an effective means of finding and cleaning infections. However, securing the compromised user or website is still necessary to avoid re-infection and should come before running Maldet, as good security practices and configuration will nearly always prevent infections from occurring in the first place.
If you would like to know more about Maldet commands, visit the official documentation page.