It is so common nowadays that Shared hosting clients upload PHP / Javascript / Ajax scripts carelessly downloaded from somewhere containing malicious features or infected by third party script kiddie tools which replicate themselves after succesfully exploit some common PHP or Perl vulnerability. I'm sure even as time of writing this post probably millions of old un-updated Hosting Linux servers are silent Malware hives.
Therefore For Shared Hosting server servers it is useful to know about the existence of Maldetect – Linux Malware scanner also known under the name LMD.
Linux Maldetect – in what it does is very similar to Windows good Spyware Detect and Clean tool Malware Bytes. LMD uses Spyware definition database collected from network edge Intrusion detection systems who caught Web bugs commonly exploited as well as from custom user submissions of Malicious stuff. Maldetect's database can easily be exported and plays well together with ClamAV antivirus. LMD is very precious and is one of the must have outfits for hosting admins, as its use allows you to determine succesful cracking before system is rootkited and you have to audit for Backdoors or Rookit with rkhunter and chkroot
1. Install Linux MalDetect
LMD is young project so it does not still have a package deb and rpm package builds. Installation is done from source;
debian:~# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
debian:~# tar -xzf maldetect-current.tar.gz
debian:~# cd maldetect-*
debian:~# ./install.sh
Linux Malware Detect v1.4.1
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPLinstallation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldetmaldet(3143): {sigup} performing signature update check…
maldet(3143): {sigup} local signature set is version 201205035915
maldet(3143): {sigup} new signature set (2013060217799) available
maldet(3143): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(3143): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(3143): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(3143): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(3143): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(3143): {sigup} signature set update completed
maldet(3143): {sigup} 11509 signatures (9641 MD5 / 1868 HEX)
2. Maldetect configs and binaries
Config is default installed in – /usr/local/maldetect/conf.maldet
Main executed binary is placed in – /usr/local/maldetect/maldet
There is a cron skele file placed in /etc/cron.daily/maldet. Its useful to run maldet via cron to check all sites on server and get e-mail reports.
3. Keep maldet up2date
debian:~# maldet --update-ver
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(3511): {update} checking for available updates...
maldet(3511): {update} hashing install files and checking against server...
maldet(3511): {update} latest version already installed.
4. Update Maldetect definitions manually
Maldetect Malware definitions are designed to auto-update via cron. For people who don't like to waste CPU time and scrape on HDD with cronjob;
debian:~# maldet --update
5. Configure LMD
Tune according to your needs in config (/usr/local/maldetect/conf.maldet)
maxfilesize="768k"
email_alert=1
email_subj="Attention Malware found! Check your server!"
email_addr="hipo@www.pc-freak.net"
6. Scanning for Malware manually
debian:~# maldet -a /home,/var/www/blog,/sbin,/opt
....
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(21709): {scan} signatures loaded: 11509 (9641 MD5 / 1868 HEX)
maldet(21709): {scan} building file list for /var/www/blog, this might take awhile...
maldet(21709): {scan} file list completed, found 6814 files...
maldet(21709): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(21709): {scan} scan of /var/www/blog (6814 files) in progress...
maldet(21709): {scan} scan completed on /var/www/blog: files 6814, malware hits 0, cleaned hits 0
maldet(21709): {scan} scan report saved, to view run: maldet --report 062813-1012.21709
...
As you see from above output you can view Maldet report by issuing:
debian:~# maldet --report 062813-1012.21709
malware detect scan report for pcfreak:
SCAN ID: 070113-1223.7481
TIME: Jul 1 12:24:20 +0300
PATH: .
TOTAL FILES: 9164
TOTAL HITS: 326
TOTAL CLEANED: 0
NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run:
debian:~# maldet -q 070113-1223.7481
FILE HIT LIST:
{CAV}Exploit.SafariCrash-1 : ./osX/dos/1715.html
{CAV}Exploit.PPC : ./osX/local/1973.pl
{CAV}Exploit.Perl.Sadmin : ./solaris/remote/101.pl
{CAV}Exploit.FirefoxCrash : ./multiple/dos/1716.html
{HEX}exp.linux.setuid.13 : ./multiple/local/7129.sh
{CAV}HTML.Shellcode : ./multiple/remote/2082.html
In case some badware is captured by Maldet to quarantine files run suggested command:
debian:~# maldet -q 070113-1223.7481
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(21341): {quar} malware quarantined from './php/remote/2008.php' to '/usr/local/maldetect/quarantine/2008.php.19608'
maldet(21341): {clean} restoring /usr/local/maldetect/quarantine/2008.php.19608 for cleaning attempt
maldet(21341): {clean} trying to clean ./php/remote/2008.php with base64.inject.unclassed rule
maldet(21341): {clean} rescanning ./php/remote/2008.php for malware hits
maldet(21341): {clean} clean successful on ./php/remote/2008.php
Just for a close up below is a list of common 60 Malwares found on Hosting servers (taken from Maldetect Website);
base64.inject.unclassed perl.ircbot.xscan bin.dccserv.irsexxy perl.mailer.yellsoft bin.fakeproc.Xnuxer perl.shell.cbLorD bin.ircbot.nbot perl.shell.cgitelnet bin.ircbot.php3 php.cmdshell.c100 bin.ircbot.unclassed php.cmdshell.c99 bin.pktflood.ABC123 php.cmdshell.cih bin.pktflood.osf php.cmdshell.egyspider bin.trojan.linuxsmalli php.cmdshell.fx29 c.ircbot.tsunami php.cmdshell.ItsmYarD exp.linux.rstb php.cmdshell.Ketemu exp.linux.unclassed php.cmdshell.N3tshell exp.setuid0.unclassed php.cmdshell.r57 gzbase64.inject php.cmdshell.unclassed html.phishing.auc61 php.defash.buno html.phishing.hsbc php.exe.globals perl.connback.DataCha0s php.include.remote perl.connback.N2 php.ircbot.InsideTeam perl.cpanel.cpwrap php.ircbot.lolwut perl.ircbot.atrixteam php.ircbot.sniper perl.ircbot.bRuNo php.ircbot.vj_denie perl.ircbot.Clx php.mailer.10hack perl.ircbot.devil php.mailer.bombam perl.ircbot.fx29 php.mailer.PostMan perl.ircbot.magnum php.phishing.AliKay perl.ircbot.oldwolf php.phishing.mrbrain perl.ircbot.putr4XtReme php.phishing.ReZulT perl.ircbot.rafflesia php.pktflood.oey perl.ircbot.UberCracker php.shell.rc99 perl.ircbot.xdh php.shell.shellcomm