
How to use Linux Malware Detect (LMD) on Linux

Linux Malware Detect (LMD) is distributed as maldet by R-fx Networks. Its author, security engineer Ryan MacDonald, wrote it to address the gaps left by other malware scanners in shared hosting environments. Its signatures are built from threat data gathered by intrusion detection systems at the network edge, so they target malware that is actually being used in attacks rather than lab samples.
LMD is released under the GPL v2 license and tuned for hosting environments, but you will quickly find it useful on any Linux system that serves content or accepts uploads.

In this article we will show you how to use Linux Malware Detect (LMD) on Linux.

Using Linux Malware Detect (LMD)

1. Scan directory with Linux Malware Detect

To scan a directory for malware with Linux Malware Detect, use the command syntax:

# maldet [options] /path/to/scan

For a basic scan, run maldet with -a (--scan-all) and a path. It first builds a list of every file under that path, including sub-directories, then scans each file and reports the number of hits, saving a report you can open to inspect the suspicious files. Give an absolute path, not a relative one.

# maldet -a /home/admin/

Output:

# sudo maldet -a /home/rasho/
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(11328): {scan} signatures loaded: 17027 (14207 MD5 | 2035 HEX | 785 YARA | 0 USER)
maldet(11328): {scan} building file list for /home/rasho/, this might take awhile...
maldet(11328): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(11328): {scan} file list completed in 0s, found 5 files...
maldet(11328): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(11328): {scan} scan of /home/rasho/ (5 files) in progress...

maldet(11328): {scan} scan completed on /home/rasho/: files 5, malware hits 0, cleaned hits 0, time 16s
maldet(11328): {scan} scan report saved, to view run: maldet --report 200204-2035.11328
The setting scan_ignore_root in the configuration file (/usr/local/maldetect/conf.maldet) is 1 by default, so files owned by root are left out of the file list maldet builds. This makes scans faster, but it rests on the assumption that the root account has not been compromised and nothing has been planted in root-owned files; if an attacker has already escalated to root, those are exactly the files you need to look at. Set it to 0 to include root-owned files, at the cost of a slower scan.
View the scan report with the command maldet prints at the end of its output:

# sudo maldet --report 200204-2035.11328
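Added example, not part of the article or of LMD itself: a small POSIX shell snippet that parses the two summary lines shown above (the "scan completed ... malware hits N" line and the "maldet --report SCAN ID" line) so a cron job can alert on hits and know which report to fetch, plus helpers that read and flip scan_ignore_root in conf.maldet. The sample output and the configuration excerpt are constructed for the demonstration; the /srv/www scan with three hits and its SCAN ID are hypothetical.

```bash
#!/bin/sh
# Added example: parse maldet's end-of-scan summary for cron alerting and
# toggle scan_ignore_root in a copy of conf.maldet. Not LMD code.

# Constructed sample: a clean scan, same shape as the output shown above.
SAMPLE_CLEAN='maldet(11328): {scan} scan completed on /home/rasho/: files 5, malware hits 0, cleaned hits 0, time 16s
maldet(11328): {scan} scan report saved, to view run: maldet --report 200204-2035.11328'

# Constructed sample: a scan with hits (hypothetical path and SCAN ID).
SAMPLE_HITS='maldet(22110): {scan} scan completed on /srv/www: files 1842, malware hits 3, cleaned hits 0, time 212s
maldet(22110): {scan} scan report saved, to view run: maldet --report 200204-2110.22110'

# Print the "malware hits N" counter from the scan output passed as $1
# (prints nothing if the summary line is missing, e.g. the scan aborted).
malware_hits() {
    printf '%s\n' "$1" | sed -n 's/.*malware hits \([0-9]\{1,\}\),.*/\1/p' | tail -n 1
}

# Print the SCAN ID that maldet tells you to pass to --report.
report_id() {
    printf '%s\n' "$1" | sed -n 's/.*maldet --report \([0-9]\{6\}-[0-9]\{4\}\.[0-9]\{1,\}\).*/\1/p' | tail -n 1
}

# Exit status for a cron wrapper: 0 clean, 1 hits found, 2 no summary line.
scan_verdict() {
    hits=$(malware_hits "$1")
    [ -n "$hits" ] || return 2
    [ "$hits" -eq 0 ] && return 0 || return 1
}

# Set scan_ignore_root in the maldet configuration file $1 (normally
# /usr/local/maldetect/conf.maldet) to $2. Writes a copy, then replaces the
# file, so it does not depend on GNU sed -i.
set_scan_ignore_root() {
    conf="$1" value="$2"
    sed "s/^scan_ignore_root=.*/scan_ignore_root=\"$value\"/" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Print the current scan_ignore_root value (0 or 1) from the file $1.
get_scan_ignore_root() {
    sed -n 's/^scan_ignore_root="\([01]\)".*/\1/p' "$1"
}

# Demonstration on the constructed samples. A real wrapper would instead do
#   out=$(maldet -a /srv/www 2>&1)
# and pass "$out" to the same functions.
for sample in "$SAMPLE_CLEAN" "$SAMPLE_HITS"; do
    scan_verdict "$sample" && rc=0 || rc=$?
    case $rc in
        0) echo "clean, report $(report_id "$sample")" ;;
        1) echo "ALERT: $(malware_hits "$sample") hits, inspect with: maldet --report $(report_id "$sample")" ;;
        *) echo "could not find the scan summary" ;;
    esac
done

# Constructed excerpt of conf.maldet to show the toggle (not a real config).
demo_conf=$(mktemp)
printf '%s\n' '# 1 = skip root-owned files (default), 0 = scan them' 'scan_ignore_root="1"' > "$demo_conf"
set_scan_ignore_root "$demo_conf" 0
echo "scan_ignore_root is now $(get_scan_ignore_root "$demo_conf")"
rm -f "$demo_conf"
```

Judging the result from the printed summary rather than from maldet's exit status keeps the wrapper independent of how maldet chooses to exit, and the extracted SCAN ID is what you feed back into maldet --report, -q or -n when you act on the hits.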

2. Scan files or paths listed in a file, one per line

You can also point maldet at a file that lists one path per line with -f (--file-list):

# cat files_to_scan.list
/srv
/var
/root
/home/rasho

Then run scan.

# sudo maldet -f /home/files_to_scan.list

3. Only scan files modified in the last X days

To restrict a scan to files created or modified in the last X days, use -r (--scan-recent) with the path and a number of days; if the day count is omitted it defaults to 7.
The example below scans /srv for files modified in the last 5 days.

# sudo maldet -r /srv 5

4. Update Linux Malware Detect

To update malware detection signatures from rfxn.com, run:

# sudo maldet -u

To pull the latest release of LMD from rfxn.com, use:

# sudo maldet -d

5. Execute as a specified user

When scans run from cron or scripts, you may need to run maldet as a particular user with -U (--user). This is mainly useful for restoring files from that user's quarantine or for viewing that user's reports, as in the examples below.

# maldet --user nobody --report
# maldet --user nobody --restore 200204-2035.11328

6. Monitor paths

Maldet can also watch paths in real time for file creation and modification through the kernel's inotify interface (the inotify-tools package must be installed for this). Pass a comma-separated list of paths to --monitor; stop the monitor later with -k (--kill).

# sudo maldet --monitor PATH1,PATH2,...PATHN

For example,

# sudo maldet --monitor /tmp,/home,/var

7. Monitor files

If you are concerned about specific files, you can monitor them the same way with a comma-separated list. --monitor also accepts the path of a file that lists one path per line, which is more convenient for a long or changing set of locations.

# sudo maldet --monitor FILE1,FILE2,...FILEN

8. Monitor users

The users option takes the home directories of all users whose uid is greater than inotify_minuid and monitors them. If inotify_docroot is set, only the user's web directory (if it exists) is monitored instead of the whole home directory.

# sudo maldet --monitor users
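Added example that serves both section 2 (building a list for -f) and this section. It applies the two rules just described, uid greater than inotify_minuid and optionally the inotify_docroot sub-directory, to a passwd file, drops directories that do not exist, and writes the survivors one per line so the same set of user directories can be scanned on a schedule with maldet -f. This is illustrative code, not LMD's own implementation of the users monitor; the passwd excerpt is constructed, and the MINUID and DOCROOT environment variables are names chosen here.

```bash
#!/bin/sh
# Added example: derive the user directories that "--monitor users" would
# watch (uid > inotify_minuid, optional inotify_docroot) and write them as a
# one-path-per-line list for "maldet -f". Not LMD code.

# Constructed /etc/passwd excerpt for the demonstration (not a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc:x:999:999:service account:/nonexistent:/usr/sbin/nologin
rasho:x:1000:1000:Rasho:/home/rasho:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash'

# Print one directory per line for every account in the passwd text $1 whose
# uid is greater than $2 (the inotify_minuid rule). If $3 is given (the
# inotify_docroot name, e.g. public_html), print $home/$3 instead of $home.
user_scan_paths() {
    printf '%s\n' "$1" | awk -F: -v min="$2" -v doc="$3" '
        $3 + 0 > min + 0 && $6 != "" {
            if (doc != "") print $6 "/" doc; else print $6
        }'
}

# Read paths on stdin, keep only directories that exist (the "if it exists"
# rule above), write them to the list file $1, and print how many were kept.
write_scan_list() {
    : > "$1"
    kept=0
    while IFS= read -r p; do
        [ -d "$p" ] || continue
        printf '%s\n' "$p" >> "$1"
        kept=$((kept + 1))
    done
    echo "$kept"
}

# Real use (needs maldet installed; not exercised by the sample data):
# refresh signatures, then scan the generated list. MINUID defaults to 500,
# the value conf.maldet ships for inotify_minuid; an empty DOCROOT means
# whole home directories are scanned.
scheduled_scan() {
    list=$(mktemp)
    user_scan_paths "$(cat /etc/passwd)" "${MINUID:-500}" "${DOCROOT:-}" \
        | write_scan_list "$list" > /dev/null
    maldet -u
    maldet -f "$list"
}

# Demonstration on the constructed passwd excerpt.
echo "home directories of users with uid > 999:"
user_scan_paths "$SAMPLE_PASSWD" 999
echo "web roots of users with uid > 999:"
user_scan_paths "$SAMPLE_PASSWD" 999 public_html
```

Note the boundary: with the threshold at 999 the svc account (uid 999) is excluded, exactly as "greater than inotify_minuid" implies, while a threshold of 500 would pull in its /nonexistent home until write_scan_list drops it for not existing.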

9. Clear logs, quarantine queue, session and temporary data

To purge all of the above, use the -p option. Note that this also empties the quarantine queue, so any file you might still want to restore with -s is gone afterwards.

# sudo maldet -p

Important Maldet Options

General syntax is:

# maldet [options] /path/to/scan

1) -b, --background – Execute operations in the background, ideal for large scans.
2) -u, --update – Update malware detection signatures from rfxn.com.
3) -l, --log – View maldet log file events.
4) -d, --update-ver – Update the installed version from rfxn.com.
5) -k, --kill – Terminate the inotify monitoring service.
6) -a, --scan-all PATH – Scan all files in PATH.
7) -r, --scan-recent PATH DAYS – Scan files created/modified in the last DAYS days (default 7).
8) -f, --file-list FILE – Scan the files or paths listed in FILE, one per line.
9) -e, --report SCAN ID – View the report of the most recent scan, or of SCAN ID.
10) -p, --purge – Clear logs, quarantine queue, session and temporary data.
11) -q, --quarantine SCAN ID – Quarantine all malware from report SCAN ID.
12) -n, --clean SCAN ID – Clean and restore malware hits from report SCAN ID.
13) -c, --checkout FILE – Upload suspected malware to rfxn.com for review and hashing into signatures.
14) -m, --monitor USERS|PATHS|FILE – Run maldet with kernel-level (inotify) file create/modify monitoring.
15) -s, --restore FILE|SCAN ID – Restore a file from the quarantine queue to its original path.
16) -U, --user USER – Execute as the specified user, ideal for restoring from a user's quarantine.

If you run a self-hosted website, sooner or later someone will try to plant malware on it. Install maldet and schedule its scans before that happens, so you find the infection rather than its consequences.
