
Detect malware on linux.

Posted: Thu Apr 18, 2013 11:18 am
by tanmay.01
If you are running a mission-critical web server, or managing shared hosting environments on Linux, chances are that you constantly watch out for potential threats from Linux malware such as viruses, trojans, rootkits and worms. While staying up-to-date with the latest server hardening guides is a must to prevent any future attack, you may wish to add malware detection tools to your arsenal for extra security.

Linux Malware Detect (LMD) is a freeware malware scanning tool for Linux. In this guide, I will show you how to install and configure LMD to scan for malware on your Linux system.

In order to install LMD on Linux, run the following:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xvfz maldetect-current.tar.gz
cd maldetect-1.4.2
sudo ./install.sh


Linux Malware Detect v1.4.1
(C) 2002-2013, R-fx Networks <[email protected]>
(C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(6001): {sigup} performing signature update check...
maldet(6001): {sigup} local signature set is version 201205035915
maldet(6001): {sigup} new signature set (2013041816820) available
maldet(6001): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(6001): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(6001): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(6001): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(6001): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(6001): {sigup} signature set update completed
maldet(6001): {sigup} 11203 signatures (9335 MD5 / 1868 HEX)


After installation, a daily cron job is added in /etc/cron.daily/maldet, which checks for the latest version of LMD and the malware definition/signature files, and updates them automatically. If inotify-based real-time monitoring is enabled, the daily cron job also scans the recently updated/created files for malware.

To initiate malware scanning manually, run maldet with a target folder to scan.

sudo maldet --scan-all /home


After scanning, you can examine the malware scan report by running the following command with the scan report ID (which your terminal displays).

sudo maldet --report 041813-2044.6125


To quarantine the infected files, run the following command with the scan report ID. The infected files will then be quarantined for cleaning.

sudo maldet -q 041813-2044.6125


If you want to actively monitor specific directories for malware infection, you can run maldet as a daemon as follows.

sudo maldet -m /var,/home


If you want to have maldet alert you on detected malware by email, you can modify maldet configuration as follows.

sudo vi /usr/local/maldetect/conf.maldet


email_alert=1
email_subj="Malware detected by maldet"
email_addr="[email protected]"
;)

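As an added example (not code from the post above or from LMD itself), the scan, report and quarantine steps of the tutorial chained into one POSIX sh script that only quarantines when the scan actually reports hits. The wording of the maldet output it parses is an assumption, and the sample output at the bottom is constructed (reusing the report ID shown in the post).

```shell
#!/bin/sh
# Added example, not part of the original post. ASSUMPTION: maldet prints a
# summary line containing "malware hits N" and a line ending in
# "maldet --report <id>"; adjust the two sed patterns if your version differs.

# Extract the report ID from a "... to view run: maldet --report <id>" line.
lmd_report_id() {
    sed -n 's/.*maldet --report \([0-9]\{6\}-[0-9]\{4\}\.[0-9]*\).*/\1/p' | head -n 1
}

# Extract the number after "malware hits" from the summary line; 0 if absent.
lmd_hit_count() {
    n=$(sed -n 's/.*malware hits \([0-9]*\).*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Scan a directory, then quarantine only when the report says something was found.
# Returns 0 on a clean scan, 1 when hits were found (and quarantined),
# 2 if the report ID could not be parsed from maldet's output.
lmd_scan_and_quarantine() {
    dir=$1
    out=$(maldet --scan-all "$dir" 2>&1)
    id=$(printf '%s\n' "$out" | lmd_report_id)
    hits=$(printf '%s\n' "$out" | lmd_hit_count)
    [ -n "$id" ] || { echo "could not find report ID in maldet output" >&2; return 2; }
    if [ "$hits" -gt 0 ]; then
        echo "$hits hit(s) in report $id, quarantining" >&2
        maldet -q "$id"
        return 1
    fi
    echo "scan $id clean" >&2
    return 0
}

# Constructed sample output for a dry run of the two parsers (not real maldet output):
SAMPLE_OUTPUT='maldet(6125): {scan} scan completed on /home: files 812, malware hits 2, cleaned hits 0
maldet(6125): {scan} scan report saved, to view run: maldet --report 041813-2044.6125'
```

Call `lmd_scan_and_quarantine /home` from a cron job and act on the exit status; the two parser functions can be checked against SAMPLE_OUTPUT without maldet installed.
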
Re: Detect malware on linux.

Posted: Thu Apr 18, 2013 7:58 pm
by Randymanme
Thanks for this tutorial. Will this work okay on a personal computer?

Re: Detect malware on linux.

Posted: Thu Apr 18, 2013 11:24 pm
by tanmay.01
Yes, this will work, as Linux OSes are scalable. Meaning with some server software you could make your personal computer into a server.
And Linux does not have viruses, but it can have malware.