How to Install Malware Detect on a Linux Server

Linux Malware Detect (LMD) is a malware scanner for Linux that detects and, depending on its configuration, quarantines or cleans malware on your server. It is particularly useful on web servers in shared hosting environments, where outdated scripts often become targets for infection.

LMD uses MD5 file hashes and HEX byte-pattern matches as signatures. The signature set is built from several sources, including malware samples captured by network-edge intrusion prevention systems (IPS), ClamAV signature data, and community and user submissions.

In this tutorial, I'll guide you through the process of installing LMD.

Step 1: Download the Latest Version

To begin, download the latest LMD release with wget from a terminal on the server. Note that the download URL below is plain HTTP and nothing in this procedure checks the archive before install.sh is run as root; fetch over HTTPS where the server offers it, and compare the archive's checksum against a value obtained from the project through a separate channel before installing.

[root@VPS1 ~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--2013-04-18 20:49:53--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
Resolving www.rfxn.com... 129.121.132.46
Connecting to www.rfxn.com|129.121.132.46|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 811434 (792K) [application/x-gzip]
Saving to: “maldetect-current.tar.gz”

100%[======================================>] 811,434     1.08M/s   in 0.7s    

2013-04-18 20:49:54 (1.08 MB/s) - “maldetect-current.tar.gz” saved [811434/811434] 
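The following script, added here and not part of LMD, shows the two checks a practitioner would wrap around that download: compare the archive's SHA-256 against a digest obtained out-of-band (EXPECTED_SHA256 is a placeholder, not a published value), and list the tarball before extracting so that an archive containing absolute paths or ".." components is rejected instead of writing outside the target directory. The rfxn.com URL is the one from this page; the output file name is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not part of LMD: fetch the release archive, check its digest
# against a value obtained from the project out-of-band, and inspect the tar
# listing before extracting. EXPECTED_SHA256 is a PLACEHOLDER, not a published
# digest; replace it with the value you obtained separately.
URL="http://www.rfxn.com/downloads/maldetect-current.tar.gz"
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# sha256_of FILE -> hex digest
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# verify_sha256 FILE EXPECTED -> 0 when the digest matches, 1 otherwise
verify_sha256() { [ "$(sha256_of "$1")" = "$2" ]; }

# unsafe_tar_entries: reads a tar listing on stdin and prints entries that are
# absolute or contain a ".." component; a hostile archive could use either to
# drop files outside the extraction directory (e.g. into /etc/cron.d)
unsafe_tar_entries() { grep -E '^/|(^|/)\.\.(/|$)' || true; }

# safe_extract TARBALL DEST -> refuses to extract when any entry escapes DEST
safe_extract() {
  local tarball="$1" dest="$2" bad
  bad=$(tar -tzf "$tarball" | unsafe_tar_entries)
  if [ -n "$bad" ]; then
    printf 'refusing to extract %s, unsafe entries:\n%s\n' "$tarball" "$bad" >&2
    return 1
  fi
  mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# fetch_and_verify URL EXPECTED OUT -> download, verify, and delete OUT on mismatch
fetch_and_verify() {
  local url="$1" expected="$2" out="$3"
  wget -q -O "$out" "$url" || return 1
  if ! verify_sha256 "$out" "$expected"; then
    printf 'digest mismatch for %s: got %s\n' "$out" "$(sha256_of "$out")" >&2
    rm -f "$out"
    return 1
  fi
}

# Network access only on request, so the functions can be sourced or tested offline:
#   RUN_FETCH=1 bash fetch_lmd.sh
if [ "${RUN_FETCH:-0}" = 1 ]; then
  fetch_and_verify "$URL" "$EXPECTED_SHA256" maldetect-current.tar.gz &&
    safe_extract maldetect-current.tar.gz . &&
    echo "archive verified and extracted; review install.sh before running it as root"
fi
```

With the placeholder digest left in place the download is deleted every time, which is the intended failure mode: the script only succeeds once you have put in a digest you trust. Recent GNU tar versions already strip leading slashes and skip ".." members, but doing the check up front makes the refusal explicit and independent of the tar version on the host.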

Step 2: Extract and Install

Now, we will extract it:

[root@VPS1 ~]# tar -xzvf maldetect-current.tar.gz
Once that finishes, change into the extracted directory and run the installer:

[root@VPS1 ~]# cd maldetect-1.4.2
[root@VPS1 maldetect-1.4.2]# ./install.sh 
Linux Malware Detect v1.4.1
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(10805): {sigup} performing signature update check...
maldet(10805): {sigup} local signature set is version 201205035915
maldet(10805): {sigup} new signature set (2013041816820) available
maldet(10805): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(10805): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(10805): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(10805): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(10805): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(10805): {sigup} signature set update completed
maldet(10805): {sigup} 11203 signatures (9335 MD5 / 1868 HEX)

LMD installs itself under /usr/local/maldetect, links the maldet and lmd commands into /usr/local/sbin, and immediately pulls the current signature set so it starts with up-to-date detections. It also drops a script into /etc/cron.daily that keeps LMD and its signatures updated and scans the document roots it knows about once a day. If you prefer to check for a new LMD release manually, run:

[root@VPS1 ~]# maldet --update-ver
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(11341): {update} checking for available updates...
maldet(11341): {update} hashing install files and checking against server...
maldet(11341): {update} latest version already installed.

Above, --update-ver hashes the installed files, compares them against the server, and updates LMD itself when a newer release exists. The signature set is updated separately:

[root@VPS1 ~]# maldet --update
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(11417): {sigup} performing signature update check...
maldet(11417): {sigup} local signature set is version 2013041816820
maldet(11417): {sigup} latest signature set already installed

The --update parameter pulls the latest signatures. To scan a specific directory, pass its path to -a (scan all files under it):

[root@VPS1 ~]# maldet -a /var/www/vhosts/some-website-you-dont-trust.com/httpdocs/
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(11525): {scan} signatures loaded: 11203 (9335 MD5 / 1868 HEX)
maldet(11525): {scan} building file list for /var/www/vhosts/some-website-you-dont-trust.com/httpdocs/, this might take awhile...
maldet(11525): {scan} file list completed, found 7292 files...
maldet(11525): {scan} 51/7292 files scanned: 0 hits 0 cleaned

maldet -a scans every file under the given path and reports any hits it finds. It's also possible to receive email notifications when LMD detects malware. To enable this, edit the conf.maldet file:

[root@VPS1 ~]# vim /usr/local/maldetect/conf.maldet
This is the precise section that you need to edit:

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=0

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="you@domain.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

Step 3: Enable Email Alerts and Review the Daily Cron Job

Change email_alert to 1 and enter your address in email_addr (several addresses are separated by commas). Last, but not least, let's take a look at the script that LMD copied to the cron.daily folder:

[root@VPS1 ~]# vim /etc/cron.daily/maldet
#!/bin/bash

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi

        # scan default apache docroot paths
        if [ -d "/var/www/html" ]; then
                /usr/local/maldetect/maldet -b -r /var/www/html 2 >> /dev/null 2>&1
        fi
        if [ -d "/usr/local/apache/htdocs" ]; then
                /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2 >> /dev/null 2>&1
        fi
fi

Essentially, this script performs several tasks: it clears quarantine, session and temporary data older than 14 days, checks for a new LMD release, updates the signature set, and then either sends the daily inotify hit summary or, when real-time monitoring is not running, scans the files changed in the last two days (-r ... 2) under the document roots of whatever control panel it detects. Two things to check on your own server: tmpwatch is a Red Hat/CentOS tool (Debian and Ubuntu ship tmpreaper instead), so on those systems the cleanup lines fail silently because their output is discarded; and the paths are preconfigured for Ensim, Plesk, DirectAdmin, cPanel, Interworx and the default Apache docroots, so sites that live anywhere else are never scanned by the daily job unless you add their paths. When LMD detects malware, the alert in your inbox typically includes:

  • The number of infections found
  • The paths of infected files
  • A summary of the actions taken (e.g., quarantining or cleaning the infected files)

This notification lets you act on an infection promptly. Here is what a typical email notification detailing a malware scan report looks like:

malware detect scan report for VPS1.MYWEBSERVER.LOCAL:
SCAN ID: 030213-0405.22001
TIME: Mar  2 04:06:08 +0100
PATH: /var/www/vhosts/*/httpdocs
RANGE: 2 days
TOTAL FILES: 2909
TOTAL HITS: 1
TOTAL CLEANED: 0

FILE HIT LIST:
{CAV}PHP.Hide : /var/www/vhosts/malwarewebsite.com/httpdocs/images/stories/imageshoot.gif => /usr/local/maldetect/quarantine/imageshoot.gif.19815
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >

Note that the hit is PHP code stored under a .gif name in an image upload directory, a common way to smuggle a backdoor past a filter that only checks extensions. Depending on conf.maldet, LMD will either leave an infected file in place and alert, move it to the quarantine folder (the "=>" part of the hit line above), or attempt to clean it; with the 1.4.x default of quar_hits=0 it only alerts, so set quar_hits=1 if you want hits moved to /usr/local/maldetect/quarantine as in this report. After the scan completes, notify the webmaster so they can clean the website and update all installed scripts to their current versions: quarantining the dropped file removes one artifact, not the outdated script that let it in.
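The report is meant to be read by a person, but its fields are regular enough to parse when you want the cron job or a monitoring check to escalate only when a hit was left in place rather than quarantined. The script below, added for this tutorial and not part of LMD, parses a report in the shape shown above and maps it to an exit status. The report it embeds is constructed: the hostname, paths and the {HEX}example.signature name are made up, and the {CAV}PHP.Hide line mirrors the one in the real alert above.

```bash
#!/usr/bin/env bash
# Added example: turn a maldet scan report into something a cron wrapper or
# monitoring check can act on. Not part of LMD. SAMPLE_REPORT is constructed
# in the shape of the alert shown in the tutorial; hostname, paths and the
# {HEX} signature name are made up.
SAMPLE_REPORT='malware detect scan report for vps1.example.internal:
SCAN ID: 030213-0405.22001
TIME: Mar  2 04:06:08 +0100
PATH: /var/www/vhosts/*/httpdocs
RANGE: 2 days
TOTAL FILES: 2909
TOTAL HITS: 2
TOTAL CLEANED: 0

FILE HIT LIST:
{CAV}PHP.Hide : /var/www/vhosts/example.com/httpdocs/images/stories/imageshoot.gif => /usr/local/maldetect/quarantine/imageshoot.gif.19815
{HEX}example.signature : /var/www/vhosts/example.com/httpdocs/uploads/cache.php
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >'

# report_field REPORT NAME -> value of the "NAME: value" header line (empty if absent)
report_field() {
  printf '%s\n' "$1" | awk -F': ' -v k="$2" '$1 == k { print $2; exit }'
}

# report_hit_lines REPORT -> the raw lines between "FILE HIT LIST:" and the ==== rule
report_hit_lines() {
  printf '%s\n' "$1" | awk '/^FILE HIT LIST:/ { l = 1; next } /^=+$/ { l = 0 } l && NF'
}

# report_hit_paths REPORT -> only the infected paths, without signature name or quarantine destination
report_hit_paths() {
  report_hit_lines "$1" | sed -e 's/^[^:]*: //' -e 's/ => .*$//'
}

# report_unquarantined REPORT -> hit lines with no "=> quarantine path", i.e. files still in place
report_unquarantined() {
  report_hit_lines "$1" | grep -v ' => ' || true
}

# check_report REPORT -> 0: no hits, 1: hits but all quarantined, 2: at least one hit left in place
check_report() {
  local hits left
  hits=$(report_field "$1" "TOTAL HITS")
  left=$(report_unquarantined "$1" | grep -c . || true)
  [ "${hits:-0}" -eq 0 ] && return 0
  [ "$left" -eq 0 ] && return 1
  return 2
}

# summarize REPORT -> one line suitable for a mail subject or a monitoring check's output
summarize() {
  local rc=0
  check_report "$1" || rc=$?
  printf 'path=%s hits=%s cleaned=%s left_in_place=%s status=%s\n' \
    "$(report_field "$1" PATH)" "$(report_field "$1" 'TOTAL HITS')" \
    "$(report_field "$1" 'TOTAL CLEANED')" \
    "$(report_unquarantined "$1" | grep -c . || true)" "$rc"
}

summarize "$SAMPLE_REPORT"
report_hit_paths "$SAMPLE_REPORT"
```

On the constructed report, summarize prints status=2 because cache.php has no quarantine destination; in a wrapper around the cron job that is the case to page on, while status 1 (everything quarantined) can go to the daily digest. The parser keys on the "FILE HIT LIST:" header and the "=>" separator exactly as they appear in the alert, so if a future LMD version changes the report layout, the assertions on these fields are what will break first.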

I hope this lesson has been helpful! If you have any questions or suggestions for protecting your Linux server(s), please feel free to drop us a comment below.

Happy scanning!



About the Author

I'm Aevon... just a gal with an insane passion for all things cybersecurity. 17 years in the industry and still love what I'm doing.
