Maldet
Checkers
We have a new tool for malware scanning and cleanup called Checkers. It will find all the malware maldet+clamscan finds and more, and it has additional functionality to assist with investigation and cleanup. Check it out: Checkers.
Quick Review
Maldet is a great piece of software that can help you begin to determine which files, if any, are potentially compromised on a system. It will not always have all the answers, but it will likely point you in the right direction.
If a customer is reporting virus-like or "hacked" activity, one of the first things that should be checked is this:
maldet -e
This command will simply display the last maldet report that was run on the server, and does not require the inclusion of a specific report number. This makes the report very easy to find and the command is simple to remember.
Be sure to do the needful, and remember: quarantine at your own risk. Stat the files and use chmod 000 instead; that is a much better choice!
Overview
Linux Malware Detect (LMD) uses MD5 file hashes and hex pattern matches to identify malware. The goal of LMD is to provide a threat detection, alerting and quarantine tool for Linux web servers, though the MD5/hex signatures are portable to any number of detection tools. There is currently limited availability of open source, restriction-free tools for Linux systems that focus on malware detection and, more importantly, that get it right. Many of the AV products that perform malware detection on Linux have a very poor track record of detecting threats, especially those targeted at shared web hosting servers. The threat landscape on shared web hosting servers differs from what the standard AV products' detection suites are built for: they primarily detect trojan/rootkit content but miss the ever-increasing malware at the account level, which serves as an attack platform. Using the cymru.com malware hash repository, which provides malware data for Microsoft, Google, Trend Micro, F-Secure, Symantec and more, we can demonstrate this shortcoming in current threat detection.
Features
- MD5 file hash detection for quick threat identification
- HEX based pattern matching for identifying threat variants
- integrated signature update feature, executes through cron.daily and --update
- integrated version update feature with --update-ver, must be run manually
- scan-recent option to scan only files that have been added/changed in X days
- scan-all option for full path based scanning
- checkout option to upload suspected malware to rfxn.com for review / hashing
- report option to view past or recent scan results
- quarantine queue that stores threats in a safe fashion with no permissions
- quarantine batching option to quarantine the results of a past or recent scan
- quarantine restore option to restore files to original path, owner and perms
- quarantine suspend account option to Cpanel suspend or shell revoke users
- cleaner rules to attempt removal of malware injected strings
- cleaner batching option to attempt cleaning of previous scan reports
- cleaner rules to remove base64 and gzinflate(base64) injected malware
- daily cron based scanning of all changes in last 24h in user homedirs
- daily cron script compatible with stock RH style systems, Cpanel & Ensim
- kernel based inotify real time file scanning of created/modified/moved files
- kernel inotify monitor that can take path data from STDIN or FILE
- kernel inotify monitor convenience feature to monitor system users
- kernel inotify monitor can be restricted to a configurable user html root
- kernel inotify monitor with dynamic sysctl limits for optimal performance
- kernel inotify alerting through daily and/or optional weekly reports
- e-mail alert reporting after every scan execution (manual & daily)
- path and signature based ignore options
- verbose logging & output of all actions
Installation
Wget Method
Git Method
Copypasta installation:
<source lang='bash'>
pushd /usr/local/src/
rm -vrf /usr/local/src/maldetect-*
rm -vrf /usr/local/src/linux-malware-detect*
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd maldetect-*
sh ./install.sh
maldet --update-ver
# sed patch - commands added to address current problem with maldet overriding values in the conf file
sed -i 's/quarantine_hits=\"1\"/quarantine_hits=\"0\"/' /usr/local/maldetect/conf.maldet
sed -i 's/quarantine_clean=\"1\"/quarantine_clean=\"0\"/' /usr/local/maldetect/conf.maldet
sed -i 's/email_alert=\"1\"/email_alert=\"0\"/' /usr/local/maldetect/conf.maldet
sed -i 's/email_addr=\"you@domain.com\"/email_addr=\"\"/' /usr/local/maldetect/conf.maldet
# end sed patch
maldet --update
if [ -e /usr/local/cpanel/3rdparty/bin/clamscan ]
then
    ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan
    ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam
    if [ ! -d /var/lib/clamav ]
    then
        mkdir /var/lib/clamav
    fi
    ln -s /usr/local/cpanel/3rdparty/share/clamav/main.cld /var/lib/clamav/main.cld
    ln -s /usr/local/cpanel/3rdparty/share/clamav/daily.cld /var/lib/clamav/daily.cld
    ln -s /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld /var/lib/clamav/bytecode.cld
else
    echo -e "\n\e[31mClamAV does not appear to be installed through cPanel.\nThe ClamAV definitions will not be used.\e[39m\n"
fi
popd
</source>
If you get a "bash: maldet: command not found":
ln -s /usr/local/sbin/maldet /usr/local/bin/
If you've installed maldet before, but it cannot find the clamscan binary, run the following:
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam
Notes for Plesk installs
If you are installing Maldet for Plesk, you will need to do the next line as well:
vim /etc/cron.daily/maldet
Find the # psa section and add this line after the httpdocs line:
/usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpsdocs 2 >> /dev/null 2>&1
Configure Maldet to also use ClamAV Sigs (cPanel servers)
If you want to ensure maldet will use both its own definitions, and the clamav definitions, then run (or re-run) these steps:
<source lang='bash'>
if [ -e /usr/local/cpanel/3rdparty/bin/clamscan ]
then
    ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan
    ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam
    if [ ! -d /var/lib/clamav ]
    then
        mkdir /var/lib/clamav
    fi
    ln -s /usr/local/cpanel/3rdparty/share/clamav/main.cld /var/lib/clamav/main.cld
    ln -s /usr/local/cpanel/3rdparty/share/clamav/daily.cld /var/lib/clamav/daily.cld
    ln -s /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld /var/lib/clamav/bytecode.cld
    ln -s /usr/local/cpanel/3rdparty/share/clamav/main.cvd /var/lib/clamav/main.cvd
    ln -s /usr/local/cpanel/3rdparty/share/clamav/daily.cvd /var/lib/clamav/daily.cvd
    ln -s /usr/local/cpanel/3rdparty/share/clamav/bytecode.cvd /var/lib/clamav/bytecode.cvd
else
    echo -e "\n\e[31mClamAV does not appear to be installed through cPanel.\nThe ClamAV definitions will not be used.\e[39m\n"
fi
</source>
Post-installation Notes
Upon installing maldet, it creates /etc/cron.daily/maldet, which will:
- Check for new definitions
- Send daily notify alerts to $email_addr
- Scan for file changes over the last 1 day on /home?/?/public_html (? being wildcard) if inotify isn't running
- This scan is enabled if you ran the full install commands above
- THIS COMMAND DOES NOT WORK FOR MOST SERVERS. It will scan /home?/, but not /home/. If the server only has a /home/ directory, then just change it to /hom?/. This will grab /home/ and /home{2,3,etc}/.
The command used to disable the daily scanning of maldet is:
line=$(egrep -n "^[^#]*maldet -b -r /home?\?/\?/public_html/,/var/www/html/,/usr/local/apache/htdocs/" /etc/cron.daily/maldet | cut -f1 -d:); if [[ $line != [0-9]* ]]; then echo "The search string was not found, please let escalations know of this."; else sed -i "$line s/^/#/" /etc/cron.daily/maldet && line=$((line+1)) && sed -i "$(echo $line)i\echo " /etc/cron.daily/maldet; echo "Disabled"; fi
To re-enable daily scanning if you used the above command to disable:
line=$(egrep -n "^[[:blank:]]*#*.*maldet -b -r /home?\?/\?/public_html/,/var/www/html/,/usr/local/apache/htdocs/" /etc/cron.daily/maldet | cut -f1 -d:); if [[ $line != [0-9]* ]]; then echo "The search string was not found, please let escalations know of this."; else sed -i "$line s/#*//" /etc/cron.daily/maldet; echo "Enabled"; fi
You may want to consider activating the inotify monitor by executing the following command:
maldet --monitor users
You may also want to consider activating the many features of maldet, for example:
email_alert=1
email_addr="root"
maxfilesize="1024k"
To edit these options, $EDITOR /usr/local/maldetect/conf.maldet
Troubleshooting: Maldet email is not being sent to customer when inotify is enabled
If the customer has a cron set up and is not receiving their daily maldet reports via email, check if inotify is enabled. The daily report is skipped and messages are sent out for significant monitoring events only.
From https://www.rfxn.com/appdocs/README.maldetect
If you are running monitor mode, the daily scans will be skipped and instead a daily report will be issued for all monitoring events. If you need to scan additional paths, you should review the cronjob and edit it accordingly.
Syntax
maldet --help
<source lang="text">
-b, --background
    Execute operations in the background, ideal for large scans
    e.g: maldet -b -r /home/?/public_html 7

-u, --update
    Update malware detection signatures from rfxn.com

-d, --update-ver
    Update the installed version from rfxn.com

-m, --monitor USERS|PATHS|FILE
    Run maldet with inotify kernel level file create/modify monitoring
    If USERS is specified, monitor user homedirs for UID's > 500
    If FILE is specified, paths will be extracted from file, line spaced
    If PATHS are specified, must be comma spaced list, NO WILDCARDS!
    e.g: maldet --monitor users
    e.g: maldet --monitor /root/monitor_paths
    e.g: maldet --monitor /home/mike,/home/ashton

-k, --kill
    Terminate inotify monitoring service

-r, --scan-recent PATH DAYS
    Scan files created/modified in the last X days (default: 7d, wildcard: ?)
    e.g: maldet -r /home/?/public_html 2

-a, --scan-all PATH
    Scan all files in path (default: /home, wildcard: ?)
    e.g: maldet -a /home/?/public_html

-c, --checkout FILE
    Upload suspected malware to rfxn.com for review & hashing into signatures

-l, --log
    View maldet log file events

-e, --report SCANID
    View scan report of the most recent scan or provided SCANID
    e.g: maldet --report
    e.g: maldet --report 050910-1534.21135
    e.g: maldet --report list (lists all available SCANIDs by time)

-s, --restore FILE
    Restore file from quarantine queue to orginal path
    e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754

-q, --quarantine SCANID
    Quarantine all malware from report SCANID
    e.g: maldet --quarantine 050910-1534.21135

-n, --clean SCANID
    Try to clean & restore malware hits from report SCANID
    e.g: maldet --clean 050910-1534.21135

-p, --purge
    Clear logs, quarantine queue, session and temporary data.
</source>
Common Tasks
Scanning in the Background
Screen Method (this edit was by jeaton)
Maldet now supports automatic backgrounding of scans, so there is no need to run it in a screen anymore, YAY! ***Warning: backgrounding doesn't tell you when the scan is going to finish, whereas running maldet -a in the foreground lets you estimate when it will finish***
maldet -b -a /home/?/public_html
{scan} launching scan of /home/*/public_html to background, see /usr/local/maldetect/event_log for progress
Scanning all users public_html
cPanel - this does not work for Plesk (see below)
maldet -b -a /home/?/public_html
If the customer has multiple home directories like /home, /home2, /home4, etc, this should get them all:
maldet -b -a /hom?/?/public_html
Or, for all cPanel users, producing a usable scan report per user instead of one built off the whole of a large web server (which makes single-user quarantine easy); set $TICKETID first:
for user in $(ls -A1 /var/cpanel/users); do maldet -a /home?/"${user}"/public_html/ | grep 'malware hits [1-9]\|scanned: [1-9]' -A2 | grep 'report' -B2; done | tee "$TICKETID.maldet.log"
Example ways of viewing all:
[root@3281844] ~ >> grep "/home*/\|^{*}*:" /usr/local/maldetect/sess/session.052212*
or just the files with
[root@3281844] ~ >> grep "/home*/\|^{*}*:" /usr/local/maldetect/sess/session.052212-0146.903830 |cut -d: -f2-
[root@3281844] ~ >> grep "/home*/\|^{*}*:" /usr/local/maldetect/sess/session.052212* |cut -d: -f3-
Plesk on Linux
You will need to run both of these commands, as Plesk serves secure and non-secure content from different directories (although this can be managed from the Plesk control panel). Be sure to run them consecutively, not concurrently! It is not recommended to combine these lines into a single, double-wildcard command.
maldet -b -a /var/www/vhosts/?/httpdocs/
maldet -b -a /var/www/vhosts/?/httpsdocs/
Scanning a single user's public_html
cPanel
maldet -a /home/USERNAME/public_html/
Plesk on Linux (run both of these)
maldet -a /var/www/vhosts/DOMAIN.COM/httpdocs/
maldet -a /var/www/vhosts/DOMAIN.COM/httpsdocs/
Scanning some, but not all public_html directories
This no longer works and needs updating.
Courtesy of Alex Kwiecinski:
First, you'll need a list of the infected accounts in a file; in this example the file is called list.
Now you can use this list in a for loop to scan them (the pattern is passed with -e so that grep does not read --report as an option):
for each in $(cat list); do maldet -a /home/$each/public_html | grep -e '--report' >> results; echo "done with $each"; done
The file results will give you the maldet --report references, so you can run that command to see what each scan found.
Scanning By Grouping Accounts
If you have a client with an excessive number of accounts and files on their server, Maldet will "bork" if you try to run it on EVERY public_html/ directory, but it won't tell you until you have waited multiple hours. There is a way to do it by grouping accounts, which speeds up your scans by not having to go account by account but also won't break the scan. The formatting is REALLY easy. For example, say I want to scan accounts that start with "a" through accounts that start with "c". Just do it like so:
maldet -a /home/[a-c]?/public_html/
That's it! Use your best judgement when deciding how many accounts to group together.
Scan recent changes
If you wanted to scan the same path but scope it to content that has been created/modified in the last 5 days you would run the following.
maldet --scan-recent /home?/?/public_html 5
Quarantining a scan by ID
If you performed a scan and want to use the quarantine option, you could quarantine all malware results from the previous scan with:
maldet --quarantine SCANID
The better option, to chmod 000 all files in a scan:
cut -d':' -f 2 /usr/local/maldetect/sess/session.hits.$SCANID |xargs chmod 000
Cleaning a scan by ID
Similarly to the above, if you wanted to attempt a clean on all malware results from a previous scan that did not have the feature enabled, you would do so with:
maldet --clean SCANID
Restoring a quarantined item
If you had a file that was quarantined from a false positive or that you simply want to restore (i.e: you manually cleaned it), you can use the following:
maldet --restore /usr/local/maldetect/quarantine/config.php.2384
Restoring by scan ID
Sometimes you may accidentally run a maldet without first making sure auto-quarantine is disabled. Not to worry, this can easily be fixed.
maldet --restore SCANID
Restoring ALL quarantined items
Do not do this blindly. Review the contents of /usr/local/maldetect/quarantine and be absolutely sure you wish to restore them all.
for i in $(ls /usr/local/maldetect/quarantine | grep -v '\.info$'); do maldet --restore "$i"; done
Marking Folders as ignored
Edit the following file and place the paths you want ignored in there line by line.
vim /usr/local/maldetect/ignore_paths
Example syntax below.
/home/helpmeou
/home/tacodogs
/home/menopaus
/home/delilass
/home/pensicol
/home/drupalma
Now if i run a scan of the /home directory these users will be excluded.
Ignoring individual files
Additionally, you can ignore individual files in the same location
vim /usr/local/maldetect/ignore_paths
Example syntax below.
/home/helpmeou/public_html/classes/file/that/really_looks/like_a_virus/but_is_not.php
Now, if a scan hits that directory, it ignores that file. You might want to chattr +i that file too so it's protected in case they get hacked in the future:
chattr +i /home/helpmeou/public_html/classes/file/that/really_looks/like_a_virus/but_is_not.php
Update Maldet to latest version
maldet --update-ver
<source lang="text">
[root@host.mydomain.com] ~ >> maldet --update-ver
Linux Malware Detect v1.3.7
            (C) 2002-2010, R-fx Networks <proj@r-fx.org>
            (C) 2010, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(1924): {update} checking for available updates...
maldet(1924): {update} new version 1.3.9 found, updating...
maldet(1924): {update} completed update v1.3.7 => v1.3.9, running signature updates...
maldet(2083): {sigup} performing signature update check...
maldet(2083): {sigup} local signature set is version 2011041215989
maldet(2083): {sigup} latest signature set already installed
maldet(1924): {update} update and config import completed.
</source>
Information pulled from here
Finding Lost Output/Where the logs go
Maldet run logs are stored in
/usr/local/maldetect
There are also session history logs in
/usr/local/maldetect/sess/
Long running maldet scan?
Check /usr/local/maldetect/event_log to ensure the clamscan binary is loaded. You should see a line that looks like the following:
maldet(19139): {scan} found ClamAV clamscan binary, using as scanner engine...
If the clamscan binary is not loaded, cancel the maldet and run the following to update maldet:
maldet -d
maldet --update
You should now be able to run your maldet again and see the clamscan binary loaded.
If it does not:
Make sure the clamAV connector is installed in WHM >> Plugins, then:
<source lang='bash'>
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam
</source>
How far along is the maldet?
run:
strace -p $(pgrep -o maldet) 2>&1 | grep "stat(\"/home/"
(old boxes)
to see what it is currently scanning.
for boxes using clamav definitions:
strace -p $(pgrep -o clamscan) 2>&1| egrep -o 'stat\(\"/home/([^\s]+)'
for a few seconds to see where it is at (ctrl-c to stop)
Is the scan running on all the users? If so, compare it with the list of users:
\ls /var/cpanel/users
to get an idea on where the scan is at.
Generate a list of flagged files
After running the maldet, tail the event log
tail -f /usr/local/maldetect/event_log
Once it's finished you will get something like this:
Feb 22 18:47:40 host maldet(29850): {scan} scan completed on /home/*/public_html: files 468099, malware hits 16, cleaned hits 0
Feb 22 18:47:40 host maldet(29850): {scan} scan report saved, to view run: maldet --report 022212-1818.29850
Feb 22 18:47:40 host maldet(29850): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 022212-1818.29850
you can run the suggested:
maldet --report 022212-1818.29850
to get a report.
Or you can run:
cat /usr/local/maldetect/sess/session.022212-1818.29850 |grep "/home" |grep -v "/home/\*/" |cut -d " " -f3
replacing the "022212-1818.29850" with the appropriate number in the event_log for your scan,
to generate a nice list of files for the customer.
cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) |grep "/home" |grep -v "/home/\*/" |cut -d " " -f3
will use the last session
The following modification of the above will work for Plesk systems
cat /usr/local/maldetect/sess/session.033112-0011.789 |grep "/www" |cut -d " " -f3
Post-Scan: Stat all the things
<source lang='bash'>
lastsess=$(cat /usr/local/maldetect/sess/session.last)
session="/usr/local/maldetect/sess/session.$lastsess"
cp "$session" /root/maldet-full.log
# keep the lines naming a public_html path, drop the first one (the PATH: summary line), and take the file path after the first colon
grep -w public_html /root/maldet-full.log | sed 1d | cut -f2 -d: > /root/maldet-files.log
for file in $(cat /root/maldet-files.log); do
    stat "$file" >> /root/maldet-stat.log
done
</source>
If you plan on pasting the stat results, do the following to separate each stat by a newline:
sed '0~7 a\ ' /root/maldet-stat.log > /root/maldet-newstat.log
New method:
<source lang='bash'>
cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) \
  | tail -n +11 | head -n -2 \
  | awk '{print $3}' \
  | xargs stat -c "p:%a a:%x m:%y c:%z %n" \
  | sort -k3
</source>
Plesk
stat all the things from the last scan to /root/maldet-stat.txt separated by newlines:
cat /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) |grep "/www" |cut -d " " -f3 |xargs stat | sed '0~7 a\ ' > /root/maldet-stat.txt
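The grep/cut pipelines in "Generate a list of flagged files" and the stat loops above both work off the same session report. The script below is an added example (not maldet's own code, nor from this wiki) that does the same two jobs as shell functions: extract the hit paths from a report, and write one stat record per hit in the same "p:%a a:%x m:%y c:%z %n" layout. It assumes hit lines read "SIGNATURE : /path" (the path being the third space-separated field, as the cut -d " " -f3 above relies on) and that the "PATH: /home/*/public_html" summary line is not a hit; the report and docroot tree it runs against are constructed in a temp dir.

```shell
#!/bin/bash
# Added example, not maldet's own code: turn a maldet session report into a
# plain list of hit paths and a stat record per hit, so ownership, permissions
# and timestamps are captured before anything is locked down or quarantined.
#
# Assumed report layout (matches the cut -d " " -f3 used on this page): hit
# lines read "SIGNATURE : /path", so the path is the third space-separated
# field; the "PATH: /home/*/public_html" summary line is not a hit and is
# dropped. Paths containing spaces are not representable in this layout.

# Print hit paths from report $1 whose path contains $2
# ("/home" for cPanel, "/www" for Plesk; default /home).
maldet_hit_paths() {
    local report="$1" needle="${2:-/home}"
    awk -v n="$needle" '
        $2 == ":" && index($3, n) > 0 && $3 !~ /\/\*\// { print $3 }
    ' "$report"
}

# One stat record per existing hit, in the "p:%a a:%x m:%y c:%z %n" layout
# used on this page, sorted by modification time (fields 5-7).
maldet_stat_hits() {
    local report="$1" needle="${2:-/home}" f
    maldet_hit_paths "$report" "$needle" | while IFS= read -r f; do
        if [ -e "$f" ]; then
            stat -c "p:%a a:%x m:%y c:%z %n" -- "$f"
        fi
    done | sort -k5,7
}

# Constructed sample: a fake docroot tree plus a report in the layout above,
# created under a temp dir so the functions can be exercised offline.
# Prints the report path.
maldet_demo_report() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/home/acct1/public_html/uploads" "$d/home/acct2/public_html"
    echo 'constructed sample, not malware' > "$d/home/acct1/public_html/uploads/x.php"
    echo 'constructed sample, not malware' > "$d/home/acct2/public_html/wp-config.php.bak"
    chmod 644 "$d/home/acct1/public_html/uploads/x.php" "$d/home/acct2/public_html/wp-config.php.bak"
    cat > "$d/session.demo" <<EOF
HOST: host.example.com
SCAN ID: 022212-1818.29850
PATH: $d/home/*/public_html
TOTAL FILES: 3
TOTAL HITS: 2
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}constructed.sig.1 : $d/home/acct1/public_html/uploads/x.php
{HEX}constructed.sig.2 : $d/home/acct2/public_html/wp-config.php.bak
EOF
    printf '%s\n' "$d/session.demo"
}

# Stand-alone run against the constructed sample.
maldet_stat_hits "$(maldet_demo_report)" /home
```

On a real box, point it at the last session instead: maldet_stat_hits "/usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last)" /home (or /www for Plesk). The stat records are taken before any chmod or quarantine, which is the order the "quarantine at your own risk" advice above calls for.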
Realtime file monitoring
Troubleshooting the ClamAV binary (scans finish instantly with 0 hits)
When maldet uses the ClamAV binary, it's just calling a clamscan command with its own signature files. For some reason, it calls this with errors piped to /dev/null, so if there is a problem with ClamAV or the maldet databases, the maldet scan will finish instantly after the file list is created. This can now be fixed.
Run this to fix:
> /usr/local/maldetect/sigs/rfxn.hdb
> /usr/local/maldetect/sigs/md5.dat
> /usr/local/maldetect/sigs/hex.dat
> /usr/local/maldetect/sigs/maldet.sigs.ver
> /usr/local/maldetect/sigs/rfxn.ndb
maldet -u
Maldet should then replace the databases and function normally. If one is malformed and the sigs.ver file is current, maldet -u won't fix it unless the above commands are run. If for some reason it's still broken, this might shed some light:
Make a file list (Pick a cPanel username for '$USERNAME'), and run clamAV with the maldet DB's as such:
find /home/$USERNAME/public_html > /home/temp/filelist
clamscan -d /usr/local/maldetect/sigs/rfxn.ndb -d /usr/local/maldetect/sigs/rfxn.hdb -r --infected --no-summary -f /home/temp/filelist
If you get this error, you've found your problem, and the above steps should have fixed it.
LibClamAV Error: Can't load /usr/local/maldetect/sigs/rfxn.ndb: Malformed database
The last thing to look at here that will "break" maldet with clamav scanning, is if one of these directories exists but does not contain signatures:
/var/lib/clamav
/var/clamav
You can fix this with the steps under "Configure Maldet to also use ClamAV Sigs (cPanel servers)" to make sure that /var/lib/clamav contains symlinks to valid signature files.
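Both failure modes in this section (a truncated or malformed maldet signature file, and a /var/lib/clamav or /var/clamav that exists but holds no databases) are cheap to check for before a long scan is started. The following is an added example, not maldet's or the wiki's own code: a pre-flight function that flags an empty signature file in the sigs directory and a present-but-empty ClamAV database directory, following symlinks since the cPanel setup above creates them. The directories it is run against in the demo are constructed in a temp dir.

```shell
#!/bin/bash
# Added example, not maldet's own code: pre-flight check for the two
# conditions this section describes, an empty or missing maldet signature
# file and a ClamAV database directory that exists but holds no signature
# files. Problems are printed; the return code is 0 only when all pass.
#
# $1 = maldet sigs dir (default /usr/local/maldetect/sigs); any further
# arguments are ClamAV db dirs to inspect (default /var/lib/clamav /var/clamav).
maldet_sig_preflight() {
    local sigs="${1:-/usr/local/maldetect/sigs}" rc=0 f d
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then set -- /var/lib/clamav /var/clamav; fi
    # the four signature files maldet -u regenerates; an empty one is the
    # symptom fixed by truncating them and re-running maldet -u
    for f in rfxn.hdb rfxn.ndb md5.dat hex.dat; do
        if [ ! -s "$sigs/$f" ]; then
            echo "missing or empty signature file: $sigs/$f"
            rc=1
        fi
    done
    for d in "$@"; do
        # a dir that does not exist is fine: clamscan never looks there
        if [ ! -d "$d" ]; then continue; fi
        # a dir that exists must hold at least one non-empty regular .cld/.cvd;
        # symlinks are followed, and a dangling link does not count
        if ! find -L "$d" -maxdepth 1 -type f \( -name '*.cld' -o -name '*.cvd' \) -size +0 2>/dev/null | grep -q .; then
            echo "signature dir exists but has no usable databases: $d"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample layout under a temp dir; prints its path. "good" holds a
# non-empty database, "empty" exists but is bare, "broken" only a dangling symlink.
sig_demo_env() {
    local d f; d=$(mktemp -d)
    mkdir -p "$d/sigs" "$d/good" "$d/empty" "$d/broken"
    for f in rfxn.hdb rfxn.ndb md5.dat hex.dat; do
        echo "constructed signature data" > "$d/sigs/$f"
    done
    echo "constructed database" > "$d/good/main.cld"
    ln -s "$d/nonexistent/daily.cld" "$d/broken/daily.cld"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed layout: the second call should
# report the bare directory and return non-zero.
demo=$(sig_demo_env)
maldet_sig_preflight "$demo/sigs" "$demo/good" && echo "good layout: ok"
maldet_sig_preflight "$demo/sigs" "$demo/empty" || echo "empty layout: problems found"
```

On a live cPanel box run it with no arguments; a non-zero return means either the truncate-and-maldet -u steps above or the symlink steps under "Configure Maldet to also use ClamAV Sigs (cPanel servers)" are needed before the scan is worth starting.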
Disappearing files after initial scan
Occasionally you may perform a scan, find a hit, then attempt to stat it because you're awesome, but the file is already gone.
Check to see if maldet is configured to automatically quarantine hits that it finds:
grep ^quarantine_hits /usr/local/maldetect/conf.maldet
If this is 1, set it to 0 to disable maldet auto-quarantine on the hits it finds.
Remember to set this back to $customer_config after you perform your scans.
Thanks to tmead for the info
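The advice in "Quarantining a scan by ID" and in this section fits together: check quarantine_hits before scanning, and prefer chmod 000 over quarantine so the file stays where it is for investigation. The script below is an added example (not maldet's own code, nor from this wiki) that reads the effective quarantine_hits value from conf.maldet and locks the hits from a session.hits file in a reversible way, recording each file's original mode first so it can be put back afterwards. It assumes session.hits lines read "signature:/path", as the cut -d':' -f2 above relies on; the conf fragment and hit files it runs against are constructed in a temp dir.

```shell
#!/bin/bash
# Added example, not maldet's own code: confirm auto-quarantine is off before
# a scan, then lock hit files with chmod 000 in a reversible way, recording
# each file's original mode so it can be restored after review.
#
# Assumed session.hits layout (per the cut -d':' -f2 usage on this page):
# one "signature:/path" line per hit.

# Print the effective quarantine_hits value from conf.maldet ($1).
# Comments are ignored, the last assignment wins, and unset means 0.
maldet_quarantine_hits() {
    local conf="${1:-/usr/local/maldetect/conf.maldet}" v
    v=$(grep -E '^[[:space:]]*quarantine_hits=' "$conf" | tail -n 1 | cut -d= -f2 | tr -d "\"' ")
    printf '%s\n' "${v:-0}"
}

# Lock every existing hit listed in $1: append "mode path" to the log $2,
# then chmod 000. Hits that are already gone (quarantined?) go to stderr.
# Prints the number of files locked.
maldet_lock_hits() {
    local hits="$1" log="$2" n=0 line f
    : > "$log"
    while IFS= read -r line; do
        f=${line#*:}
        if [ -e "$f" ]; then
            printf '%s %s\n' "$(stat -c %a "$f")" "$f" >> "$log"
            chmod 000 "$f"
            n=$((n + 1))
        else
            printf 'not found (already quarantined?): %s\n' "$f" >&2
        fi
    done < "$hits"
    printf '%s\n' "$n"
}

# Restore the modes recorded by maldet_lock_hits from log $1.
maldet_unlock_hits() {
    local log="$1" mode f
    while read -r mode f; do
        if [ -e "$f" ]; then chmod "$mode" "$f"; fi
    done < "$log"
}

# Constructed sample environment under a temp dir; prints its path.
# The third hit points at a file that does not exist, to exercise the
# "already gone" branch described in this section.
maldet_demo_env() {
    local d; d=$(mktemp -d)
    printf '# constructed conf.maldet fragment\nquarantine_hits="1"\nemail_alert="0"\n' > "$d/conf.maldet"
    mkdir -p "$d/home/acct1/public_html"
    echo 'constructed sample, not malware' > "$d/home/acct1/public_html/a.php"
    echo 'constructed sample, not malware' > "$d/home/acct1/public_html/b.php"
    chmod 644 "$d/home/acct1/public_html/a.php" "$d/home/acct1/public_html/b.php"
    printf '{HEX}constructed.sig.1:%s\n{HEX}constructed.sig.2:%s\n{HEX}constructed.sig.3:%s\n' \
        "$d/home/acct1/public_html/a.php" \
        "$d/home/acct1/public_html/b.php" \
        "$d/home/acct1/public_html/gone.php" > "$d/session.hits.demo"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed environment.
demo=$(maldet_demo_env)
echo "quarantine_hits is $(maldet_quarantine_hits "$demo/conf.maldet") (1 means hits would vanish into quarantine)"
echo "locked $(maldet_lock_hits "$demo/session.hits.demo" "$demo/locks.log") file(s); modes saved in $demo/locks.log"
maldet_unlock_hits "$demo/locks.log"
```

On a live box the hits file is /usr/local/maldetect/sess/session.hits.$SCANID, and the lock log is what lets you "set this back" once the customer's files have been reviewed.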
Maldet won't work on centOS4 (line 47: syntax error)
Maldet has this error when installed on centos4:
<source lang="text">
# maldet -a `pwd`
/usr/local/sbin/maldet: line 47: conditional binary operator expected
/usr/local/sbin/maldet: line 47: syntax error near `=~'
/usr/local/sbin/maldet: line 47: ` if [[ "$args" =~ "modsec" ]]; then'
</source>
Cent4 doesn't have a new enough bash version to recognize =~ as a conditional operator. It was introduced in Bash 3, whereas cent4 has Bash 2.x.
The bandaid fix is to edit /usr/local/sbin/maldet and change =~ to =
This should allow maldet to work. If the scan finishes instantly with no results, and the above section does not fix it, you might also have to edit this line in /usr/local/sbin/maldet:
for hit in `$clamscan -d $inspath/sigs/rfxn.ndb -d $inspath/sigs/rfxn.hdb $clamav_db -r --infected --no-summary -f $find_results 2> /dev/null | tr -d ':' | sed 's/.UNOFFICIAL//' | awk '{print$2":"$1}'`; do
Simply remove '$clamav_db', so the line becomes:
for hit in `$clamscan -d $inspath/sigs/rfxn.ndb -d $inspath/sigs/rfxn.hdb -r --infected --no-summary -f $find_results 2> /dev/null | tr -d ':' | sed 's/.UNOFFICIAL//' | awk '{print$2":"$1}'`; do
This is because there could be an issue with clamav's own definitions stopping maldet from using it. If you need further information on this, please ask me (akwiecinski).
Disable scanning /tmp on every scan
Maldet scans /tmp, /var/tmp, and /dev/shm on every scan now. This can be very annoying if you have to scan multiple accounts individually, and will throw off your file count like so:
<source lang="text">
maldet(622028): {scan} scan completed on /home/somedude/hisdir/: files 714, malware hits 0, cleaned hits 0
# ls -la /home/somedude/hisdir
-rw-r--r-- 1 somedude somedude 9001 Aug 23 13:31 datfile
</source>
User 'somedude' only has one file in the directory, yet maldet found 714 because 713 of those were in /tmp
To disable this, simply comment out this line ( tmpdir_paths="/dev/shm /tmp /var/tmp" ) in /usr/local/maldetect/maldet or use this handy one-liner to unset tmpdir_paths:
sed -i 's/tmpdir_paths="\/dev\/shm \/tmp \/var\/tmp"/tmpdir_paths=""/g' /usr/local/maldetect/maldet
Thank you AlexK for this info.
Additional Resources
http://www.webhostingtalk.com/wiki/Linux_Malware_Detect
Change Run Time
Either edit /etc/anacrontab to change the hours during which the /etc/cron.daily jobs may start, from:
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22
to
START_HOURS_RANGE=14-16
(guy lives in Thailand)
or move that maldet crontab to the root crontab so you can have finer control over when it starts.