Vesta Control Panel - Forum

[HowTo] Install and use (LMD) Linux Malware Detect, ClamAV with VestaCP on CentOS 7 / RHEL 7

xorro
Posts: 87
Joined: Sun Nov 13, 2016 3:11 pm

Os: CentOS 6x
Web: apache + nginx

Post by xorro » Fri Aug 31, 2018 8:22 am

Many people get upset about getting hacked and they think this is a problem with VestaCP only. Well, no, this is not VestaCP's fault; this is your fault, because you are the one who is not able to secure your server. Enough of blaming, you guys, lol. Let's get this fixed.
Project: https://github.com/rfxn/linux-malware-detect
Project: http://www.rfxn.com/projects/linux-malware-detect/
LMD is not available in the official CentOS repositories as a pre-built package, but it is available as a tarball from the LMD project website.

Download the latest version of LMD using the following command:

Code:

    cd /tmp/
    curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz

Unpack the tarball and get into the extracted directory:

Code:

    tar -zxvf maldetect-current.tar.gz
    cd maldetect*

Run the installation script install.sh present in the extracted directory:

Code:

    bash install.sh

Installation output:

Code:

    Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
    Linux Malware Detect v1.6
     (C) 2002-2017, R-fx Networks <[email protected]>
     (C) 2017, Ryan MacDonald <[email protected]>
    This program may be freely redistributed under the terms of the GNU GPL

    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet
    maldet(1344): {sigup} performing signature update check...
    maldet(1344): {sigup} local signature set is version 2017070716978
    maldet(1344): {sigup} new signature set (2017080720059) available
    maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
    maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
    maldet(1344): {sigup} verified md5sum of maldet-sigpack.tgz
    maldet(1344): {sigup} unpacked and installed maldet-sigpack.tgz
    maldet(1344): {sigup} verified md5sum of maldet-clean.tgz
    maldet(1344): {sigup} unpacked and installed maldet-clean.tgz
    maldet(1344): {sigup} signature set update completed
    maldet(1344): {sigup} 15215 signatures (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)

The main configuration file of LMD is /usr/local/maldetect/conf.maldet, and you can modify it according to your requirements.

Code:

    nano /usr/local/maldetect/conf.maldet

Below are some of the important settings you should have on your system for successful detection and deletion of threats.

Code:

    # Enable Email Alerting
    email_alert="1"

    # Email Address in which you want to receive scan reports
    email_addr="[email protected]"

    # Use with ClamAV
    scan_clamscan="1"

    # Enable scanning for root owned files. Set 1 to disable.
    scan_ignore_root="0"

    # Move threats to quarantine
    quarantine_hits="1"

    # Clean string based malware injections
    quarantine_clean="1"

    # Suspend user if malware found.
    quarantine_suspend_user="1"

    # Minimum userid value that can be suspended
    quarantine_suspend_user_minuid="500"

Skip to scanning for malware if you do not want to use LMD with ClamAV. ClamAV comes pre-installed with VestaCP, so if you are using VestaCP you can ignore the steps below. If you have somehow removed ClamAV from your VestaCP VPS, or you are not using VestaCP, then use the steps below to install ClamAV.

LMD with ClamAV
LMD performs better in scanning large file sets with ClamAV. ClamAV (Clam Antivirus) is an open source antivirus solution to detect viruses, malware, trojans and other malicious programs.

ClamAV is available on EPEL repository, so configure it on your CentOS / RHEL machine.

Code:

    rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Install ClamAV using the YUM command:

Code:

    yum -y install clamav clamav-devel clamav-update inotify-tools

Now, update the ClamAV virus databases using the following command:

Code:

    freshclam

No additional configuration is required with LMD, as the use of ClamAV with LMD is enabled by default.

Test LMD

Let us test the functionality of LMD using a test virus. Download the virus signature from the EICAR website:

Code:

    cd /tmp
    wget http://www.eicar.org/download/eicar_com.zip
    wget http://www.eicar.org/download/eicarcom2.zip

Now, scan the directory for malware:

Code:

    maldet -a /tmp

Output:

Code:

    Linux Malware Detect v1.6.2
                (C) 2002-2017, R-fx Networks <[email protected]>
                (C) 2017, Ryan MacDonald <[email protected]>
    This program may be freely redistributed under the terms of the GNU GPL v2

    maldet(2004): {scan} signatures loaded: 15215 (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)
    maldet(2004): {scan} building file list for /tmp, this might take awhile...
    maldet(2004): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    maldet(2004): {scan} file list completed in 0s, found 74 files...
    maldet(2004): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
    maldet(2004): {scan} scan of /tmp (74 files) in progress...
    maldet(2004): {scan} processing scan results for hits: 2 hits 0 cleaned
    maldet(2004): {scan} scan completed on /tmp: files 74, malware hits 2, cleaned hits 0, time 11s
    maldet(2004): {scan} scan report saved, to view run: maldet --report 180814-1254.2018
    maldet(2004): {alert} sent scan report to [email protected]

From the output, you can see that LMD is using the ClamAV scanner engine to perform the scan, and that the scan found two malware hits.

LMD Scan Report
LMD stores scan reports under /usr/local/maldetect/sess/. Use the maldet command with SCAN ID to see the detailed scanning report.

Code:

    maldet --report 180814-1254.2018

Output:

Code:

    SUBJECT: maldet alert from server.root.local
    HOST:      lmddd
    SCAN ID:   180814-1254.2018
    STARTED:   Aug 14 2018 10:58:20 +0000
    COMPLETED: Aug 14 2018 13:02:31 +0000
    ELAPSED:   11s [find: 0s]

    PATH:          /tmp
    TOTAL FILES:   74
    TOTAL HITS:    2
    TOTAL CLEANED: 0

    FILE HIT LIST:
    {HEX}EICAR.TEST.10 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.215484128
    {HEX}EICAR.TEST.10 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.534568742
    ===============================================
    Linux Malware Detect v1.6.2 < [email protected] >

You can see that both files are now quarantined.

Extra Commands & Details
You can then remove all quarantined files with:

Code:

    rm -rf /usr/local/maldetect/quarantine/*

Or use the command below to clean with maldet:

Code:

    maldet --clean SCANID

Since maldet needs to be integrated with cron, you need to set the following variables in root's crontab (type crontab -e as root and hit the Enter key) in case you notice that LMD is not running correctly on a daily basis:

Code:

    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    HOME=/
    SHELL=/bin/bash

You can also add the cron job via VestaCP.

To check the email report from LMD, use this command:

Code:

    tail -f /var/mail/root

Perform a scan for a specific file extension only:

Code:

    maldet -a /var/www/html/*.php

Get a list of all reports:

Code:

    maldet -e list

Scan files that have been created/modified in the last X days:

Code:

    maldet -r /var/www/html/ 5

5 = the number of days to look back.

Restore files from the quarantine directory.

Code:

    maldet -s SCANID

Enable monitoring of a directory:

Code:

    maldet -m /var/www/html/

Check the monitor log file:

Code:

    tail -f /usr/local/maldetect/logs/inotify_log

Use the following command to update your LMD:

Code:

    maldet -d

To update LMD signatures, run:

Code:

    maldet -u
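The conf.maldet settings recommended in the post above tend to drift after an upgrade or a manual edit. As an added example (not from the original post or the LMD project), this POSIX sh script audits a conf.maldet file against those values; the config fragment it writes is constructed sample input, not a real configuration.

```shell
# Added example, not from the original post: audit a conf.maldet file
# against the settings recommended in the post; exit status = mismatches.
# Recommended key=value pairs, copied from the post's config listing.
LMD_EXPECTED='email_alert=1
scan_clamscan=1
scan_ignore_root=0
quarantine_hits=1
quarantine_clean=1
quarantine_suspend_user=1
quarantine_suspend_user_minuid=500'

# Effective value of key $2 in conf file $1: last uncommented assignment
# wins, double quotes stripped. Prints nothing if absent/commented out.
lmd_conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# Compare each expected key; prints mismatches, returns their count.
check_maldet_conf() {
    conf="$1"; bad=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 99; }
    for pair in $LMD_EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(lmd_conf_get "$conf" "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have '${have:-<unset>}', want '$want'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample (not a real conf.maldet): alerting off, clean option
# commented out, minuid set to 1000 -> three mismatches expected.
write_sample_conf() {
    cat > "$1" <<'EOF'
email_alert="0"
scan_clamscan="1"
scan_ignore_root="0"
quarantine_hits="1"
#quarantine_clean="1"
quarantine_suspend_user="1"
quarantine_suspend_user_minuid="1000"
EOF
}
sample=$(mktemp) && write_sample_conf "$sample"
check_maldet_conf "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

Run it from cron against /usr/local/maldetect/conf.maldet and mail the output; a non-zero exit means the quarantine or alerting settings no longer match what you intended.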
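Added example, not part of the original post: a POSIX sh parser for the scan report format shown in the "LMD Scan Report" section above (the FILE HIT LIST block), which checks that every reported hit carries a quarantine path and that TOTAL HITS matches the hit lines listed. The report it writes is constructed sample input; the hit line without a "=>" target is assumed to be how LMD lists a hit that was not quarantined.

```shell
# Added example, not from the original post: extract the FILE HIT LIST from a
# saved LMD scan report and verify that every hit was quarantined.
# Constructed sample in the report layout shown in the post (values made up);
# the third hit is assumed to be how a non-quarantined hit is listed.
write_sample_report() {
    cat > "$1" <<'EOF'
SCAN ID:   180814-1254.2018
PATH:          /tmp
TOTAL FILES:   74
TOTAL HITS:    3
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}EICAR.TEST.10 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.215484128
{HEX}EICAR.TEST.10 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.534568742
{YARA}eicar_av_test : /tmp/eicar.com
===============================================
EOF
}

# One "signature<TAB>file<TAB>quarantine_path" line per hit; the last field
# is empty when the hit was reported but not moved to quarantine.
lmd_report_hits() {
    awk -F' : ' '
        /^FILE HIT LIST:/ { inlist = 1; next }
        /^=+$/            { inlist = 0 }
        inlist && NF >= 2 {
            file = $2; q = ""
            if (split($2, p, " => ") == 2) { file = p[1]; q = p[2] }
            printf "%s\t%s\t%s\n", $1, file, q
        }' "$1"
}

# Number of hits without a quarantine path (0 = everything contained).
lmd_report_unquarantined() {
    lmd_report_hits "$1" | awk -F'\t' '$3 == "" { n++ } END { print n + 0 }'
}

# The TOTAL HITS header must match the number of hit lines actually listed.
lmd_report_consistent() {
    declared=$(sed -n 's/^TOTAL HITS:[[:space:]]*//p' "$1")
    found=$(lmd_report_hits "$1" | wc -l | tr -d ' ')
    [ "$declared" = "$found" ]
}

sample=$(mktemp) && write_sample_report "$sample"
lmd_report_hits "$sample"
echo "unquarantined hits: $(lmd_report_unquarantined "$sample")"
lmd_report_consistent "$sample" && echo "TOTAL HITS matches the hit list"
rm -f "$sample"
```

Point lmd_report_hits at a file under /usr/local/maldetect/sess/ to get the same tab-separated list for a real scan.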