Linux Malware Detect - antivirus for web servers

The Internet is no longer the same as before - there are enemies around. The topic of detecting a direct infection of a site and searching for malicious / infected scripts on a hacked site is poorly considered, we will try to fix it.
So, we present to your attention Linux Malware Detect.

Linux Malware Detect (LMD) is a Linux scanner designed to search for web shells, spam bots, trojans, malicious scripts and other typical threats specific to web spaces and is especially relevant for virtual shared hosting platforms. The main difference from other Linux antiviruses is its web-based, web site file scanning, because ordinary antiviruses are guided by more global system-level threats.

What can

• Search for threats on the MD5 database and recognition of the type of threat (for example, php.cmdshell.nan.296.HEX) on the HEX database.
• Statistical analysis of files for obfuscated malware and injections.
• Detection of ClamAV installed in the system for use as a scanner.
• Manual and automatic (crown) update signatures.
• Manual and automatic update of the version of the script itself.
• Ability to scan recently added / modified files (for example, for the last 2 days).
• The option to upload detected potential threats to the official website for analysis.
• Reporting system.
• Cleaning files from malicious injections.
• Crown blanks to run a regular scan of userspaces or other directories.
• Exception sets by extensions, signatures and paths.
• Ability to send scan results to e-mail.
• Real-time monitoring of created / modified / modified files using inotify_watch: monitoring selected users, directories or files.
• … And so on.

')

How it works

Scanning is performed using a custom grep-based script, and if ClamAV is installed on the system, then using clamscan. Similarly with signatures: the program has its signature database, but if ClamAV is installed in the system, it also uses its base.

Signature sources:

1. Slice network data. LMD developer is a hosting administrator for 35.000 sites, data is analyzed and processed daily. The main source of signatures.
2. Community data collected from antimalvar sites.
3. ClamAV, interchange signatures.
4. Data sent by users.

Signatures are updated almost daily, RSS feed with updates of signatures is present on the official website.

The scan results are saved to a file, and can also be sent to the e-mail specified in the config file. Alas, no integration with popular control panels, if you are a hoster, customers will have to send messages manually.

Integration with the popular ISPmanager and Cpanel panels would be a good contribution to the community (this is the case if you wish).

What does it give

• Allows you to monitor the security of your sites on VDS and DS.
• Hosters - daily scanning and sending alerts to customers will increase customer loyalty, which is often very far from knowledge of coding and the basics of security.
• If your site or client site is hacked - you will know about it either immediately (if real-time monitoring is enabled) or during the period selected for cron-scanning. After all, “forewarned means armed”: infected sites often become sources of spamming with all the consequences (for example, blacklisting of IP in DNSBL).

Typical Detection Examples

The scan report looks like this:

malware detect scan report for servername: SCAN ID: 090913-1000.17637 TIME: Sep 9 16:04:40 +0300 PATH: /var/www RANGE: 2 days TOTAL FILES: 151224 TOTAL HITS: 5 TOTAL CLEANED: 0 {HEX}php.cmdshell.unclassed.344 : www/user1/data/www/example.com/wp-content/plugins/7ja1i/nxeogyqbd3h.php {HEX}php.cmdshell.cih.215 : /var/www/user1/data/www/example.com/xyiznwsk/info.php {CAV}PHP.Trojan.Spambot : www/user1/data/www/example.com/wwp-content/plugins/customize-admin/bannerTQIz.php {HEX}php.nested.base64.513 : /var/www/user1/data/www/example.com/engine/modules/topnews.php {HEX}base64.inject.unclassed.6 : /var/www/user1/data/www/example.com/wp-content/plugins/wpematico/app/settings_page.php {HEX}gzbase64.inject.unclassed.14 : /var/www/user1/data/director/example.com/wp-content/themes/zenith/404.php 

Installation

Downloading:

 wget http://www.rfxn.com/downloads/maldetect-current.tar.gz 

Unpack:

 tar -zxvf maldetect-current.tar.gz 

Run the installation:

 sh ./install.sh 

When you run install.sh, the installer places the LMD files in / usr / local / maldetect, puts the executable script in / usr / local / sbin and libinotifytools.so.0 in / usr / lib.

The installation process automatically creates daily cron jobs for updating signatures and starting a scan. By default, the configuration shows typical paths for scanning Webspaces of popular control panels, such as ensim, psa, DirectAdmin, cpanel, interworx, and default apache paths for hosting sites (/ var / www / html, / usr / local / apache / htdocs). For ISPmanager, the path / var / www / will have to be added manually.

Customization

The LMD config is located in the /usr/local/maldetect/conf.maldet file.
The config is well documented and allows you to customize everything your heart desires.

On a note:

ionice -c 3 added to the startup lines of scripts for searching and scanning files will help prevent the load on the disk subsystem by setting the lowest i / o priority.

In the / usr / local / maldetect / maldet file
we find:

 find="$find" 

change to:

 find="ionice -c 3 $find" 

we find:

 clamscan="$clamscan" 

change to:

 clamscan="ionice -c 3 $clamscan" 

It should be noted that this solution is a kind of “crutch”, this option should be added to the upstream.

Typical commands

Run the scan of the specified directory:

 # maldet -a /home/user1/exapmle.com 

At the end we get the result of the form:

 maldet(24128): {scan} scan completed on example.com: files 4, malware hits 0, cleaned hits 0 maldet(24128): {scan} scan report saved, to view run: maldet --report 091713-1715.24128 

See the report:

 #maldet --report 091713-1715.24128 

Forcibly update bases with rfxn.com:

 #maldet -u 

Forced update of rfxn.com version:

 #maldet -d 

We scan all files that were changed in the last X days (in this case, 2) in the specified directory

 #maldet -r /home/user1/ 2 

We send an unknown vulnerability to rfxn.com:

 #maldet -c /home/user1/file.php 

Quarantine SCANID scan results (id from scan results)

 #maldet -q 091713-1715.24128 

Trying to clear scan results

 #maldet -n, --clean 091713-1715.24128 

The program is licensed under the GNU GPLv2.
Official project page: http://www.rfxn.com/projects/linux-malware-detect Linux Malware Detect.

I have experience of use and settings, I will gladly answer all questions in the comments.