Linux Malware Detection

I'm running CentOS in the lab environment and ran into an issue with the NOC saying a botnet had hijacked one or some of my hosts. I'm installing LMD, starting with the epel-release repository:

yum -y install epel-release

We also need inotify-tools so that LMD has access to the inotifywait command when it's scanning:

yum -y install inotify-tools

Installing LMD itself is also pretty straightforward:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract the tarball and run the install.sh script it contains.

Configure Linux Malware Detection in /usr/local/maldetect/conf.maldet: look for clamscan="1" and quarantine_clean="1". I'm scanning everything in /var/www/html, so to run it:

maldet -a /var/www/html

This process takes a while!
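The configuration and scan steps above, as an added shell example that is not part of the original post: the option keys and paths are the ones the post names, while the helper names and the MALDET_BIN check are assumptions.

```shell
#!/bin/sh
# Added example: set the two conf.maldet options the post mentions in an
# idempotent way, then run the same scan the post runs.
CONF="${CONF:-/usr/local/maldetect/conf.maldet}"   # path named in the post

# set_opt FILE KEY VALUE: rewrite KEY="..." in FILE, or append it if absent,
# so re-running the script never duplicates a line.
set_opt() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_opt FILE KEY: print the value currently set for KEY (without quotes).
get_opt() {
    sed -n "s|^$2=\"\(.*\)\"|\1|p" "$1"
}

# configure_maldet FILE: the settings the post changes (keys as written there).
configure_maldet() {
    set_opt "$1" clamscan 1
    set_opt "$1" quarantine_clean 1
}

# scan_path DIR: run the scan exactly as the post does, if maldet is installed
# (MALDET_BIN is an assumed override for non-standard install locations).
scan_path() {
    bin="${MALDET_BIN:-maldet}"
    command -v "$bin" >/dev/null 2>&1 || { echo "maldet not found" >&2; return 1; }
    "$bin" -a "$1"
}

# Typical use on the host: configure_maldet "$CONF" && scan_path /var/www/html
```

Because quarantine_clean="1" lets maldet modify the files it flags, run a first pass with the default report-only settings and review the report before enabling it on a production web root.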

# maldet -a /var/www/html/
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(6887): {scan} signatures loaded: 17029 (14209 MD5 | 2035 HEX | 785 YARA | 0 USER)
maldet(6887): {scan} building file list for /var/www/html/, this might take awhile...
maldet(6887): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(6887): {scan} file list completed in 68s, found 468811 files...
maldet(6887): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
maldet(6887): {scan} scan of /var/www/html/ (468811 files) in progress...
