Using MalDet to Protect Servers from Malware and Spammers
Linux Malware Detect (LMD), commonly called MalDet, is a third-party malware scanner designed specifically for shared hosting environments. InterWorx is not affiliated with MalDet and does not directly support it, but it is a useful tool for identifying and removing malware that may be used to send spam from the server.
Detailed information on MalDet is available from its maintainer, R-fx Networks (rfxn.com).
Note: A full listing of MalDet's options can be found in the README file, or by running maldet --help after installation.
Installing MalDet

1. Log in to the server at the CLI as root, either via SSH or from the terminal.

2. Download the tarball for the current version of MalDet using wget:

```
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
```

   Because the install script runs as root, prefer fetching the tarball over HTTPS (the same path on https://www.rfxn.com) so it cannot be tampered with in transit.

3. Using tar, extract the file:

```
tar -zxvf maldetect-current.tar.gz
```

4. Navigate to the directory where the contents of the tar file were extracted. This resides in the current directory and is named maldetect-[current-version]. In this example, the current version is 1.6.4:

```
cd maldetect-1.6.4/
```

5. Run the install script located in that directory:

```
./install.sh
```
Running a Scan

1. Log in to the server at the CLI as root, either via SSH or from the terminal.

2. Run maldet -a with the directory to be scanned. For example, to scan all files in the /chroot/home directory:

```
[root@server ~]# maldet -a /chroot/home/
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(1578): {scan} signatures loaded: 17189 (14367 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(1578): {scan} building file list for /chroot/home/, this might take awhile...
maldet(1578): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(1578): {scan} file list completed in 0s, found 1513 files...
maldet(1578): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(1578): {scan} scan of /chroot/home/ (1513 files) in progress...
maldet(1578): {scan} scan completed on /chroot/home/: files 1513, malware hits 0, cleaned hits 0, time 34s
maldet(1578): {scan} scan report saved, to view run: maldet --report 210130-1407.1578
[root@server ~]#
```

   MalDet uses the ClamAV engine when a clamscan binary is installed, as in this example; otherwise it falls back to its own scanner.

3. After the scan is complete, the last line of the output gives the ID of the saved report (see the example output above). Running the provided command, maldet --report [report number], prints a report of what files were scanned and the findings, if any:

```
HOST:
SCAN ID:   210130-1407.1578
STARTED:   Jan 30 2021 14:07:20 -0500
COMPLETED: Jan 30 2021 14:07:54 -0500
ELAPSED:   34s [find: 0s]

PATH:          /chroot/home/
TOTAL FILES:   1513
TOTAL HITS:    0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >
```

Note that maldet -a only scans and reports; by default nothing is quarantined or cleaned. Hits from a completed scan can be quarantined afterwards with maldet -q [report number], or automatically by setting quarantine_hits=1 in /usr/local/maldetect/conf.maldet.
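The install and scan procedures above, wrapped into one script as an added example (this is not InterWorx's or the MalDet project's own code). It derives the extracted directory name from the tarball instead of hardcoding the version, and it parses the "scan completed" and "scan report saved" lines of maldet's output so that a cron job can fail and print the report when anything is hit. The script name maldet-wrap.sh, the function names, and the second sample transcript (a run with two hits) are assumptions made up for this example; the HTTPS download URL, the scan output format and conf.maldet are as described on this page.

```shell
#!/usr/bin/env bash
# maldet-wrap.sh: wraps the install and scan procedures from this page.
# Added example for this page, not InterWorx's or the MalDet project's code.
# Assumes: run as root; wget, tar and awk on PATH; maldet installed on PATH
# by install.sh; and the scan output format shown in the page's sample run.

MALDET_URL="https://www.rfxn.com/downloads/maldetect-current.tar.gz"

# Print the top-level directory inside a tarball (e.g. maldetect-1.6.4),
# so the version number never has to be hardcoded in the cd step.
tarball_topdir() {
    tar -tzf "$1" | awk -F/ '$1 != "" && $1 != "." && top == "" { top = $1 } END { print top }'
}

# Download, extract and install MalDet from a scratch directory.
install_maldet() {
    local work tarball topdir rc
    work=$(mktemp -d) || return 1
    tarball="$work/maldetect-current.tar.gz"
    wget -q -O "$tarball" "$MALDET_URL" || { echo "download failed" >&2; rm -rf "$work"; return 1; }
    topdir=$(tarball_topdir "$tarball")
    tar -xzf "$tarball" -C "$work"
    (cd "$work/$topdir" && ./install.sh)
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Read a scan transcript on stdin and print "<hits> <cleaned> <report id>".
# Exits 1 if the summary lines are missing (e.g. the scan was interrupted).
parse_scan_summary() {
    awk '
        / scan completed on / {
            for (i = 1; i <= NF; i++) {
                if ($i == "malware" && $(i+1) == "hits") { hits = $(i+2); sub(/,/, "", hits) }
                if ($i == "cleaned" && $(i+1) == "hits") { cleaned = $(i+2); sub(/,/, "", cleaned) }
            }
        }
        / --report / { report = $NF }
        END {
            if (hits == "" || report == "") exit 1
            print hits, cleaned, report
        }'
}

# Scan a directory; print the full report and return 1 when anything was hit,
# so this can drive a cron job or an alert. maldet -a only reports; quarantine
# separately (maldet -q REPORTID) or via quarantine_hits=1 in conf.maldet.
scan_and_report() {
    local dir=$1 out summary
    out=$(maldet -a "$dir" 2>&1)
    summary=$(printf '%s\n' "$out" | parse_scan_summary) || {
        printf '%s\n' "$out" >&2
        echo "could not find scan summary in maldet output" >&2
        return 2
    }
    set -- $summary
    echo "maldet: $dir: $1 hit(s), $2 cleaned, report $3"
    if [ "$1" -gt 0 ]; then
        maldet --report "$3"
        return 1
    fi
}

# Constructed sample transcripts for exercising the parser offline. The first
# is the clean run shown on this page; the second is made up for this example.
SAMPLE_SCAN_CLEAN='maldet(1578): {scan} scan completed on /chroot/home/: files 1513, malware hits 0, cleaned hits 0, time 34s
maldet(1578): {scan} scan report saved, to view run: maldet --report 210130-1407.1578'
SAMPLE_SCAN_HITS='maldet(2211): {scan} scan of /chroot/home/ (1513 files) in progress...
maldet(2211): {scan} scan completed on /chroot/home/: files 1513, malware hits 2, cleaned hits 0, time 36s
maldet(2211): {scan} scan report saved, to view run: maldet --report 210130-1502.2211'

# Usage: ./maldet-wrap.sh install  |  ./maldet-wrap.sh scan /chroot/home
case "${1:-}" in
    install) install_maldet ;;
    scan)    scan_and_report "${2:?usage: $0 scan DIR}" ;;
esac
```

Run as root with `./maldet-wrap.sh scan /chroot/home` from cron; a non-zero exit plus the printed report is the signal to act on, and the parser failing (exit 2) distinguishes a scan that never finished from a clean one.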