Using MalDet to Protect Servers from Malware and Spammers

Linux Malware Detect, or MalDet, is a third-party program designed specifically to detect malware in shared hosting environments. While InterWorx is not affiliated with MalDet and does not directly support it, it can be a useful tool for identifying and removing malware that may be used to send spam from the server.

Detailed information on MalDet can be found on the project's site at rfxn.com.

Note

A full listing of MalDet's options can be found in the README file, or by running maldet --help after installation.

Installing MalDet

  1. Log in to the server at the CLI as root, either via SSH or from the terminal

  2. Download the tarball for the current version of MalDet, using wget. Fetch it over https so the archive cannot be altered in transit

    wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
    
  3. Using tar, extract the file

    tar -zxvf maldetect-current.tar.gz
    
  4. Navigate to the directory where the contents of the tar file were extracted. This will reside in the current directory and be named maldetect-[current-version]; substitute whatever version the tarball actually contained (tar -tzf maldetect-current.tar.gz shows it). In this example, the current version is 1.6.4

    cd maldetect-1.6.4/
    
  5. Run the install script, located in that directory

    ./install.sh
    
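The install steps above hard-code the version number in step 4. The following script is an added example, not part of this article or of the MalDet project: it reads the top-level directory name out of the tarball itself, so the same commands keep working when maldetect-current.tar.gz contains a later release. The download URL is the one used above (over https); the temporary working directory and the use of wget are assumptions.

```sh
#!/bin/sh
# Added example (not from the InterWorx article or the MalDet project):
# install MalDet without hard-coding the version in the directory name.
set -eu

# Print the single top-level directory inside a maldetect tarball,
# e.g. "maldetect-1.6.4".  Fails if the archive does not have exactly
# one top-level entry, so a tampered or unexpected archive is not installed.
maldet_extract_dir() {
    dirs="$(tar -tzf "$1" | sed 's,/.*,,' | sort -u)"
    count="$(printf '%s\n' "$dirs" | wc -l | tr -d ' ')"
    if [ "$count" -ne 1 ]; then
        echo "unexpected tarball layout: $count top-level entries" >&2
        return 1
    fi
    printf '%s\n' "$dirs"
}

# Download over https, unpack into a fresh temporary directory and run
# the bundled installer.  Must be run as root.  The working directory
# and the URL are assumptions for this example.
maldet_install() {
    url="https://www.rfxn.com/downloads/maldetect-current.tar.gz"
    workdir="$(mktemp -d)"
    cd "$workdir"
    wget -q "$url"
    dir="$(maldet_extract_dir maldetect-current.tar.gz)"
    tar -zxf maldetect-current.tar.gz
    cd "$dir"
    ./install.sh
}
```

Source the file and call maldet_install as root; maldet_extract_dir can also be used on its own to check an already-downloaded archive before extracting it.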

Running a Scan

  1. Log in to the server at the CLI as root, either via SSH or from the terminal

  2. Run maldet -a (short for --scan-all) with the directory to be scanned. For example, to scan all files in the /chroot/home directory (for a recurring scan, maldet -r [path] [days] limits the scan to files modified within the last [days] days, which is much lighter on a busy server):

    [root@server ~]# maldet -a /chroot/home/
    Linux Malware Detect v1.6.4
          (C) 2002-2019, R-fx Networks <proj@rfxn.com>
          (C) 2019, Ryan MacDonald <ryan@rfxn.com>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(1578): {scan} signatures loaded: 17189 (14367 MD5 | 2039 HEX | 783 YARA | 0 USER)
    maldet(1578): {scan} building file list for /chroot/home/, this might take awhile...
    maldet(1578): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    maldet(1578): {scan} file list completed in 0s, found 1513 files...
    maldet(1578): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
    maldet(1578): {scan} scan of /chroot/home/ (1513 files) in progress...
    
    maldet(1578): {scan} scan completed on /chroot/home/: files 1513, malware hits 0, cleaned hits 0, time 34s
    maldet(1578): {scan} scan report saved, to view run: maldet --report 210130-1407.1578
    [root@server ~]#
    
  3. After the scan is complete, it will name a report of its findings (see the last line in the example output above). Running the provided command, maldet --report [report number], prints what was scanned and the findings, if any. By default MalDet only reports hits and does not touch the files; to quarantine the hits from a given scan, run maldet -q [report number], or enable quarantine_hits in /usr/local/maldetect/conf.maldet

      HOST:
      SCAN ID:   210130-1407.1578
      STARTED:   Jan 30 2021 14:07:20 -0500
      COMPLETED: Jan 30 2021 14:07:54 -0500
      ELAPSED:   34s [find: 0s]
    
      PATH:          /chroot/home/
      TOTAL FILES:   1513
      TOTAL HITS:    0
      TOTAL CLEANED: 0
    
    ===============================================
    Linux Malware Detect v1.6.4 < proj@rfxn.com >