How to detect malware on Linux with LMD

If you are running a mission-critical web server, or managing shared hosting environments on Linux, chances are that you constantly watch out for potential threats from Linux malware such as viruses, trojans, rootkits and worms. While staying up-to-date with the latest server hardening guides is a must to prevent any future attack, you may wish to add malware detection tools to your arsenal for extra security.

Linux Malware Detect (LMD) is a free, GPL-licensed, signature-based (MD5 and hex pattern) malware scanner for Linux, written with shared hosting environments in mind. In this guide, I will show you how to install and configure LMD to scan for malware on your Linux system.

To install LMD, download the current tarball, unpack it and run the installer as root. Note that both the tarball and the signature updates are fetched over plain HTTP with no integrity check, so download on a network path you trust and read install.sh before running it with sudo.

$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ tar xvfz maldetect-current.tar.gz
$ cd maldetect-1.4.2
$ sudo ./install.sh
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks 
            (C) 2011, Ryan MacDonald 
inotifywait (C) 2007, Rohan McGovern 
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(6073): {sigup} performing signature update check...
maldet(6073): {sigup} local signature set is version 201205035915
maldet(6073): {sigup} new signature set (2013031328301) available
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(6073): {sigup} signature set update completed
maldet(6073): {sigup} 10849 signatures (8981 MD5 / 1868 HEX)

After installation, a daily cron job is added as /etc/cron.daily/maldet. It checks for a new version of LMD and for updated malware definition/signature files and installs them automatically. Read the script to see exactly what else it runs on your release: besides the update, it either scans recently changed files under the default web document roots (adjust those paths to your own layout) or, when inotify-based real-time monitoring is running, summarises that day's monitor hits.

To initiate a malware scan manually, run maldet with --scan-all and the directory to scan; the scan walks the whole tree below it.

$ sudo maldet --scan-all /home
maldet(27752): {scan} signatures loaded: 10849 (8981 MD5 / 1868 HEX)
maldet(27752): {scan} building file list for /home, this might take awhile...
maldet(27752): {scan} file list completed, found 20586 files...
maldet(27752): {scan} 20586/20586 files scanned: 1 hits 0 cleaned
maldet(27752): {scan} scan completed on /home: files 20586, malware hits 1, cleaned hits 0
maldet(27752): {scan} scan report saved, to view run: maldet --report 032813-1606.27752
maldet(27752): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 032813-1606.27752

After the scan, you can examine the malware scan report by running the following command with the scan report ID printed at the end of the scan.

$ sudo maldet --report 032813-1606.27752
malware detect scan report for my_host:
SCAN ID: 032813-1606.27752
TIME: Mar 28 16:33:36 -0700
PATH: /home
TOTAL FILES: 20586
TOTAL HITS: 1
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 032813-1606.27752
FILE HIT LIST:
{MD5}gzbase64.inject.unclassed.1110 : /home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >

To quarantine the detected files, run the following command with the scan report ID. Each hit is moved into /usr/local/maldetect/quarantine, and maldet then attempts to clean it with the matching cleaner rule and restores it if the rescan comes back clean. Review the hit list before doing this on a production host: quarantining removes the file from its original location, and a hit is not always a compromise. In the example here the hit is LMD's own cleaner rule file for that signature, left behind in the unpacked source tree under /home, not an infected web application.

$ sudo maldet -q 032813-1606.27752
maldet(14738): {quar} malware quarantined from '/home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed' to '/usr/local/maldetect/quarantine/gzbase64.inject.unclassed.10045'
maldet(14738): {clean} restoring /usr/local/maldetect/quarantine/gzbase64.inject.unclassed.10045 for cleaning attempt
maldet(14738): {clean} trying to clean /home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed with gzbase64.inject.unclassed rule
maldet(14738): {clean} rescanning /home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed for malware hits
maldet(14738): {clean} clean successful on /home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed
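The scan, report and quarantine steps above are the ones you would wire into a cron job or a monitoring check. The script below is an added example, not part of LMD or of the original post: it parses a saved `maldet --report <ID>` report in the layout shown above, prints a one-line summary, lists the hits as "signature<TAB>path", and returns non-zero when the report contains hits, so a wrapper can decide whether to mail the report or run `maldet -q <ID>`. The sample report embedded in it is constructed from the report printed earlier in this post; the function names are my own.

```shell
#!/bin/sh
# Added example (not LMD's own code): summarise a "maldet --report <ID>" report
# and return 1 when it lists any hits, so a cron wrapper can act on it.
# Assumes the report layout shown above (SCAN ID:, TOTAL HITS:, FILE HIT LIST:).

# Constructed sample, copied from the layout of the report in this post.
SAMPLE_REPORT='malware detect scan report for my_host:
SCAN ID: 032813-1606.27752
TIME: Mar 28 16:33:36 -0700
PATH: /home
TOTAL FILES: 20586
TOTAL HITS: 1
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 032813-1606.27752
FILE HIT LIST:
{MD5}gzbase64.inject.unclassed.1110 : /home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >'

# report_field KEY: print the value of the "KEY: value" header line read on stdin.
report_field() {
    awk -v key="$1" -F': ' '$1 == key { print $2; exit }'
}

# report_hits: print one "signature<TAB>path" line per entry of the FILE HIT LIST
# section read on stdin; the section ends at the "=====" separator line.
report_hits() {
    awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        /^=+$/            { inlist = 0 }
        inlist && / : /   { split($0, parts, " : "); printf "%s\t%s\n", parts[1], parts[2] }
    '
}

# check_report REPORT_TEXT: print a summary line and, if there are hits, the hit
# list; return 0 when the report is clean and 1 when it contains hits.
check_report() {
    report="$1"
    scan_id=$(printf '%s\n' "$report" | report_field "SCAN ID")
    hits=$(printf '%s\n' "$report" | report_field "TOTAL HITS")
    cleaned=$(printf '%s\n' "$report" | report_field "TOTAL CLEANED")
    printf 'scan %s: %s hit(s), %s cleaned\n' "$scan_id" "$hits" "$cleaned"
    [ "${hits:-0}" -gt 0 ] || return 0
    printf '%s\n' "$report" | report_hits
    return 1
}

# Real use (maldet itself is not run in this example):
#   maldet --report "$ID" > /tmp/maldet-report.txt
#   check_report "$(cat /tmp/maldet-report.txt)" || mail -s "maldet hits" root < /tmp/maldet-report.txt
# When run directly, check the constructed sample; a non-zero return means hits.
check_report "$SAMPLE_REPORT" || echo "hits found: review the list above before quarantining"
```

Keeping the decision in the wrapper rather than setting quar_hits=1 blindly lets you eyeball the hit list first; on the sample above it would flag LMD's own cleaner rule file, which you would want to notice before anything gets moved.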

If you want to actively monitor specific directories for malware, you can run maldet in monitor mode (-m) with a comma-separated list of paths. It uses inotify to scan files as they are created or modified, raising the kernel's inotify limits on startup if needed, and logs what it sees to the inotify log shown below.

$ sudo maldet -m /var,/home/xmodulo
maldet(5330): {mon} set inotify max_user_instances to 128
maldet(5330): {mon} set inotify max_user_watches to 61440
maldet(5330): {mon} added /var to inotify monitoring array
maldet(5330): {mon} added /home/xmodulo to inotify monitoring array
maldet(5330): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(5330): {mon} inotify startup successful (pid: 5409)
maldet(5330): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log

If you want maldet to alert you by email when it detects malware, modify the maldet configuration as follows.

$ sudo vi /usr/local/maldetect/conf.maldet
email_alert=1
email_subj="Malware detected by maldet"
email_addr="alert@xmodulo.com"
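Email alerts are usually paired with automatic quarantine, since the scan output earlier in this post shows that quarantine is off by default (set quar_hits=1 in conf.maldet). The fragment below is an added example, not the post's own listing or the stock conf.maldet: it puts the report-only defaults next to the corrected settings. conf.maldet is a plain shell variable file that maldet sources, so it is shown as shell; quar_hits, email_alert, email_subj and email_addr are the options named on this page, and quar_clean is the cleaner toggle from the conf.maldet shipped with this release (check the comments in your own copy before relying on it).

```shell
# Added example: conf.maldet fragment enabling quarantine and email alerting.
# conf.maldet is sourced by maldet, so it is ordinary shell variable syntax.

# Report-only defaults: every hit has to be quarantined by hand with
# "maldet -q <scan id>", and nothing is mailed.
#   quar_hits=0
#   quar_clean=0
#   email_alert=0

# Move hits into /usr/local/maldetect/quarantine/ automatically.
quar_hits=1
# Run the signature's cleaner rule on each quarantined file and restore it if it rescans clean.
quar_clean=1

# Mail the report for every scan that finds hits.
email_alert=1
email_subj="Malware detected by maldet"
email_addr="alert@xmodulo.com"
```

With quar_hits=1 the daily cron scan acts on hits without anyone reading the report first, so on a shared host keep an eye on the quarantine directory and the mailed reports for false positives.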

One thought on “How to detect malware on Linux with LMD”

  1. Hi. Thanks for the post. I ran this manually on my linux server and got a hit which the detector cleaned.

    I am looking to see if the cron job is functioning and if it is getting any hits. I see that it can send emails, but do you know if LMD logs or writes scan reports for the automatic scans?

    Thanks,

    Tim
