
linux-malware-detect's Introduction

Linux Malware Detect v1.6.5
            (C) 2002-2023, R-fx Networks <[email protected]>
            (C) 2023, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

::::::::::::::::::::::::::::::::::

:: CONTENTS ::
.: 1 [ DESCRIPTION ]
.: 2 [ FEATURES ]
.: 3 [ THREAT SOURCE DATA ]
.: 4 [ RELEASE UPDATES ]
.: 4.1 [ SIGNATURE UPDATES ]
.: 5 [ DETECTED THREATS ]
.: 6 [ THREAT SHARING ]
.: 7 [ CONFIGURATION ]
.: 8 [ IGNORE OPTIONS ]
.: 9 [ CLI USAGE ]
.: 10 [ CRON DAILY ]
.: 11 [ INOTIFY MONITORING ]
.: 12 [ MODSECURITY2 UPLOAD SCANNING ]
.: 13 [ CLEANER RULES ]

::::::::::::::::::::::::::::::::::

.: 1 [ DESCRIPTION ]

Linux Malware Detect (LMD) is a malware scanner for Linux, released under the
GNU GPLv2 license, that is designed around the threats faced in shared hosted
environments. It uses threat data from network edge intrusion detection
systems to extract malware that is actively being used in attacks and
generates signatures for detection. In addition, threat data is also derived
from user submissions with the LMD checkout feature and from malware
community resources. The signatures that LMD uses are MD5 file hashes and HEX
pattern matches; they are also easily exported to any number of detection
tools such as ClamAV.
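As an added example (not LMD's own code), the following script shows the two signature types described above, MD5 file hashes and HEX byte patterns, applied to a file, and the same signatures exported to ClamAV's .hdb and .ndb formats. The signature file layouts (`MD5HEX:name` and `HEXBYTES:name`), the sample files and the signature names are constructed for this example; md5sum, od and awk are assumed to be available.

```shell
#!/bin/sh
# Added example, not LMD's own code: a minimal scanner using the two signature types the
# text describes (MD5 file hashes and HEX byte patterns) and an export of those signatures
# to ClamAV's .hdb / .ndb formats. Signature file formats are constructed assumptions:
#   md5 list:  MD5HEX:signature.name        hex list:  HEXBYTES:signature.name
# Requires md5sum, od and awk.

WORK="$(mktemp -d)"

file_md5() { md5sum "$1" | cut -d' ' -f1; }

# Dump a file as one continuous lowercase hex string so a HEX signature can be matched
# with plain grep, without binary-safe pattern tooling.
file_hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# scan_file FILE MD5SIGS HEXSIGS
# Prints one "{MD5}name" / "{HEX}name" line per hit (the naming LMD reports use);
# exit status 0 when at least one signature matched, 1 when the file is clean.
scan_file() {
  f="$1"; md5sigs="$2"; hexsigs="$3"; hit=no
  sum="$(file_md5 "$f")"
  while IFS=: read -r sig name; do
    [ -n "$sig" ] || continue
    if [ "$sig" = "$sum" ]; then echo "{MD5}$name"; hit=yes; fi
  done < "$md5sigs"
  dump="$(file_hex "$f")"
  while IFS=: read -r sig name; do
    [ -n "$sig" ] || continue
    lc="$(printf '%s' "$sig" | tr 'A-F' 'a-f')"
    if printf '%s' "$dump" | grep -q "$lc"; then echo "{HEX}$name"; hit=yes; fi
  done < "$hexsigs"
  [ "$hit" = yes ]
}

# export_clamav MD5SIGS HEXSIGS OUTBASE -> writes OUTBASE.hdb and OUTBASE.ndb
#   .hdb line: MD5:FileSize:Name           ("*" = any size, accepted by modern ClamAV)
#   .ndb line: Name:TargetType:Offset:Hex  (0 = any file type, "*" = any offset)
export_clamav() {
  awk -F: 'NF >= 2 { print $1 ":*:" $2 }' "$1" > "$3.hdb"
  awk -F: 'NF >= 2 { print $2 ":0:*:" $1 }' "$2" > "$3.ndb"
}

# Constructed samples: a "bad" file whose hash and a byte pattern ("marker-bytes-ABC",
# hex 6d61726b65722d62797465732d414243) go into the signature sets, and a clean file.
# None of this is real malware or a real LMD signature.
printf 'CONSTRUCTED SAMPLE marker-bytes-ABC\n' > "$WORK/bad.php"
printf '<?php echo "hello"; ?>\n' > "$WORK/good.php"
printf '%s:constructed.sample.md5\n' "$(file_md5 "$WORK/bad.php")" > "$WORK/md5.dat"
printf '6d61726b65722d62797465732d414243:constructed.sample.hex\n' > "$WORK/hex.dat"

export_clamav "$WORK/md5.dat" "$WORK/hex.dat" "$WORK/lmd-export"

# Demo run: hits for bad.php, "clean:" for good.php, then the exported ClamAV lines.
for f in "$WORK/bad.php" "$WORK/good.php"; do
  scan_file "$f" "$WORK/md5.dat" "$WORK/hex.dat" || echo "clean: $f"
done
cat "$WORK/lmd-export.hdb" "$WORK/lmd-export.ndb"
```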

The driving force behind LMD is that there is currently limited availability
of open source/restriction free tools for Linux systems that focus on malware
detection and, more importantly, that get it right. Many of the AV products that
perform malware detection on Linux have a very poor track record of detecting
threats, especially those targeted at shared hosted environments.

The threat landscape in shared hosted environments differs from what the
standard AV products' detection suites cover: those products primarily detect
OS level trojans, rootkits and traditional file-infecting viruses but miss
the ever increasing variety of malware at the user account level, which serves
as an attack platform.

Using the CYMRU malware hash registry, which provides malware detection data
for 30 major AV packages, we can demonstrate this shortcoming in current
threat detection. The following is an analysis of 8,882 MD5 hashes that ship
in LMD 1.5 and the percentage of major AV products that currently detect
the hashes.

KNOWN MALWARE:      1951
 % AV DETECT (AVG):  58
 % AV DETECT (LOW):  10
 % AV DETECT (HIGH): 100
UNKNOWN MALWARE:    6931

What this information means is that, of the 8,883 hashes, 78% or 6,931 malware threats
are NOT detected by top-30 AV products. The 1,951 detected malware threats that are known
have an average detection rate of 58% among top-30 AV products, with a low and high
detection rate of 10% and 100% respectively. This clearly demonstrates the significant
lapse in user space malware detection among top-30 AV products. It is for
this reason LMD was created: to fill a void, specifically for shared hosted environments.

.: 2 [ FEATURES ]

- MD5 file hash detection for quick threat identification
- HEX based pattern matching for identifying threat variants
- statistical analysis component for detection of obfuscated threats (e.g: base64)
- integrated detection of ClamAV to use as scanner engine for improved performance
- integrated signature update feature with -u|--update
- integrated version update feature with -d|--update-ver
- scan-recent option to scan only files that have been added/changed in X days
- scan-all option for full path based scanning
- checkout option to upload suspected malware to rfxn.com for review / hashing
- full reporting system to view current and previous scan results
- quarantine queue that stores threats in a safe fashion with no permissions
- quarantine batching option to quarantine the results of a current or past scan
- quarantine restore option to restore files to original path, owner and perms
- quarantine suspend account option to Cpanel suspend or shell revoke users
- cleaner rules to attempt removal of malware injected strings
- cleaner batching option to attempt cleaning of previous scan reports
- cleaner rules to remove base64 and gzinflate(base64) injected malware
- daily cron based scanning of all changes in last 24h in user homedirs
- daily cron script compatible with stock RH style systems, Cpanel & Ensim
- kernel based inotify real time file scanning of created/modified/moved files
- kernel inotify monitor that can take path data from STDIN or FILE
- kernel inotify monitor convenience feature to monitor system users
- kernel inotify monitor can be restricted to a configurable user html root
- kernel inotify monitor with dynamic sysctl limits for optimal performance
- kernel inotify alerting through daily and/or optional weekly reports
- HTTP upload scanning through mod_security2 inspectFile hook
- e-mail alert reporting after every scan execution (manual & daily)
- path, extension and signature based ignore options
- background scanner option for unattended scan operations
- verbose logging & output of all actions


.: 3 [ THREAT SOURCE DATA ]

The defining difference with LMD is that it doesn't just detect malware based 
on signatures/hashes that someone else generated but rather it is an 
encompassing project that actively tracks in the wild threats and generates 
signatures based on those real world threats that are currently circulating.

There are four main sources for malware data that are used to generate LMD
signatures:
 - Network Edge IPS: Through networks managed as part of my day-to-day job,
primarily web hosting related, our web servers receive a large amount of daily
abuse events. The network I manage hosts over 35,000 web sites and as such
receives a large amount of daily abuse, all of which is logged by our network
edge IPS. The IPS events are processed to extract malware URLs, decode POST
payloads and base64/gzip encoded abuse data, and ultimately that malware is
retrieved, reviewed, classified and then signatures are generated as
appropriate. The vast majority of LMD signatures have been derived from IPS
extracted data.
 - Community Data: Data is aggregated from multiple community malware websites
such as clean-mx and malwaredomainlist, then processed to retrieve new
malware, review, classify and then generate signatures.
 - ClamAV: The HEX & MD5 detection signatures from ClamAV are monitored for
relevant updates that apply to the target user group of LMD and added to the
project as appropriate. To date roughly 400 signatures have been ported
from ClamAV, while the LMD project has contributed back to ClamAV by
submitting over 1,100 signatures and continues to do so on an ongoing basis.
 - User Submission: LMD has a checkout feature that allows users to submit
suspected malware for review; this has grown into a very popular feature and
generates on average about 30-50 submissions per week.

.: 4 [ RELEASE UPDATES ]
Updates to the release version of LMD are not automatically installed but can
be installed using the --update-ver option. There are good reasons that this is
not done automatically and I really don't feel like listing them, so just think
about it a bit.

The latest changes in the release version can always be viewed at:
http://www.rfxn.com/appdocs/CHANGELOG.maldetect

.: 4.1 [ SIGNATURE UPDATES ]

The LMD signatures are updated typically once per day or more frequently
depending on incoming threat data from the LMD checkout feature, IPS malware
extraction and other sources. The updating of signatures in LMD installations
is performed daily through the default cron.daily script with the --update
option, which can be run manually at any time.

An RSS & XML data source is available for tracking malware threat updates:
RSS Recent Signatures: http://www.rfxn.com/api/lmd
XML Recent Signatures: http://www.rfxn.com/api/lmd?id=recent
XML All Signatures:    http://www.rfxn.com/api/lmd?id=all

.: 5 [ DETECTED THREATS ]

LMD 1.6 has a total of 11,061 (9,121 MD5 / 1,940 HEX) signatures (before updates).
Below is a listing of the top 60 threats by prevalence detected by LMD.

base64.inject.unclassed    bin.dccserv.irsexxy      bin.fakeproc.Xnuxer
bin.ircbot.nbot            bin.ircbot.php3          bin.ircbot.unclassed
bin.pktflood.ABC123        bin.pktflood.osf         bin.trojan.linuxsmalli
c.ircbot.tsunami           exp.linux.rstb           exp.linux.unclassed
exp.setuid0.unclassed      gzbase64.inject          html.phishing.auc61
html.phishing.hsbc         perl.connback.DataCha0s  perl.connback.N2
perl.cpanel.cpwrap         perl.mailer.yellsoft     perl.ircbot.atrixteam
perl.ircbot.bRuNo          perl.ircbot.Clx          perl.ircbot.devil
perl.ircbot.fx29           perl.ircbot.magnum       perl.ircbot.oldwolf
perl.ircbot.putr4XtReme    perl.ircbot.rafflesia    perl.ircbot.UberCracker
perl.ircbot.xdh            perl.ircbot.xscan        perl.shell.cbLorD
perl.shell.cgitelnet       php.cmdshell.c100        php.cmdshell.c99
php.cmdshell.cih           php.cmdshell.egyspider   php.cmdshell.fx29
php.cmdshell.ItsmYarD      php.cmdshell.Ketemu      php.cmdshell.N3tshell
php.cmdshell.r57           php.cmdshell.unclassed   php.defash.buno
php.exe.globals            php.include.remote       php.ircbot.InsideTeam
php.ircbot.lolwut          php.ircbot.sniper        php.ircbot.vj_denie
php.mailer.10hack          php.mailer.bombam        php.mailer.PostMan
php.phishing.AliKay        php.phishing.mrbrain     php.phishing.ReZulT
php.pktflood.oey           php.shell.rc99           php.shell.shellcomm

.: 6 [ THREAT SHARING ]

I am a firm believer in not reinventing the wheel, for my own sanity or that
of others. As such all unique threat data is submitted to CYMRU & ClamAV so
that the open source and anti-malware community at large can grow from this
project.

.: 7 [ CONFIGURATION ]

The configuration of LMD is handled through /usr/local/maldetect/conf.maldet
and all options are well commented for ease of configuration.

By default LMD has the auto-quarantine of files disabled. This means that
YOU WILL NEED TO ACT on any threats detected, or pass the SCANID to the '-q'
option to batch quarantine the results. To change this, set
quarantine_hits=1 in conf.maldet.

.: 8 [ IGNORE OPTIONS ]

There are four ignore files available and they break down as follows:

/usr/local/maldetect/ignore_paths
A line spaced file for paths that are to be excluded from search results
 Sample ignore entry:
 /home/user/public_html/cgi-bin

/usr/local/maldetect/ignore_file_ext
A line spaced file for file extensions to be excluded from search results
 Sample ignore entry:
 .js
 .css

/usr/local/maldetect/ignore_sigs
A line spaced file for signatures that should be removed from file scanning
 Sample ignore entry:
 base64.inject.unclassed

/usr/local/maldetect/ignore_inotify
A line spaced file for regexp paths that are excluded from inotify monitoring
 Sample ignore entry:
 ^/home/user$
 ^/var/tmp/#sql_.*\.MYD$

.: 9 [ CLI USAGE ]

Once LMD is installed it can be run through the 'maldet' command, the '--help'
option gives a detailed summary of usage options:

    -b, --background
      Execute operations in the background, ideal for large scans
      e.g: maldet -b -r /home/?/public_html 7

    -u, --update [--force]
       Update malware detection signatures from rfxn.com

    -d, --update-ver [--force]
       Update the installed version from rfxn.com

    -m, --monitor USERS|PATHS|FILE
       Run maldet with inotify kernel level file create/modify monitoring
       If USERS is specified, monitor user homedirs for UIDs > 500
       If FILE is specified, paths will be extracted from file, line spaced
       If PATHS are specified, must be comma spaced list, NO WILDCARDS!
       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

    -k, --kill
       Terminate inotify monitoring service

    -r, --scan-recent PATH DAYS
       Scan files created/modified in the last X days (default: 7d, wildcard: ?)
       e.g: maldet -r /home/?/public_html 2

    -a, --scan-all PATH
       Scan all files in path (default: /home, wildcard: ?)
       e.g: maldet -a /home/?/public_html

    -c, --checkout FILE
       Upload suspected malware to rfxn.com for review & hashing into signatures

    -l, --log
       View maldet log file events

    -e, --report SCANID email
       View scan report of most recent scan or of a specific SCANID and optionally
       e-mail the report to a supplied e-mail address
       e.g: maldet --report
       e.g: maldet --report list
       e.g: maldet --report 050910-1534.21135
       e.g: maldet --report SCANID [email protected]

    -E, --dump-report SCANID
       Similar to -e/--report except dumps the report to stdout instead.
       e.g: maldet --dump-report
       e.g: maldet --dump-report 050910-1534.21135

    -s, --restore FILE|SCANID
       Restore file from quarantine queue to original path or restore all items from
       a specific SCANID
       e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
       e.g: maldet --restore 050910-1534.21135

    -q, --quarantine SCANID
       Quarantine all malware from report SCANID
       e.g: maldet --quarantine 050910-1534.21135

    -n, --clean SCANID
       Try to clean & restore malware hits from report SCANID
       e.g: maldet --clean 050910-1534.21135

    -U, --user USER
       Set execution under specified user, ideal for restoring from user quarantine or
       to view user reports.
       e.g: maldet --user nobody --report
       e.g: maldet --user nobody --restore 050910-1534.21135

    -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
       Set or redefine the value of conf.maldet config options
       e.g: maldet --config-option [email protected],quarantine_hits=1

    -p, --purge
       Clear logs, quarantine queue, session and temporary data.

.: 10 [ CRON DAILY ]

The cronjob installed by LMD is located at /etc/cron.daily/maldet and is used
to perform a daily update of signatures, keep the session, temp and quarantine
data to no more than 14d old and run a daily scan of recent file system changes.

The daily scan supports a variety of control panel systems or standard Linux
/home*/user paths. 

If you are running monitor mode, the daily scans will be skipped and instead a
daily report will be issued for all monitoring events. 

If you need to scan additional paths, you should review the cronjob and use one
of the customization hook files, such as '/usr/local/maldetect/cron/custom.cron',
to write in custom scanning execution. For configuration based cron changes, you
can redefine any conf.maldet variables at '/etc/sysconfig/maldet' or 
'/usr/local/maldetect/cron/conf.maldet.cron'.

.: 11 [ INOTIFY MONITORING ]

The inotify monitoring feature is designed to monitor users in real-time for
file creation/modify/move operations. This option requires a kernel that
supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+
and CentOS/RHEL 5 by default. If you are running CentOS 4 you should consider
an inbox upgrade with: http://www.rfxn.com/upgrade-centos-4-8-to-5-3/

The monitor can be executed in three modes, which determine what will be
monitored: USERS|PATHS|FILE.
       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

The options break down as follows:
USERS -  The users option takes the homedirs of all system users with a UID
         above inotify_minuid and monitors them. If inotify_webdir is set, then
         only the user's webdir, if it exists, will be monitored.
PATHS -  A comma spaced list of paths to monitor
FILE  -  A line spaced file list of paths to monitor

Once you start maldet in monitor mode, it will preprocess the paths based on
the option specified, followed by starting the inotify process. Starting
the inotify process can be a time consuming task as it needs to set up a monitor
hook for every file under the monitored paths. Although the startup process can
impact the load temporarily, once the process has started it maintains all of
its resources inside kernel memory and has a very small userspace footprint in
memory and CPU usage.

The scanner component of the monitor watches for notifications from the inotify
process and batches items to be scanned, by default, every 30 seconds. If you
need tighter control of the scanning timer, you can edit inotify_stime in
conf.maldet.

The alerting of file hits under monitor mode is handled through a daily report
instead of sending an email on every hit. The cron.daily job installed by LMD
will call the --alert-daily flag and send an alert for the last day's hits. There
is also an --alert-weekly option that can be used; simply edit the cron at
/etc/cron.daily/maldet and change --alert-daily to --alert-weekly.

Terminating the inotify monitoring is done by passing the '-k|--kill-monitor'
option to maldet, it will touch a file handle monitored by maldet and on the
next waking cycle of the monitor service, it will terminate itself and all
inotify processes.

.: 12 [ MODSECURITY2 UPLOAD SCANNING ]

The support for HTTP upload scanning is provided through mod_security2's inspectFile hook.
This feature allows for a validation script to be used in permitting or denying an upload. 

The convenience script to facilitate this is called hookscan.sh and is located in the
/usr/local/maldetect installation path. The default setup is to run a standard maldet scan
with no clamav support, no cleaner rule executions and quarantining enabled; these options
are set in the interest of performance over accuracy, which is a fair tradeoff.

The scan options can be modified in the hookscan.sh file if so desired, the default
scan options are as follows:
--config-option quarantine_hits=1,quarantine_clean=0,clamav_scan=0 --modsec -a "$file"

There is a tangible performance difference in disabling clamav scanning in this usage
scenario. The native LMD scanner engine is much faster than the clamav scanner engine
in single file scans by a wide margin. A single file scan using clamav takes roughly
3sec on average while the LMD scanner engine takes 0.5sec or less.

To enable upload scanning with mod_security2 you must enable the scan_user_access option
in conf.maldet (scan_user_access=1), then add the following rules to your mod_security2
configuration. These rules are best placed in your modsec2.user.conf file on cpanel servers
or at the top of the appropriate rules file for your setup.

/usr/local/apache/conf/modsec2.user.conf (or similar mod_security2 rules file):
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" \
                "id:'999999',log,auditlog,deny,severity:2,phase:2,t:none"

If using ModSecurity >=2.9, you should set 'SecTmpSaveUploadedFiles On' before the
'SecRule FILES_TMPNAMES' line.

A restart of the Apache service is required following these changes.

When an upload takes place that is determined to be malware, it will be rejected and an
entry will appear in the mod_security2 SecAuditLog file. On cpanel servers and most
configurations this is the modsec_audit.log located under /usr/local/apache/logs or 
/var/log/httpd.

The log entry will appear similar to the following:
Message: Access denied with code 406 (phase 2). File "/tmp/20121120-....-file" rejected by
the approver script "/usr/local/maldetect/hookscan.sh": 0 maldet: {HEX}php.cmdshell.r57.317
/tmp/20121120-....-file [file "/usr/local/apache/conf/modsec2.user.conf"] [line "3"]
[severity "CRITICAL"]

The default alerting options will apply and an e-mail will be sent when hits are found. This
can be changed in the hookscan.sh script by editing the --config-option values.

To disable alerts append email_alert=0 to the --config-option values:
--config-option quarantine_hits=1,quarantine_clean=0,clamav_scan=0,email_alert=0

To change the e-mail address for alerts on upload hits, append [email protected]
to the --config-option values:
--config-option quarantine_hits=1,quarantine_clean=0,clamav_scan=0,[email protected]
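As an added example, not LMD's hookscan.sh, here is an approver script in the form the mod_security2 @inspectFile hook above expects: ModSecurity runs it with the uploaded temp file as its first argument and reads one line of stdout, "1" to permit or "0 message" to reject, which is where the "0 maldet: {HEX}..." text in the log entry above comes from. The scanner inside is a stand-in one-pattern HEX check (an assumption for this example) in place of the `maldet --modsec -a FILE` call; the signature and sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not LMD's hookscan.sh: an approver script in the form ModSecurity's
# @inspectFile operator expects. ModSecurity runs the script with the uploaded temp file
# as $1 and reads its stdout: a line starting with "1" permits the upload, a line starting
# with "0" rejects it, and the rest of that line becomes the audit-log message (the shape
# of the "0 maldet: {HEX}..." entry in the README). The scanner here is a stand-in
# one-pattern HEX check (assumption), standing where hookscan.sh runs "maldet --modsec -a FILE".

# Constructed signature: hex of the bytes "marker-bytes-ABC". Not a real LMD signature.
STANDIN_HEX='6d61726b65722d62797465732d414243'
STANDIN_NAME='{HEX}constructed.sample.hex'

# standin_scan FILE -> prints the signature name and exits 0 on a hit; exits 1 when clean
standin_scan() {
  if od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$STANDIN_HEX"; then
    echo "$STANDIN_NAME"
    return 0
  fi
  return 1
}

# approve_upload FILE -> prints exactly one verdict line for ModSecurity.
# Policy choice made by this example: an upload the scanner cannot read is rejected
# (fail closed) rather than passed through unscanned.
approve_upload() {
  f="$1"
  if [ ! -r "$f" ]; then
    echo "0 upload-scan: unreadable file $f"
    return 0
  fi
  if sig="$(standin_scan "$f")"; then
    echo "0 upload-scan: $sig $f"
  else
    echo "1"
  fi
}

# When invoked by ModSecurity the temp file path arrives as $1.
if [ -n "${1:-}" ]; then
  approve_upload "$1"
fi
```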

The nature of uploads is such that they are performed either under the user that the HTTP
service is running as or under that of a system user in an suexec style setup (i.e: phpsuexec).
This required a change to the way LMD stores session, temporary and quarantine data to allow
for non-root users to perform scans.

Given that the maldetect installation path is owned by user root, we either need to set a pub
path world writable (777) or populate the pub path with user owned paths. It was undesirable
to set any path world writable, and as such a feature to populate path data was created. This
feature is controlled with the --mkpubpaths flag and is executed from cron every 10 minutes;
it will only execute if the scan_user_access variable is enabled in conf.maldet. As such, it is
important to make sure the scan_user_access variable is set to enabled (1) in conf.maldet, and it is
advised to run 'maldet --mkpubpaths' manually to prepopulate the user paths. Thereafter, the
cron will ensure new users have paths created no later than 10 minutes after creation.

All non-root scans, such as those performed under mod_security2, will be stored under the
/usr/local/maldetect/pub/username directory tree. The quarantine paths are relative to the user
that executes the scan, so user nobody would be under pub/nobody/quar/. The actual paths
for where files are quarantined and the user which executed the scan, can be verified in the
e-mail reports for upload hits.

To restore files quarantined under non-root users, you must pass the -U|--user option to LMD
together with -s|--restore; for example, if user nobody quarantined a file you would like to
restore, it can be restored as follows:
maldet --user nobody --restore /usr/local/maldetect/pub/nobody/quar/20121120-file-SFwTeu.22408

Or, as always, the scan ID can be used to restore:
maldet --user nobody --restore 112012-0032.13771

.: 13 [ CLEANER RULES ]

The cleaner function looks for signature-named rules under the clean/ path;
these rules can consist of any command that is designed to clean a file of
malware. A cleaner rule must result in a file being able to pass a scan
without tripping a HIT; otherwise the clean action will be classified as FAILED.

Let us assume for a moment we have malware that we want to clean and it trips
with the signature "{HEX}php.cmdshell.r57.89". The actual signature string in
this is "php.cmdshell.r57", the "{HEX}" just defines the format and ".89" is
the variant number. So, to create a clean rule for php.cmdshell.r57 we would
add a file 'clean/php.cmdshell.r57' and this would be executed against any
file that hits on the signature of the same name.

The actual contents of the rule should be a single line command that will be
executed against the hit file, for example the execution looks something like:

YOUR_COMMAND MALWARE_FILE

So, for a string based malware injection you could easily put a 'sed -i'
into the rule file with the appropriate pattern to strip the string(s) from
the file. Once the clean command has run, a rescan will be performed on the
file and if it causes a hit, the clean will be marked as FAILED. A
successful clean ALWAYS results in the file being restored, if possible, to
its original path, owner and mode.

An important note is that the cleaner function is a subfunction of the
quarantine, so if the quarantine is disabled then, by default, malware hits
will not have clean attempts made. There are two ways around this, apart from
the obvious one of turning on quarantine and rescanning (which is a waste of time).
The best way is to enable the quarantine and then use the -q|--quarantine flag
to batch through the scan results, which will quarantine and clean files. The
second is to use the -n|--clean flag, which will try to clean files in place,
be that in the quarantine or the file's original path, wherever it can be found.

e.g: maldet -q SCANID
e.g: maldet --clean SCANID

linux-malware-detect's People

Contributors

anarcat, erikdemarco, florianheigl, gazoo, gorelics, jamescoleman-lw, javiertury, jnorell, jsoref, maxxer, mkubenka, mostafahussein, ncstate-jksnapp, psiau, qw1mb0, qwp6t, raicabogdan, rfxn, richardferaro, samsalisbury, skurudo, ticoombs, waja, yogsottot, zysyl


linux-malware-detect's Issues

False positive on Admin Page Framework (WordPress plugin and theme framework)

Hi Ryan,

First of all, great job on developing the software that helps many shared host services as well as developers concerned with servers which deal with various types of files.

I write PHP scripts and publish them and it seems your software Linux Malware Detect v1.4.2 flags some of my work as malware.

It is a part of the program named Admin Page Framework and it includes a minified version that compresses the entire project files into one file.

{HEX}php.nested.jpexp.531 : admin-page-framework/library/admin-page-framework.min.php

(file)

Also the file based on it for a different WordPress plugin named Fetch Tweets gets flagged as malware as well. (file)

It seems code that contains the following string (and a pattern behind it which I do not know) gets a false positive.

']; $GLOBALS['some_characters_admin

I think it is a common variable name combination and should be avoided from being flagged.

If there is a reason that my programs got targeted as malware, I'd like to know the reasons. If not, could you update the definitions not to flag them as malware?

Thank you.

ignore_file_ext matching files in run directory causes find error

I've noticed my crons don't work if I have files in the cron users homedir that matches anything in ignore_file_ext

If there are more than two files in the current run directory that match extensions in ignore_file_ext find will throw an error:

cat /usr/local/maldetect/ignore_file_ext

.txt

Commands:

# cd $(mktemp -d)
# touch test{1..2}.txt
# maldet -a ./

Maldet returns:

Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(855266): {scan} signatures loaded: 11866 (9965 MD5 / 1901 HEX)
maldet(855266): {scan} building file list for ./, this might take awhile...
/bin/find: paths must precede expression: test2.txt
Usage: /bin/find [-H] [-L] [-P] [-Olevel] [-D help|tree|search|stat|rates|opt|exec] [path...] [expression]
maldet(855266): {scan} scan returned zero results, please provide a new path.

The find command being used is:

/usr/bin/find ./ /dev/shm /tmp /var/tmp -maxdepth 15 -type f -size +32c -size -768k ! -iname *.txt | grep -vf /usr/local/maldetect/ignore_paths > /usr/local/maldetect/tmp/.find.12627

cd'ing to a tmp dir might help overcome this?
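As an added example (not LMD's code), the script below reproduces the failure in this report and builds the same find expression from ignore_file_ext in a quoting-safe way. The unquoted `*.txt` in the command above is expanded by the shell against the current directory before find runs; with two or more matching files, find receives the extra names as arguments and aborts with "paths must precede expression". The ignore list and directory contents are constructed.

```shell
#!/bin/sh
# Added example, not LMD's code: reproduces the reported find failure and shows a
# quoting-safe way to build the same expression from ignore_file_ext. The fragile
# version leaves the -iname pattern unquoted, so the shell expands "*.txt" in the
# current directory; with two or more matches find gets extra arguments and aborts.

WORK="$(mktemp -d)"
mkdir "$WORK/site"
printf '.txt\n.css\n' > "$WORK/ignore_file_ext"       # constructed ignore list
touch "$WORK/site/test1.txt" "$WORK/site/test2.txt" \
      "$WORK/site/style.css" "$WORK/site/index.php"

# unquoted_find ROOT -> the fragile form: the glob is expanded by the shell, not by find
unquoted_find() {
  find "$1" -type f ! -iname *.txt
}

# safe_find IGNORE_FILE ROOT -> builds "! -iname PATTERN" pairs in the positional
# parameters so each pattern reaches find as one literal argument, then runs find.
safe_find() {
  ignore="$1"; root="$2"
  set -- "$root" -type f
  while IFS= read -r ext; do
    [ -n "$ext" ] || continue
    set -- "$@" ! -iname "*$ext"
  done < "$ignore"
  find "$@"
}

# Demo: run both from inside the directory that holds the two .txt files.
(cd "$WORK/site" && unquoted_find ./ 2>&1 | sed 's/^/unquoted: /')
(cd "$WORK/site" && safe_find "$WORK/ignore_file_ext" ./ | sed 's/^/safe:     /')
```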

Pipe contents of file to clamscan

It would be nice if maldet could pipe the contents of files to clamscan instead of using the -f option. Clamscan on Ubuntu by default runs under its own user. So when you scan a file with clamscan like this:

# /usr/bin/clamdscan  --infected --no-summary /home/mysite/public_html/cache/index.html 

you get an error: /home/mysite/public_html/cache/index.html: lstat() failed: Permission denied. ERROR

This works:

/usr/bin/clamdscan  --infected --no-summary < /home/mysite/public_html/cache/index.html

Updating signatures results in exit 1

$ /usr/bin/maldet -u
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(5011): {sigup} performing signature update check...
maldet(5011): {sigup} local signature set is version 201310259491
maldet(5011): {sigup} latest signature set already installed
$ echo $?
1

clean command - target file name not being resolved

Just ran into this:

# maldet --clean 150403-1457.811
Linux Malware Detect v1.5
            (C) 2002-2014, R-fx Networks <[email protected]>
            (C) 2014, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(29339): file path error on /usr/local/maldetect/quarantine/., aborting.

At first glance it looks similar to issue #12. However, I've traced the respective function and it seems that in this case it's different. Some variables used to make up the absolute path of the file that has to be cleaned aren't available to the clean_hitlist function. As a result a dot is appended to the relative path of each file within the quarantine path.

Example:

# maldet --clean 150403-1457.811
Linux Malware Detect v1.5
            (C) 2002-2014, R-fx Networks <[email protected]>
            (C) 2014, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

+ hitlist=/usr/local/maldetect/sess/session.hits.150403-1457.811
+ '[' -f /usr/local/maldetect/sess/session.hits.150403-1457.811 ']'
++ cat /usr/local/maldetect/sess/session.hits.150403-1457.811
++ awk '{print$3}'
+ for file in '`cat $hitlist | awk '\''{print$3}'\''`'
+ '[' -f /data/samba/biz/Thumbs.db ']'
++ cat /usr/local/maldetect/sess/session.hits.150403-1457.811
++ grep /data/samba/biz/Thumbs.db
++ awk '{print$1}'
+ hitname='{CAV}lstat()'
+ echo -e 'DEBUG::: file_name -> '
DEBUG::: file_name -> 
+ echo -e 'DEBUG::: file -> /data/samba/biz/Thumbs.db'
DEBUG::: file -> /data/samba/biz/Thumbs.db
+ echo -e 'DEBUG::: quardir -> /usr/local/maldetect/quarantine'
DEBUG::: quardir -> /usr/local/maldetect/quarantine
+ echo -e 'DEBUG::: hitname -> {CAV}lstat()'
DEBUG::: hitname -> {CAV}lstat()
+ echo -e 'DEBUG::: rnd -> '
DEBUG::: rnd -> 
+ clean /usr/local/maldetect/quarantine/. '{CAV}lstat()' . '' '' '' /data/samba/biz/Thumbs.db
+ set -x
+ file=/usr/local/maldetect/quarantine/.
+ file_signame='{CAV}lstat()'
+ file_owner=.
+ file_chmod=
+ file_size=
+ file_md5=

Lines prefixed with DEBUG::: are generated using "set -x" breaks. The function variables $file_name and $rnd are empty. When calling maldet --clean it calls function clean_hitlist, which then calls function clean on each infected file. The problem seems to be with function clean_hitlist.

Maldet 1.5 updates to previous version 1.4.2

Hello,

I'm experiencing a problem where Maldet 1.5 updates to the previous version of 1.4.2. It probably checks the main LMD site and sees that the hash check differs between the two versions, so it updates to the 1.4.2 version:

maldet(6069): {update} version check shows latest but hash check failed, forcing update...

I like the new separate customizable "custom.hex.dat" and "custom.md5.dat" features on Maldet 1.5 so I'm trying to stick to this version.

Is there any way around this issue?

Thank you.

Issue with scan_ignore_root default behavior (was: Issue with --scan-recent)

Ignore all this and see the comment below.

This is a command issued by my backup system script. Very little in /etc has changed recently.

/usr/local/maldetect/maldet -b --scan-recent /etc 1

Running the command

find /etc -mtime -1 -type f

Gives 221 results. The previous command, which has been running for a half hour, has now displayed about 350 "."'s which I assume are displayed 1 per file. (This also seems slower per file than it used to be, but I don't have empirical evidence of that)

Edit: an hour into the run I'm at 700. Running the find without the -mtime option shows around 5000 files in /etc

edit2: looking at some other backup reports from other servers it looks like this issue may just happen the first time the new maldet is run on a machine?

Edit 3: still chugging along at about 350 .s per hour. However here are the relevant lines from /usr/local/maldetect/logs/event_log:

Sep 21 09:00:56 vulcan maldet(8323): {scan} launching scan of /etc changes in last 1d to background, see /usr/local/maldetect/logs/event_log for progress
Sep 21 09:00:56 vulcan maldet(8323): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
Sep 21 09:00:56 vulcan maldet(8323): {scan} building file list for /etc of new/modified files from last 1 days, this might take awhile...
Sep 21 09:00:56 vulcan maldet(8323): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
Sep 21 09:00:56 vulcan maldet(8323): {scan} executed /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/find /etc /tmp /var/tmp /dev/shm -maxdepth 15 -regextype posix-egrep -type f ( -mtime -1 -o -ctime -1 ) -size +24c -size -768k -not -perm 000 -not -regex "" -not -uid 0 -not -gid 0
Sep 21 09:00:56 vulcan maldet(8323): {scan} scan returned zero results, please increase days range or provide a new path.

So it's saying it actually found nothing to scan (which I do believe is probably correct, the 221 results from above are all graphics files who may meet any of the -size +24c -size -768k -not -perm 000 -not -regex "" -not -uid 0 -not -gid 0 restrictions.

However again, it seems to be scanning the entire directory

Proper cPanel home directory matching

Unless the user is using the default cPanel home directories, maldet doesn't scan the right areas. The following returns, from the cPanel config, the setting that stores the user homedirs:

#!/usr/local/cpanel/3rdparty/bin/perl

use Cpanel::Config::LoadWwwAcctConf ();

$cref = Cpanel::Config::LoadWwwAcctConf::loadwwwacctconf();
my $homematch = ( defined $cref->{'HOMEMATCH'} ? $cref->{'HOMEMATCH'} : ( -d '/home' ? '/home' : '/usr/home' ) );
$homematch =~ s/\*//;
print $homematch;

I integrated this into the cron by checking for the existence of the /usr/local/cpanel directory

        elif [ -d "/usr/local/cpanel" ] && [ -x "/path/to/bin/homematch" ]; then
                #cpanel
                HOMEMATCH=`/path/to/bin/homematch`
                /usr/local/maldetect/maldet -b -r $HOMEMATCH?/?/public_html 2 >> /dev/null 2>&1

Could something like this be implemented?

Eicar not caught by monitor mode?

I've got the monitor mode running on /home, but it won't catch eicar. Pretty much standard config, except send mail is enabled.

root@sigrid2:~/maldetect-1.4.2# maldet -m /home
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(9494): {mon} set inotify max_user_instances to 128
maldet(9494): {mon} set inotify max_user_watches to 1689600
maldet(9494): {mon} added /home to inotify monitoring array
maldet(9494): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(9494): {mon} inotify startup successful (pid: 9574)
maldet(9494): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log

...

user@sigrid2:~$ wget http://www.eicar.org/download/eicar.com
2014-01-03 10:03:26 (14.8 MB/s) - `eicar.com' saved [68/68]

root@sigrid2:~# cat /usr/local/maldetect/inotify/inotify_log

/home/mattiasb/eicar.com CREATE 03 Jan 10:03:26
/home/mattiasb/eicar.com MODIFY 03 Jan 10:03:26

I then ran --alert-daily, but no output and no mail in mail.log..

/usr/local/maldetect/maldet --alert-daily

Exclude path capability by regex

There is a option to exclude file extensions, but we have an issue where our files are stored on a NetApp Filer, and we need to avoid having find traverse through all the ".snapshot" directories. clamscan itself provides that with --exclude-dir=REGEXP. Perhaps it would make sense to model after that?

User submission does not work

Somehow I cannot submit files. When forcing passive FTP the upload succeeds. See below:

Linux Malware Detect v1.5
(C) 2002-2014, R-fx Networks [email protected]
(C) 2014, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(30496): {checkout} uploading 81662.php to ftp.rfxn.com
Connected to rfxn.com.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 06:15. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
331 User [email protected] OK. Password required
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
Interactive mode on.
250 OK. Current directory is /incoming
Local directory now /
200 TYPE is now 8-bit binary
local: 81662.php remote: ff81bfcadb10607d4d7a8c9bb7a75750.5950.81662.php.bin
200 PORT command successful
425 Could not open data connection to port 47612: Connection timed out
200 TYPE is now ASCII
local: 81662.php remote: ff81bfcadb10607d4d7a8c9bb7a75750.5950.81662.php.ascii
200 PORT command successful
425 Could not open data connection to port 58939: Connection timed out
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.

--kill command is not recognized

In maldet 1.5 the long form of the kill command to stop the inotify monitoring service is not recognized:

maldet --kill
Linux Malware Detect v1.5
(C) 2002-2014, R-fx Networks [email protected]
(C) 2014, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 2014061517666
usage maldet [-h|--help] [-a|--scan-all PATH] [-r|--scan-recent PATH DAYS]
[-f|--file-list PATH] [-i|--include-regex] [-x|--exclude-regex]
[-b|--background] [-m|--monitor] [-k|--kill-monitor][-c|--checkout]
[-q|--quarantine] [-s|--restore] [-n|--clean] [-l|--log] [-e|--report]
[-u|--update-sigs] [-d|--update-ver]

Permission denied

With the latest version from git you get permission denied errors when trying to scan files.

sed: couldn't open temporary file /usr/local/maldetect/sedXwuCmb: Permission denied
The tmp directory and sigs also give permission errors.

Please add ability to use Maldet DB with Clam Daemon

Hello!

I executed a simple test of clamscan vs clamdscan and found an extremely big difference between them:

Parallel scan via clamDscan (daemon): 34.176 sec
Single thread scan via clamDscan (daemon): 191.848 sec
Scan via clamscan: 215.018 sec

As you can see, the difference is fantastic!

Adding maldet databases to ClamAV daemon is very simple:

cp /usr/local/maldetect/sigs/rfxn.hdb /var/lib/clamav
cp /usr/local/maldetect/sigs/rfxn.ndb /var/lib/clamav
/etc/init.d/clamd restart

Maybe you can add this solution as the recommended way of scanning via ClamAV, because it is many times faster?

Full article: http://bit.ly/Rkm6wU (sorry, it's in Russian).

cron.daily maldet scan skips subdomains on Plesk 12

The file /etc/cron.daily/maldet misses the web tree for subdomains on Plesk 12 because now when creating a subdomain the web tree isn't restricted to the /var/www/vhosts/?/subdomains/?/httpdocs directory any more.

Current line that needs fixing:

 # psa
/usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs/,/var/www/vhosts/?/subdomains/?/httpdocs/ 1 >> /dev/null 2>&1

For example adding a subdomain for "test" to the domain example.com the web files are here by default:

/var/www/vhosts/example.com/test.example.com

I have included a screenshot of how the new path is preset by default.
plesk_subdomains

--kill-monitor command always returns exit code of 1

Currently in maldet 1.5 the kill command should return an exit code of 0 on success or 1 on error. Currently the kill command will always return an exit code of 1. This makes it hard to determine if an error actually occurred.

Currently:
/usr/local/maldetect/maldet -k
echo $?
1

Logging of malware hits

I'm trying to write some reports based off the maldet logs but have been running into some issues.

If scan_clamscan is set to 1 then malware hit names are not logged to the event log. Would it be possible to normalize the logging so that malware hit names were always logged to the event log?

Malware submission ftp

Is it possible to have the sample submission function work with passive ftp connections in addition to active, as I've had to modify the script to use passive so I can submit samples.

Maldet monitoring not picking up malware

Maldet inotify monitoring was unable to detect malicious files in real-time monitoring, while a manual scan detected the same files as malicious. But why isn't the monitoring process picking up the malware? Any ideas? The current maldet version I am using is 1.4.2

I setup the scanner to keep tabs on /home/username (all 6) and the monitoring process IS checking files being uploaded, created or modified, but on two occasions now, it has missed infected files being put on the server.
Running maldet -a /home/XXX manually and it picks up the infected files and quarantines them, as the monitoring process is supposed to do.
The log file shows the file being created/modified, but nothing about it picking up the malware.

grep -w 'backup/proxy.php' /usr/local/maldetect/inotify/inotify_log
/home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php CREATE 27 Apr 14:44:52
/home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52
/home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52
/home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52
/home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52

Running a manual scan results in:

malware detect scan report for xxxxxxxxxxxx:
SCAN ID: 042715-1505.3285
TIME: Apr 27 15:07:41 +0100
PATH: /home/username/public_html/
TOTAL FILES: 37322
TOTAL HITS: 2
TOTAL CLEANED: 0

FILE HIT LIST:
{CAV}Php.Malware.Mailbot-1 : /home/username/public_html/xxxxxxxx/images/testimonials/css.php => /usr/local/maldetect/quarantine/css.php.8062
{CAV}Php.Malware.Mailbot-1 : /home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php => /usr/local/maldetect/quarantine/proxy.php.3538

But why isn't the monitoring process picking up the malware? Any ideas?

Current maldet version I am using is 1.4.2

inotifywait fails on CentOS 6.6 x86_64

The inotifywait that is packaged with LMD 1.4.2 fails on CentOS 6.6. When fixed the daily cron reverts the fix.

After playing around a bit and doing stupid stuff I found this:

# ./inotifywait
sh: ./inotifywait: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory

It turns out that this can be fixed by installing a 32bit version of glibc (yum install glibc.i686 worked for me)

Feature request to ignore already blocked files.

Hi,

I want to propose a feature addition to ignore scanning for immutable files as well as files with permissions of 000. I have already edited the code to support files with permissions of 000 but have yet to find an easy way to also ignore immutable files. It's still a bit rough, however.

 tmpdir_paths="/dev/shm /tmp /var/tmp"
 if [ "$days" == "all" ]; then
   if [ -z "$setmodsec" ]; then
     eout "{scan} building file list for $spath, this might take awhile..." 1
   fi
   if [ "$immutable" == "1" ]; then
     $find $spath $tmpdir_paths -maxdepth $maxdepth -type f ! -perm 000 -size +${minfilesize}c -size -$maxfilesize $ignore_fext | grep -vf $ignore_paths > $find_results
   else
     $find $spath $tmpdir_paths -maxdepth $maxdepth -type f -size +${minfilesize}c -size -$maxfilesize $ignore_fext | grep -vf $ignore_paths > $find_results
   fi
 else
   if [ -z "$setmodsec" ]; then
     eout "{scan} building file list for $spath of new/modified files from last $days days, this might take awhile..." 1
   fi
   if [ "$immutable" == "1" ]; then
     $find $spath $tmpdir_paths -maxdepth $maxdepth -type f ! -perm 000 -mtime -$days -size +${minfilesize}c -size -$maxfilesize $ignore_fext | grep -vf $ignore_paths > $find_results
   else
     $find $spath $tmpdir_paths -maxdepth $maxdepth -type f -mtime -$days -size +${minfilesize}c -size -$maxfilesize $ignore_fext | grep -vf $ignore_paths > $find_results
   fi
 fi
 if [ ! -f "$find_results" ] || [ -z "$(cat $find_results)" ]; then
   if [ -z "$setmodsec" ]; then
     if [ "$days" == "all" ]; then
       eout "{scan} scan returned zero results, please provide a new path." 1
       exit
     else
       eout "{scan} scan returned zero results, please increase days range or provide a new path." 1
       exit
     fi
   fi
 fi

At the maldet options at the end of the file

    -i|--immutable)
        header
        immutable=1
    ;;

and the usage information

usage maldet [-h|--help] [-l|--log] [-e|--report] [-p|--purge] [-c|--checkout]
[-b|--background] [-m|--monitor] [-k|--kill-monitor] [-a|--scan-all] [-r|--scan-recent]
[-q|--quarantine] [-s|--restore] [-n|--clean] [-u|--update] [-d|--update-ver] [-i|--immutable]
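The patch above handles the 000-permission case with a find test, but find has no test for the ext2/3/4 immutable attribute, which is the part the request leaves open. As an added example (not maldet's code, and not part of the patch above), the following post-filters a scan file list through lsattr, whose output is "<flags> <path>" with a lowercase "i" in the flags field for files set with chattr +i. Function names are assumptions for illustration; lsattr (e2fsprogs) is assumed to be installed.

```bash
#!/bin/bash
# Added example, not maldet's own code: drop immutable files from a scan
# file list by post-filtering it through `lsattr -d` (e2fsprogs).

# immutable_flags FLAGS: true if an lsattr flags field (first column of its
# output, e.g. "----i---------e-------") marks the file immutable. Only the
# lowercase 'i' counts; uppercase 'I' is the htree-indexed-directory flag.
immutable_flags() {
    case $1 in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# filter_immutable < FILELIST: print every path from stdin that is not
# immutable. Paths where lsattr fails (tmpfs, NFS, lsattr not installed)
# are kept, since chattr +i cannot apply there anyway. The read loop also
# keeps a final line that lacks a trailing newline.
filter_immutable() {
    local f flags
    while IFS= read -r f || [ -n "$f" ]; do
        [ -n "$f" ] || continue
        flags=$(lsattr -d "$f" 2>/dev/null | awk 'NR==1 {print $1}')
        if [ -n "$flags" ] && immutable_flags "$flags"; then
            continue
        fi
        printf '%s\n' "$f"
    done
}
```

Used from the scan code this would sit between the find pipeline and $find_results, for example as `... | grep -vf $ignore_paths | filter_immutable > $find_results`. It costs one lsattr process per file, so on large trees it is worth applying only to the "recent files" scan rather than a full scan.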

Scans are stalling - no error

I have tried executing several maldet scans, but none seem to complete when there is a large fileset. There is no error, no crash, it just hangs indefinitely.

root@server [/home]# maldet -a /home/directory
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(31804): {scan} signatures loaded: 10727 (8823 MD5 / 1904 HEX)
maldet(31804): {scan} building file list for /home/directory, this might take awhile...
maldet(31804): {scan} file list completed, found 38966 files...
maldet(31804): {scan} 3473/38966 files scanned: 7 hits 0 cleaned

I can see the process is still running when I check "Process Manager" in WHM.

Maldet is killing arbitrary system processes

I'm running into an issue where tmp/monitor.pid is not accurate, and when maldet attempts to run monitor_kill(), it actually ends up sending a kill -9 to random system processes that have reused that same PID. I discovered this after months of mysterious sporadic issues on our postgres servers:

maldet's event_log

Feb 02 03:48:32 acme-db10 maldet(15552): {update} checking for available updates...
Feb 02 03:48:32 acme-db10 maldet(15552): {update} hashing install files and checking against server...
Feb 02 03:48:32 acme-db10 maldet(15552): {update} version check shows latest but hash check failed, forcing update...
Feb 02 03:48:33 acme-db10 maldet(15618): {mon} sent kill to monitor service

syslog

Feb  2 03:48:33 acme-db10 postgres[14204]: [5-1] LOG:  server process (PID 20352) was terminated by signal 9: Killed
Feb  2 03:48:33 acme-db10 postgres[14204]: [6-1] LOG:  terminating any other active server processes
Feb  2 03:48:33 acme-db10 postgres[14478]: [5-1] WARNING:  terminating connection because of crash of another server process
Feb  2 03:48:33 acme-db10 postgres[14478]: [5-2] DETAIL:  The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory.

contents of monitor.pid at the time of monitor_kill():

[root@acme-db10 maldetect.bk15617]# cat tmp/monitor.pid
20352
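The pidfile above holds only a number, so once the inotify process is gone and the kernel hands PID 20352 to a postgres backend, nothing in monitor_kill() can tell the difference. As an added example (not maldet's own code), here is a pidfile scheme that records the process start time from /proc/PID/stat next to the PID; a recycled PID has a different start time, so the kill is refused instead of landing on a stranger. Function names and the "PID STARTTIME" file format are assumptions for illustration; the code assumes a Linux /proc.

```bash
#!/bin/bash
# Added example, not maldet's own code: record enough identity in the pidfile
# to notice when the PID has been reused, and refuse to signal a stranger.

# starttime_of PID: the process start time (clock ticks since boot) from
# /proc/PID/stat. A reused PID gets a different value. Fails if PID is gone.
starttime_of() {
    [ -r "/proc/$1/stat" ] || return 1
    # The comm field (2nd) may contain spaces, so cut through the closing
    # paren first; starttime is then the 20th remaining field (22nd overall).
    sed 's/^.*) //' "/proc/$1/stat" | awk '{print $20}'
}

# write_pidfile PIDFILE PID: store "PID STARTTIME" rather than a bare PID.
write_pidfile() {
    local st
    st=$(starttime_of "$2") || return 1
    printf '%s %s\n' "$2" "$st" > "$1"
}

# pidfile_owner PIDFILE: print the PID if it is still the process recorded in
# the file. Returns 1 for a stale/unreadable file (process gone) and 2 when
# the PID is alive but is not the process we started (or cannot be verified).
pidfile_owner() {
    local pid st now
    [ -r "$1" ] || return 1
    read -r pid st < "$1" || return 1
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$st" ] || return 2                 # legacy bare-PID file: unverifiable
    now=$(starttime_of "$pid") || return 1
    [ "$now" = "$st" ] || return 2
    printf '%s\n' "$pid"
}

# safe_kill PIDFILE [SIGNAL]: signal the recorded process only if it is
# verifiably ours; clean up a stale pidfile instead of killing anything.
safe_kill() {
    local pidfile="$1" sig="${2:-TERM}" pid rc=0
    pid=$(pidfile_owner "$pidfile") || rc=$?
    case $rc in
        0) kill "-$sig" "$pid" && rm -f "$pidfile" ;;
        1) echo "stale pidfile $pidfile, removing it without killing anything" >&2
           rm -f "$pidfile"; return 1 ;;
        *) echo "PID in $pidfile is not the process we started, refusing to kill" >&2
           return 2 ;;
    esac
}
```

The start-time check is the same identity test that systemd and most supervisors rely on; comparing /proc/PID/comm against "inotifywait" is weaker, since a different inotifywait could inherit the PID. Whichever check is used, the default signal should be TERM rather than KILL so the monitor can remove its own pidfile on exit.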

maldet --monitor doesn't recognise file path if newline is missing

With the latest master, using --monitor with a file path, maldet no longer recognizes a path if the file doesn't end with a newline character.
E.g.
maldet --monitor /usr/local/maldetect/monitor_paths

The response
maldet(30196): {mon} no paths specified in /usr/local/maldetect/monitor_paths, aborting.

Contents of /usr/local/maldetect/monitor_paths
/var/www/vhosts

Maldet should recognize a single path even though the newline is missing.
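The usual cause of this symptom is a `while read` loop: read returns non-zero when it reaches end of file before a newline, even though it has already filled the variable, so a plain loop drops the last line. As an added example (not maldet's own code), the reader below keeps that line, skips blank and comment lines, and counts how many entries are actually directories, which is the check a monitor start-up should do before handing the list to inotifywait. Function names are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not maldet's own code: read a paths file so that a final line
# without a trailing newline still counts, then verify the entries.

# read_paths_file FILE: print one usable path per line; blank lines and '#'
# comments are skipped. Returns 1 if the file yields no path at all.
read_paths_file() {
    local file="$1" line count=0
    [ -r "$file" ] || return 1
    # `|| [ -n "$line" ]` processes the last line even when it has no newline
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                           # strip trailing comment
        line=${line#"${line%%[![:space:]]*}"}      # trim leading whitespace
        line=${line%"${line##*[![:space:]]}"}      # trim trailing whitespace
        [ -n "$line" ] || continue
        printf '%s\n' "$line"
        count=$((count + 1))
    done < "$file"
    [ "$count" -gt 0 ]
}

# count_existing_dirs FILE: print how many listed paths are directories and
# warn on stderr about each one that is not (a typo would otherwise be
# passed to inotifywait and silently watch nothing).
count_existing_dirs() {
    local p n=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -d "$p" ]; then
            n=$((n + 1))
        else
            echo "not a directory: $p" >&2
        fi
    done <<EOF
$(read_paths_file "$1")
EOF
    echo "$n"
}
```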

--clean command error

When I try and run the --clean command for any scan id I get this:

maldet --clean 140715-0536.25502
Linux Malware Detect v1.5
(C) 2002-2014, R-fx Networks [email protected]
(C) 2014, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(26200): file path error on /usr/local/maldetect/quarantine/., aborting.

Cleaning always fail on Cloudlinux (CentOS)

Here's the error I'm getting when trying to clear infected files:

maldet -q 120214-0318.950671
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(1048536): {quar} malware quarantined from '/home/XXXXX/domains/XXXXX.pl/public_html/images/stories/aaa.gif' to '/usr/local/maldetect/quarantine/aaa.gif.332'
maldet(1048536): {clean} restoring /usr/local/maldetect/quarantine/aaa.gif.332 for cleaning attempt
maldet(1048536): {clean} trying to clean /home/XXXXX/domains/XXXXX.pl/public_html/images/stories/aaa.gif with gzbase64.inject.unclassed rule
/usr/local/sbin/maldet: line 374: #!/bin/bash: No such file or directory
maldet(1048536): {clean} rescanning /home/XXXXX/domains/XXXXX.pl/public_html/images/stories/aaa.gif for malware hits
maldet(1048536): {clean} clean failed on /home/XXXXX/domains/XXXXX.pl/public_html/images/stories/aaa.gif and returned to quarantine
maldet(1048536): {quar} malware quarantined from '/home/XXXXX/domains/XXXXX.pl/public_html/images/stories/wawalo.gif' to '/usr/local/maldetect/quarantine/wawalo.gif.22508'

The error "/usr/local/sbin/maldet: line 374: #!/bin/bash: No such file or directory" appears every time maldet tries to clean a file. This also happens on different server with similar configuration. Bash is installed:

$ which bash
/bin/bash
$ uname -a
Linux xxxxxx.pl 2.6.32-531.23.3.lve1.2.66.el6.x86_64 #1 SMP Fri Sep 12 10:57:40 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/issue
CloudLinux Server release 6.6 (Leonid Kizim)
Kernel \r on an \m

maldet error from /usr/bin/wc when monitoring files

When I run the command:
/usr/local/sbin/maldet --monitor /usr/local/maldetect/monitor_paths
Linux Malware Detect v1.5
(C) 2002-2014, R-fx Networks [email protected]
(C) 2014, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

/usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.7219: No such file or directory
maldet(7219): {mon} added /var/www/vhosts to inotify monitoring array
maldet(7219): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(7219): {mon} inotify startup successful (pid: 7308)
maldet(7219): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log

ClamAV failure

It looks like when maldet updated at midnight as part of my daily scan and backup script it broke ClamAV. As this is on my mail server, and amavis uses clamAV to scan for viruses, this is preventing mail from being sent or delivered.

I've tried running freshclam, maldet -d, maldet -u, restarting clamav-daemon, restarting amavis, etc.

When I try to start ClamAV this is what I get:

service clamav-daemon start

  • Starting ClamAV daemon clamd
    LibClamAV Error: cli_load(): Can't open file /var/lib/clamav/lmd.user.hdb
    LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/lmd.user.hdb
    ERROR: Can't open file or directory [fail]

contents of /var/lib/clamav:

drwxr-xr-x 2 clamav clamav 4096 Sep 19 02:15 ./
drwxr-xr-x 59 root root 4096 Aug 26 07:41 ../
-rw-r--r-- 1 clamav clamav 407040 Aug 20 11:45 bytecode.cld
-rw-r--r-- 1 clamav clamav 101435904 Sep 18 13:52 daily.cld
lrwxrwxrwx 1 root root 38 Sep 19 00:01 lmd.user.hdb -> /usr/local/maldetect/sigs/lmd.user.hdb
lrwxrwxrwx 1 root root 38 Sep 19 00:01 lmd.user.ndb -> /usr/local/maldetect/sigs/lmd.user.ndb
-rw-r--r-- 1 clamav clamav 64720632 Sep 17 2013 main.cvd
-rw------- 1 clamav clamav 1196 Sep 19 02:15 mirrors.dat
lrwxrwxrwx 1 root root 34 Sep 19 00:01 rfxn.hdb -> /usr/local/maldetect/sigs/rfxn.hdb
lrwxrwxrwx 1 root root 34 Sep 19 00:01 rfxn.ndb -> /usr/local/maldetect/sigs/rfxn.ndb

contents of /usr/local/maldetect/sigs:

ll /usr/local/maldetect/sigs
total 2584
drwxr-xr-x 3 root root 4096 Sep 19 00:04 ./
drwxr-xr-x 11 root root 4096 Sep 19 02:10 ../
drwxr-xr-x 2 root root 4096 Sep 12 2013 appver/
-rw-r--r-- 1 root root 0 Sep 19 00:01 custom.hex.dat
-rw-r--r-- 1 root root 0 Sep 19 00:01 custom.md5.dat
-rw-r--r-- 1 root root 429904 Sep 18 18:18 hex.dat
lrwxrwxrwx 1 root root 48 Sep 19 00:04 lmd.user.hdb -> /usr/local/maldetect/tmp/.runtime.user.13092.hdb
lrwxrwxrwx 1 root root 48 Sep 19 00:04 lmd.user.ndb -> /usr/local/maldetect/tmp/.runtime.user.13092.ndb
-rw-r--r-- 1 root root 14 Sep 19 00:01 maldet.sigs.ver
-rw-r--r-- 1 root root 551001 Sep 18 18:18 md5.dat
-rw-r--r-- 1 root root 602518 Sep 18 18:18 md5v2.dat
-rw-r--r-- 1 root root 598632 Sep 18 18:18 rfxn.hdb
-rw-r--r-- 1 root root 437560 Sep 18 18:18 rfxn.ndb

contents of /usr/local/maldetect/tmp:

ll /usr/local/maldetect/tmp
total 8
drwxr-x--- 2 root root 4096 Sep 19 00:04 ./
drwxr-xr-x 11 root root 4096 Sep 19 02:10 ../
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.alert.hits
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.clean.hits
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.monitor.alert
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.susp.hits

so as you can see the .runtime.user.13092.* files are missing.

The error I'm getting in my /var/log/mail.log is:

Sep 19 02:08:52 pigeon amavis[4089]: (04089-06) (!)run_av (ClamAV-clamscan) FAILED - unexpected exit 2, output="LibClamAV Error: cli_load(): Can't open file /var/lib/clamav/lmd.user.hdb\nLibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/lmd.user.hdb\nERROR: Can't open file or directory"

relevant lines from /var/log/clamav/clamav.log:

Fri Sep 18 22:17:23 2015 -> SelfCheck: Database status OK.
Fri Sep 18 23:21:25 2015 -> SelfCheck: Database status OK.
Sat Sep 19 00:01:35 2015 -> Reading databases from /var/lib/clamav
Sat Sep 19 00:01:38 2015 -> ERROR: reload db failed: Can't open file or director
y
Sat Sep 19 00:01:38 2015 -> Terminating because of a fatal error.
Sat Sep 19 00:01:38 2015 -> Pid file removed.
Sat Sep 19 00:01:38 2015 -> --- Stopped at Sat Sep 19 00:01:38 2015
Sat Sep 19 00:01:38 2015 -> Socket file removed.

relevant lines from /usr/local/maldetect/logs/event_log

Sep 19 00:01:31 pigeon maldet(11534): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11534): {sigup} local signature set is version 2015091828029
Sep 19 00:01:31 pigeon maldet(11534): {sigup} latest signature set already installed
Sep 19 00:01:31 pigeon maldet(11237): {update} completed update v1.4.2 => v1.5, running signature updates...
Sep 19 00:01:31 pigeon maldet(11619): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11619): {sigup} local signature set is version 2015091828029
Sep 19 00:01:31 pigeon maldet(11619): {sigup} latest signature set already installed
Sep 19 00:01:31 pigeon maldet(11237): {update} update and config import completed.
Sep 19 00:01:31 pigeon maldet(11237): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11237): {sigup} local signature set is version 2015091516329
Sep 19 00:01:31 pigeon maldet(11237): {sigup} new signature set (2015091828029) available
Sep 19 00:01:32 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
Sep 19 00:01:33 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
Sep 19 00:01:34 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
Sep 19 00:01:35 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
Sep 19 00:01:35 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
Sep 19 00:01:35 pigeon maldet(11237): {sigup} signature set update completed
Sep 19 00:01:35 pigeon maldet(11237): {sigup} 10822 signatures (8908 MD5 / 1914 HEX)
Sep 19 00:01:36 pigeon maldet(11791): {scan} launching scan of /root changes in last 1d to background, see /usr/local/maldetect/logs/event_log for progress
Sep 19 00:01:36 pigeon maldet(11791): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
Sep 19 00:01:36 pigeon maldet(11791): {scan} building file list for /root of new/modified files from last 1 days, this might take awhile...
Sep 19 00:01:36 pigeon maldet(11791): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
Sep 19 00:01:36 pigeon maldet(11791): {scan} executed /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/find /root /tmp /var/tmp /dev/shm -maxdepth 15 -regextype posix-egrep -type f ( -mtime -1 -o -ctime -1 ) -size +24c -size -6947618c -not -perm 000 -not -regex "" -not -uid 0 -not -gid 0
Sep 19 00:01:37 pigeon maldet(11791): {scan} file list completed in 1s, found 69 files...
Sep 19 00:01:37 pigeon maldet(11791): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
Sep 19 00:01:37 pigeon maldet(11791): {scan} scan of /root (69 files) in progress...
Sep 19 00:01:38 pigeon maldet(11791): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!

relevant lines from /usr/local/maldetect/logs/clamscan_log:

Sep 19 00:01:37 pigeon clamscan start
Sep 19 00:01:37 pigeon executed: /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --infected -
-no-summary -f /usr/local/maldetect/tmp/.find.11791
ERROR: Communication error
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
.
.
.
Sep 19 00:01:42 pigeon clamscan start
Sep 19 00:01:42 pigeon executed: /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --max-filesiz
e=5M --max-scansize=5M -d /usr/local/maldetect/tmp/.runtime.user.12047.hdb -d /usr/local/maldetect/tmp/.runtim
e.user.12047.ndb -r --infected --no-summary -f /usr/local/maldetect/tmp/.find.12047
WARNING: Ignoring unsupported option --max-filesize
WARNING: Ignoring unsupported option --max-scansize
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --recursive (-r)
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
.
.
.

This is a MAJOR issue. For now I have disabled anti-virus checking in amavis like this:

Try this on Debian or Ubuntu:

Add a new file /etc/amavis/conf.d/90-custom

with the following content:


use strict;

@bypass_virus_checks_maps  = (1);

#------------ Do not modify anything below this line -------------
1;  # insure a defined return

and restart amavisd.
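The outage above has a single trigger: /var/lib/clamav/lmd.user.hdb is a symlink chain ending in /usr/local/maldetect/tmp/.runtime.user.13092.hdb, a per-run file the update removed, so clamd's reload fails on a dangling link and takes amavis with it. The earlier post that copies rfxn.hdb and rfxn.ndb into /var/lib/clamav for clamdscan avoids that by copying instead of linking, but neither post checks the result before clamd reloads. As an added example serving both posts (not code from LMD or ClamAV), the following verifies that every .hdb/.ndb in a database directory resolves to a readable file whose lines are in ClamAV's documented format, and reports dangling symlinks explicitly. Function names and the constructed signature lines in the usage test are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not LMD's or ClamAV's own code: sanity-check a ClamAV database
# directory before clamd is (re)started or reloads it.

# Line formats from the ClamAV signature manual (blank and '#' lines allowed):
#   .hdb  HashString:FileSize:MalwareName[:MinFL[:MaxFL]]   (LMD ships MD5 hashes)
#   .ndb  MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
# The hex body may carry ClamAV wildcards: ?? * {n-m} [n-m] (aa|bb) !(...) (B) (L) (W)
HDB_RE='^(#.*)?$|^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}):([0-9]+|\*):[^:]+(:[0-9]+){0,2}$'
NDB_RE='^(#.*)?$|^[^:]+:[0-9]+:[^:]+:[]0-9a-fA-F*{}()|?!BLW[-]+(:[0-9]+){0,2}$'

# check_clamav_db DIR: print one line per problem found under DIR and return
# the number of problem files (0 means clamd should be able to load them all).
check_clamav_db() {
    local dir="$1" f ext re bad problems=0
    for f in "$dir"/*.hdb "$dir"/*.ndb; do
        [ -e "$f" ] || [ -L "$f" ] || continue          # glob matched nothing
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "DANGLING: $f -> $(readlink "$f")"      # the failure seen above
            problems=$((problems + 1)); continue
        fi
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "UNREADABLE: $f"
            problems=$((problems + 1)); continue
        fi
        ext=${f##*.}
        case $ext in hdb) re=$HDB_RE ;; *) re=$NDB_RE ;; esac
        bad=$(grep -Evc "$re" "$f") || true              # grep -c exits 1 when the count is 0
        if [ "$bad" -gt 0 ]; then
            echo "MALFORMED: $f ($bad line(s) not in .$ext format)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# install_lmd_sigs LMD_SIGS CLAMAV_DB: copy (never symlink) LMD's ClamAV-format
# signature files into clamd's database directory, then verify the directory.
install_lmd_sigs() {
    local src="$1" dst="$2" f
    for f in rfxn.hdb rfxn.ndb; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp -f "$src/$f" "$dst/$f"
    done
    check_clamav_db "$dst"
}
```

Run check_clamav_db from the same cron job that updates LMD, after the update and before any clamd restart, and skip the restart when it returns non-zero: a dangling link or a malformed file then costs a missed signature refresh rather than a down mail scanner. Real files are copied rather than linked because anything under /usr/local/maldetect/tmp is per-run and can disappear, exactly as the .runtime.user.13092.* files did above.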

Permission problems with mod_security rules script modsec.sh

Hello!

Given that maldet is usually run as a service and as root, how is the mod_security script mentioned in the latest Readme supposed to work? If I create a rule like this:

SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1234567890'"

the script is called correctly but will never run correctly because of the permission issues. What to fix?

sed: couldn't open temporary file /usr/local/maldetect//sed44G0xh: Permission denied
ln: accessing `/usr/local/maldetect/sigs/lmd.user.ndb': Permission denied
ln: accessing `/usr/local/maldetect/sigs/lmd.user.hdb': Permission denied
/usr/local/maldetect/internals/functions: line 1486: /usr/local/maldetect/tmp/.runtime.hexsigs.6306: Permission denied
cp: accessing `/usr/local/maldetect/tmp/.runtime.user.6306.ndb': Permission denied
cp: accessing `/usr/local/maldetect/tmp/.runtime.user.6306.hdb': Permission denied
/usr/bin/wc: /usr/local/maldetect/sigs/hex.dat: Permission denied
/usr/bin/wc: /usr/local/maldetect/sigs/md5v2.dat: Permission denied
cat: /usr/local/maldetect/sigs/md5v2.dat: Permission denied
/usr/bin/wc: /usr/local/maldetect/logs/clamscan_log: Permission denied
/usr/local/maldetect/internals/functions: line 1126: [: : integer expression expected
/usr/local/maldetect/internals/functions: line 925: /usr/local/maldetect/logs/clamscan_log: Permission denied
/usr/local/maldetect/internals/functions: line 932: /usr/local/maldetect/logs/clamscan_log: Permission denied
/usr/local/maldetect/internals/functions: line 933: /usr/local/maldetect/logs/clamscan_log: Permission denied
/usr/local/maldetect/internals/functions: line 957: /usr/local/maldetect/logs/clamscan_log: Permission denied
rm: cannot remove `/usr/local/maldetect/tmp/.runtime.user.6306.ndb': Permission denied
rm: cannot remove `/usr/local/maldetect/tmp/.runtime.user.6306.hdb': Permission denied
rm: cannot remove `/usr/local/maldetect/tmp/.runtime.hexsigs.6306': Permission denied
[Mon Mar 16 03:03:45 2015] [error] [client X] ModSecurity: Access denied with code 406 (phase 2). File "/tmp/20150316-030344-VQY6ALIgmqkAAAJxIH4AAAAH-file-SZ1jzV" rejected by the approver script "/usr/local/maldetect/modsec.sh": maldet(6306): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6 [file "/usr/local/apache/conf/modsec2.user.conf"] [line "60"] [id "950115"] [msg "Virus found in uploaded file"] [severity "CRITICAL"] [tag "MALICIOUS_SOFTWARE/VIRUS"] [tag "PCI/5.1"] [hostname "acme.com"] [uri "/upload.php"] [unique_id "VQY6ALIgmqkAAAJxIH4AAAAH"]

Maldet ignore files in /var/www/vhosts

Hi,

We have 9 servers with Plesk, and on all of them maldet is installed with the same configuration. All servers run under CentOS 7 and are configured exactly the same. On only 2 of them does maldet scan user files under /var/www/vhosts; the other 7 tell us this:

[root@xxx htdocs]# maldet -a /var/www/vhosts
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(16965): {scan} signatures loaded: 10795 (8882 MD5 / 1913 HEX)
maldet(16965): {scan} building file list for /var/www/vhosts, this might take awhile...
maldet(16965): {scan} scan returned zero results, please provide a new path.

There are over 100 domains and I can't believe that maldet can not find anything. We searched through Google but found nothing about that.
Any input or help would be appreciated.

Regards,
Pera

Init script and log rotation for maldet monitoring

Here is my first attempt at an init script to start maldet monitoring at boot (original issue #15 ). The script expects your monitor paths to be defined in the file /usr/local/maldetect/monitor_paths. Customize it as you wish.. contributions welcome!

#!/bin/bash
#
# maldet    Maldet inotify monitoring
#
# chkconfig: 345 70 30
# description: Maldet inotify monitoring
# processname: maldet

# Source function library.
. /etc/init.d/functions

RETVAL=0
prog="maldet"
LOCKFILE=/var/lock/subsys/$prog

start() {
        echo -n "Starting $prog: "
        /usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch $LOCKFILE
        echo
        return $RETVAL
}

stop() {
        echo -n "Shutting down $prog: "
        /usr/local/maldetect/maldet --kill-monitor && success || failure
        RETVAL=$?
        # Only drop the subsys lock once the monitor has actually been stopped.
        [ $RETVAL -eq 0 ] && rm -f $LOCKFILE
        echo
        return $RETVAL
}

restart() {
        stop
        start
}

status() {
        echo -n "Checking $prog monitoring status: "
        # The monitor is up when an inotifywait launched from the maldetect tree is running as root.
        if [ "$(ps -A --user root -o "cmd" | grep maldetect | grep inotifywait)" ]; then
                echo "Running"
        else
                echo "Not running"
        fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart)
        restart
        ;;
    condrestart)
        if [ -f $LOCKFILE ]; then
            restart
        fi
        ;;
    *)
        echo "Usage: $prog {start|stop|status|restart|condrestart}"
        exit 1
        ;;
esac
exit $RETVAL

Update: I've added the option condrestart so we only restart the inotify monitoring if it's already running.

maldet 1.4.2 always exits with status 1 (error)

For some reason every time I run maldet, it exits with status 1. I can't even tell that there is anything particularly wrong. There are no "hits" (no malware found). I can fake it, easily enough, but it would be good to know what is failing. I am running this via Jenkins, which watches for exit status (it runs in bash -e)

# maldet -r /tmp
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(25129): {scan} signatures loaded: 13793 (11892 MD5 / 1901 HEX)
maldet(25129): {scan} building file list for /tmp of new/modified files from last 7 days, this might take awhile...
maldet(25129): {scan} file list completed, found 10 files...
maldet(25129): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(25129): {scan} scan of /tmp (10 files) in progress...

maldet(25129): {scan} scan completed on /tmp: files 10, malware hits 0, cleaned hits 0
maldet(25129): {scan} scan report saved, to view run: maldet --report 021715-1819.25129
# echo $?
1
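
Added example, not from this issue or from the LMD project: a POSIX sh wrapper for a CI job that decides pass/fail from maldet's own "scan completed" summary line instead of the process exit code, which the transcript above shows is 1 even with zero hits. It assumes maldet is on PATH and that the summary keeps the "malware hits N" wording shown above; the sample outputs below are constructed from that transcript.

```shell
#!/bin/sh
# Added example (not LMD project code): derive a CI verdict from maldet's
# "{scan} scan completed" line rather than from its exit status.

# maldet_hits <scan-output>
# Prints the "malware hits N" count from the last completion line,
# or -1 when no completion line is present (scan aborted or output garbled).
maldet_hits() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/.*{scan} scan completed on .*malware hits \([0-9][0-9]*\).*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${n:--1}"
}

# maldet_ci_status <scan-output>
# Returns 0 for a completed scan with zero hits, 2 when hits were found,
# 3 when the scan never reported completion (treated as a failure, not clean).
maldet_ci_status() {
    hits=$(maldet_hits "$1")
    case "$hits" in
        -1) return 3 ;;
        0)  return 0 ;;
        *)  return 2 ;;
    esac
}

# Constructed sample outputs modelled on the transcript in the issue above.
CLEAN_RUN='maldet(25129): {scan} scan of /tmp (10 files) in progress...
maldet(25129): {scan} scan completed on /tmp: files 10, malware hits 0, cleaned hits 0
maldet(25129): {scan} scan report saved, to view run: maldet --report 021715-1819.25129'

HIT_RUN='maldet(25130): {scan} scan completed on /tmp: files 10, malware hits 2, cleaned hits 0'

ABORTED_RUN='maldet(25131): {scan} building file list for /tmp, this might take awhile...'

# Demonstration on the constructed samples (prints the derived hit counts).
for run in "$CLEAN_RUN" "$HIT_RUN" "$ABORTED_RUN"; do
    echo "hits=$(maldet_hits "$run")"
done

# In a Jenkins step (assumes maldet is on PATH):
#   out=$(maldet -r /tmp 2>&1); maldet_ci_status "$out" || exit $?
```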

freebsd

Hey there.
Got a few small problems running LMD on FreeBSD.

which bash
/usr/local/bin/bash
not /bin/bash

$OSTYPE in internals.conf is not equal to FreeBSD;
it should be something like
if [ "$OSTYPE" == "freebsd8.1" ]; then

maldet directory scan number of files is incorrect

Hi,
I'm testing maldet 1.4.2 on a CentOS 6.6 / Plesk 12 server.

Install and setup has all gone fine. I've been doing some testing by running manual scans on some specific directories; however, I've just noticed that the number of files that maldet reports as found in a given directory is always a couple of thousand higher than the actual number of files that are present.

For example:

maldet(28957): {scan} building file list for /var/www/vhosts/xxxx.co.nz/httpdocs/, this might take awhile...
maldet(28957): {scan} file list completed, found 2946 files...
maldet(28957): {scan} 2946/2946 files scanned: 0 hits 0 cleaned
maldet(28957): {scan} scan completed on /var/www/vhosts/xxxx.co.nz/httpdocs/: files 2946, malware hits 0, cleaned hits 0

However, if I go to the directory above and use:

find . -type f | wc -l

I get a result of 17 files -- which is correct.

I've tested on some other directories and the maldet number always seems to be ~2600 higher than the actual.

Any ideas why this might be happening?

I would really appreciate any help, and will be happy to donate to this project once I can get it all working properly.

Thanks.

Restore doesn't recognise legitimate SCANID

As shown below, maldet recognises the first scanid but not the second one:

$ sudo maldet -e list
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

TIME: Mar 18 21:10:12 +0000 | SCAN ID: 031815-1949.3300
TIME: Mar 19 18:47:36 +0000 | SCAN ID: 031915-1847.31789

$ sudo maldet --restore 031815-1949.3300
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

$ sudo maldet --restore 031915-1847.31789
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19216): {restore} invalid file or could not be found

ignore_file_ext and ignore_sigs files not working when scan_clamscan=1

Entries added to either ignore_file_ext or ignore_sigs are not being ignored.

cat /usr/local/maldetect/ignore_file_ext

.txt

cat /usr/local/maldetect/ignore_sigs

{CAV}Eicar-Test-Signature

Command run:

maldet -b --scan-all /var/www/vhosts/?/httpdocs

maldet --report 150107-1249.29105

HOST:      example.com
SCAN ID:   150107-1249.29105
STARTED:   Jan  7 2015 12:49:34 -0700
COMPLETED: Jan  7 2015 12:49:34 -0700
ELAPSED:   0s [find: 0s]

PATH:          /var/www/vhosts/*/httpdocs
TOTAL FILES:   154
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 150107-1249.29105

FILE HIT LIST:
{CAV}Eicar-Test-Signature  :  /var/www/vhosts/example.com/httpdocs/eicar.txt
===============================================
Linux Malware Detect v1.5 < [email protected] >

inotify process not found

I try to run
maldet -m /var

I got:
maldet(19972): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(19972): {mon} no inotify process found, check /usr/local/maldetect/logs/inotify_log for errors.

but log inotify is empty.

I can make
root@web:/var/www-jcarnus/wcc# inotifywait /var
Setting up watches.
Watches established.

False alarm LMD

Hello.
I am a representative of the software 2x2 cms, an online store management system (state registration number 2015618097 of the Russian Federation).
On one of the largest hosting providers, LMD is used to monitor virus activity.
The essence of the problem is that when you try to use the online store management system 2x2, LMD detects php.mailer.Mzh in two main core files:
{HEX} php.mailer.Mzh.508: u0101636: /classes/System.php
{HEX} php.mailer.Mzh.508: u0101636: /classes/Sec.php
This is processed automatically and blocks their work.

It is obviously a false positive, because these 2 files use obfuscated references to the global-scope variable GLOBALS, variations of base64_decode and other PHP obfuscation techniques that are also used by malicious scripts. In reality, these two scripts do not even use the mail function; their main purpose is monitoring and verification of the license.

This hosting provider is very popular, and because of these false alarms we have difficulty in working with clients.

For example, a check on the popular web antivirus VirusTotal gives one false positive out of 56, from the Vietnamese antivirus Bkav, whose developers we are now trying to get in touch with.

Where can I send the 2 file for inspection?

Sincerely, Vladimir.

maldet --monitor command writes empty zero file to current/working directory

If I run the maldet --monitor command it creates an empty file named "0" in the current/working directory:

 [test3]# maldet --monitor /usr/local/maldetect/monitor_paths
Linux Malware Detect v1.5
            (C) 2002-2014, R-fx Networks <[email protected]>
            (C) 2014, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19579): {mon} added /var/www/vhosts to inotify monitoring array
maldet(19579): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(19579): {mon} inotify startup successful (pid: 19668)
maldet(19579): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log
[test3]# ls -la
total 8
drwxr-xr-x   2 root root 4096 Jan  7 11:00 .
dr-xr-x---. 22 root root 4096 Jan  7 11:00 ..
-rw-r--r--   1 root root    0 Jan  7 11:00 0

Maldet "command not found"

Hello,

Yesterday I installed version 1.5 on one of my servers and all was working fine. Today, when I ran a manual scan, maldet couldn't find a command from the "functions" file, as shown below:

root@server [/usr/local/maldetect]# maldet -a /home/user/public_html/
Linux Malware Detect v1.5
(C) 2002-2014, R-fx Networks [email protected]
(C) 2014, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} signatures loaded: 10749 (8838 MD5 / 1911 HEX / 0 USER)
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} building file list for /home/user/public_html/, this might take awhile...
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} file list completed in 0s, found 206 files...
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} scan of /home/user/public_html/ (206 files) in progress...
maldet(700416): {scan} 206/206 files scanned: 0 hits 0 cleaned
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} scan completed on /home/user/public_html/: files 206, malware hits 0, cleaned hits 0, time 8s
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} scan report saved, to view run: maldet --report 150407-0935.700416

I tried to replace the "functions" file from the original installation but it didn't help.

Please let me know how to fix this or if anyone else is experiencing this issue.

running hookscan as user

/usr/local/maldetect/hookscan.sh index.php

sed: couldn't open temporary file /usr/local/maldetect/sedv8orGk: Permission denied
ln: creating symbolic link `/usr/local/maldetect/sigs/lmd.user.ndb': Permission denied
ln: creating symbolic link `/usr/local/maldetect/sigs/lmd.user.hdb': Permission denied
/usr/local/maldetect/internals/functions: line 1653: /usr/local/maldetect/tmp/.runtime.hexsigs.10932: Permission denied
rm: cannot remove `/var/lib/clamav//rfxn.hdb': Permission denied
rm: cannot remove `/var/lib/clamav//rfxn.ndb': Permission denied
1 maldet: OK

Generate own signatures

Is there an easy way for me to generate my own threat signatures? More than happy to share the signatures I'd generate with the community. Just not sure how to go about this?
