Secure your server – Linux Malware Detect (LMD)

Malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner’s informed consent.

The context which malware applies to this article is any malicious software, scripts or content that may have found its way onto a Linux system by means of a user account, such as in a shared hosted environment.

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 (free, open source) license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature, threats found on the TCH network of over 30,000 hosted domains and from malware community resources.


Download the new version of LMD to the /tmp folder.

[code]cd /tmp

Now extract the .tar.gz file and use the install script that is included with the package:

[code]tar zxvf maldetect-current.tar.gz
cd cd maldetect-*

It will give you an output showing the process and new download of malware definitions. After the installation edit the configuration file to your needs by opening the file with your favorite text-editor:

[code]nano /usr/local/maldetect/conf.maldet[/code]

My sample configuration:

[code]# [ EMAIL ALERTS ]
# The default email alert toggle
# [0 = disabled, 1 = enabled]

# The subject line for email alerts
email_subj="Malware alert – Host: $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.

# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]

# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
# minimum userid that can be suspended

It is wise to do a one-time sweep of the server or webserver directory’s. This command will scan the homefolder for malware:

[code]maldet –scan-all /home[/code]

By default there is a cronjob in place to do a overnight scan. You can change the options in the /etc/cron.daily folder.

More information:

  1. I installed it, but how to check whether it is running, i found no entry in ps aux | grep mal and no cronjob in crontab -l


  2. The cronjob installed by LMD is located at /etc/cron.daily/maldet and is used to perform a daily update of signatures, keep the session, temp and quarantine data to no more than 14d old and run a daily scan of recent file system changes.


Geef een reactie

%d bloggers liken dit: