Getting a malware scanner installed on your web server should be a priority, done pretty much as soon as the server is set up. If you are on shared hosting this will probably not be possible, as you don’t control what can be installed globally, but your hosting provider should offer some form of malware scanning. If you are on a VPS or dedicated server plan then you certainly are in a position to set up your own solution.
One of the key malware scanners is Linux Malware Detect (LMD). It works very nicely, scanning any Linux based server against an updated database of known malware exploits, in particular a registry maintained by Team Cymru. LMD can also integrate with the ClamAV scanner, which speeds up file scanning.
The installation and setup take place on the command line: SSH in and cd to /root.
Get Linux Malware Detect
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Extract It
tar -xvf maldetect-current.tar.gz
Remove the Archive
rm maldetect-current.tar.gz
Move in and Run the Installer
cd maldetect-1.4.2/
./install.sh
… this will download the latest hash registry databases. Now to configure:
Configure Linux Malware Detect
Using nano…
nano /usr/local/maldetect/conf.maldet
Set up Email Alerts
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=0

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="[email protected]"
Swap the alert toggle to 1, adjust the subject line if desired, and add your email address.
Daily Malware Scans
When installed LMD (Linux Malware Detect) adds a cron job to the daily folder:
/etc/cron.daily/maldet
This cron job updates the malware registry it initially downloaded, including any new malware threats, and also scans all home directories on the server. If anything is found you will get an email telling you the path to the offending file.
Dealing With Malware Files
Once you get a hit on a malware file you can open the file and clean the malware code out. Then work out how it got in in the first place: software patching, updating passwords etc.
You can also opt to have LMD quarantine any file it finds – this is done back in the config file, in the quarantine section just below the Email Alert section:
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=0

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1
The default is just to alert, but you can opt to have LMD move the file out of the filesystem into quarantine and also try to remove the malware code – then you just need to inspect and restore the file.
Manual Malware Scans
Of course you can also run manual scans at will on all files or selectively:
maldet -a /home/homedir/public_html/
Or all home directories, using the ? wildcard:
maldet -a /home/?/public_html/
Further Options
Check further usage with:
maldet --help
Using ClamAV Binary as Scanner Engine on cPanel/WHM Server
You can use ClamAV as the scanner engine, which speeds up the scanning process. If using cPanel on the server you can install ClamAV in WHM under Manage Plugins – once installed the actual binary is filed under:
/usr/local/cpanel/3rdparty/bin/clamscan
But LMD is looking for it here:
/usr/bin/clamscan
Make a soft link alias:
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan
Now the scan time will be up to 4 times faster. Other non-cPanel servers will have the binary in the right place already (well, maybe).
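As an added example (not from the original post or the LMD project), here is a small POSIX shell script that applies the email alert and quarantine settings from the sections above with anchored sed edits rather than hand-editing in nano, and creates the clamscan soft link only when the cPanel binary exists and the link does not. It assumes the key=value layout of conf.maldet shown above; the CONF path and the example address are constructed placeholders.

```shell
#!/bin/sh
# Added example: configure LMD alerts/quarantine and the clamscan link.
set -eu

CONF="${CONF:-/usr/local/maldetect/conf.maldet}"   # assumed default path

# Replace the value of KEY in FILE in place; refuse if KEY is absent so a
# typo in the key name does not silently add a line LMD never reads.
set_conf_value() {
    file="$1"; key="$2"; value="$3"
    grep -q "^${key}=" "$file" || { echo "missing key: $key" >&2; return 1; }
    sed -i "s|^${key}=.*|${key}=${value}|" "$file"
}

# Print the current value of KEY in FILE with surrounding quotes stripped.
get_conf_value() {
    sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tr -d '"'
}

# Enable alerts to ADDR and move-and-clean quarantine, as the post recommends.
configure_maldet() {
    file="$1"; addr="$2"
    set_conf_value "$file" email_alert 1
    set_conf_value "$file" email_addr "\"$addr\""
    set_conf_value "$file" quar_hits 1
    set_conf_value "$file" quar_clean 1
}

# Create DST -> SRC if SRC is an executable and DST does not already exist.
# Returns 0 when a usable DST is present afterwards, 1 otherwise.
ensure_clamscan_link() {
    src="$1"; dst="$2"
    if [ ! -e "$dst" ] && [ -x "$src" ]; then
        ln -s "$src" "$dst"
    fi
    [ -x "$dst" ]
}

# Usage: CONF=/path/to/conf.maldet ./lmd-setup.sh apply admin@example.com
if [ "${1:-}" = "apply" ]; then
    configure_maldet "$CONF" "${2:?email address required}"
    ensure_clamscan_link /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan \
        || echo "no clamscan at /usr/bin/clamscan; LMD will use its own scanner" >&2
fi
```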