Linux Malware Detect on Debian 6 with ISPConfig 3

Discussion in 'Tips/Tricks/Mods' started by felan, Aug 30, 2012.

  1. felan

    felan Member HowtoForge Supporter

    I just added this system to two production servers and felt like sharing this with the rest of you. The system is pretty good at detecting malware in websites. Hope you will all enjoy it.
    -----
    To install maldet

    1. Install

    First we need to install inotify-tools

    apt-get install inotify-tools

    Now we are ready to install maldetect. Run the following commands.

    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -xzvf maldetect-current.tar.gz
    cd maldetect-*
    sh install.sh


    2. Configuring your system.

    First we need to modify the main script to work with Debian.

    Edit
    vi /usr/local/maldetect/maldet

    Replace the line that starts with $nice in the main maldet script with the following:
    $nice -n $inotify_nice $inotify -r --fromfile $inotify_fpaths $exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> $inotify_log 2>&1 &

    Close and save.

    Edit
    vi /usr/local/maldetect/internals.conf

    Find inotify= and change the value to /usr/bin/inotifywait

    Next delete inotifywait and libinotifytools.so.0

    rm -rf /usr/local/maldetect/inotify/inotifywait
    rm -rf /usr/local/maldetect/inotify/libinotifytools.so.0

    Next step is to make sure that the cronjob works as it should.

    vi /etc/cron.daily/maldet

    Comment out
    /usr/local/maldetect/maldet -d >> /dev/null 2>&1

    This prevents it from upgrading itself. If it does, all the changes we've just made will disappear. It is better to upgrade manually until we get proper Debian support in the package.

    Next comment out
    /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1

    Add this beneath instead.
    # Instead use ISPConfig 3 path var/www
    /usr/local/maldetect/maldet -b -r /var/www

    Comment out these lines as well, as they are not needed.
    if [ -d "/var/www/html" ]; then
    /usr/local/maldetect/maldet -b -r /var/www/html 2
    fi
    if [ -d "/usr/local/apache/htdocs" ]; then
    /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
    fi

    Save and quit.

    If you want to run maldetect as a monitor, type
    /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist

    If you want to run the monitor at boot, we need to add some paths.
    Now to add some paths to scan and monitor.

    vi /usr/local/maldetect/maldetfilelist

    Insert
    /var/www/clients

    Edit /etc/rc.local
    vi /etc/rc.local

    Insert
    /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
     
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Thanks for this howto.

    I would suggest some changes, though.

    Instead of changing the cron line I would simply add the following below the psa check
    Code:
    elif [ -d "/usr/local/ispconfig" ]; then
    # ispconfig
    /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1
    Before you call the install.sh of the maldet software remove the following line from it:
    cp $inspath/inotify/libinotifytools.so.0 /usr/lib/
    It should not work anyway, copying this file, as a symlink with this name exists, but who knows... The line exists 2 times in the script.
     
  3. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    I have written a shell script to take care of most of those things - you can even leave the autoupdate in place I think, because the maldet file is modified.
    Just take care that the shell script stays at the same place as it was on first call as it is called during update of maldet.

    Code:
    #!/bin/bash
    # debian-specific installation script by M. Cramer <[email protected]>
    # howto taken from howtoforge written by "felan":
    # http://www.howtoforge.com/forums/showthread.php?p=284504
    #
    
    CURDIR=`pwd`
    PROG=`readlink -f $0`
    
    echo "Installing prerequisites..."
    apt-get -y -q install inotify-tools sed
    
    echo "Fetching latest version of maldetect..."
    cd /tmp
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -xzf maldetect-current.tar.gz
    cd maldetect-*
    
    echo "Modifying install script..."
    sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh;
    
    echo "Modifying cron job..."
    sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
            elif [ -d "/usr/local/ispconfig" ]; then\
                    # ispconfig\
                    /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' cron.daily;
    
    echo "Modifying maldet script..."
    sed -r -i 's/^\$nice .*$/\$nice -n \$inotify_nice \$inotify -r --fromfile \$inotify_fpaths \$exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> \$inotify_log 2>\&1 \&/g' files/maldet;
    
    sed -r -i '/lmdup\(\) \{.*$/ a\
    ofile=\$tmpdir/.lmdup_vercheck.\$\$\
    tmp_inspath=/usr/local/lmd_update\
    rm -rf \$tmp_inspath\
    rm -f \$ofile\
    \
    mkdir -p \$tmp_inspath\
    chmod 750 \$tmp_inspath\
    \
    eout "\{update\} checking for available updates..." 1\
    \
    \$wget --referer="http://www.rfxn.com/LMD-\$ver" -q -t5 -T5 "\$lmdurl_ver" -O \$ofile >> /dev/null 2>\&1\
    if \[ -s "\$ofile" \]; then\
            installed_ver=`echo \$ver | tr -d "."`\
            current_ver=`cat \$ofile | tr -d "."`\
            current_hver=`cat \$ofile`\
            if \[ "\$current_ver" -gt "\$installed_ver" \]; then\
                    eout "\{update\} new version \$current_hver found, updating..." 1\
                    '"$PROG"'\
            fi\
    else\
        echo "no update file found. try again later"\
        exit\
    fi\
    \
    rm -rf \$tmp_inspath \$ofile \$ofile_has\
    \
    exit;\
    # skip all the rest\
    ' files/maldet;
    
    echo "Modifying config..."
    sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf
    
    echo "Deleting unnecessary files..."
    rm -f files/inotify/inotifywait
    rm -f files/inotify/libinotifytools.so.0
    
    ./install.sh
    
    rm -r /tmp/maldetect-*
    
    cd $CURDIR
    
    Then just continue with this part of felan's howto:
     
  4. felan

    felan Member HowtoForge Supporter

    That is a pretty nice script, Croydon. Thanks!
     
  5. concept21

    concept21 Active Member

    Hi,
    If I also run clamav, do I need to install this Malware Detect??
     
  6. felan

    felan Member HowtoForge Supporter

    Hiya concept21.

    If you have a lot of CMS sites and do not have time to check them all on a very regular basis, I would recommend it, since it catches PHP code that is injected into the sites. This is not caught by most virus scanners.
     
  7. concept21

    concept21 Active Member

    Hi Friends,
    Do you think your scripts will work on Ubuntu 10.04 64-bit OS or not? I am very interested in it. :rolleyes:
     
  8. felan

    felan Member HowtoForge Supporter

    Without having tested it, I'd say it should.
     
  9. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    There is one very important thing when using it with ispconfig.

    In file maldet there is a line
    users_tot=`cat /etc/passwd | grep -ic home`
    this should be changed to
    users_tot=`cat /etc/passwd | grep -ic var/www`

    Otherwise the maldet inotify monitor will very soon run into trouble because of the watch limit!

    You should change the content of the maldetfilelist file from
    /var/www
    to
    /var/www/clients/*/web*/web
    /var/www/clients/*/web*/private
    at least if you use bind mounts or links inside the /var/www paths

    I modified the installer script to match this.

    /tmp/maldetect.sh
    Code:
    #!/bin/bash
    # debian-specific installation script by M. Cramer <[email protected]>
    # howto taken from howtoforge written by "felan":
    # http://www.howtoforge.com/forums/showthread.php?p=284504
    #
    
    CURDIR=`pwd`
    PROG=`readlink -f $0`
    
    echo "Installing prerequisites..."
    apt-get -y -q install inotify-tools sed
    
    echo "Fetching latest version of maldetect..."
    cd /tmp
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -xzf maldetect-current.tar.gz
    cd maldetect-*
    
    echo "Modifying install script..."
    sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh;
    
    echo "Modifying cron job..."
    sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
            elif [ -d "/usr/local/ispconfig" ] || [ -d "/root/ispconfig" ]; then\
                    # ispconfig\
                    /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' cron.daily;
    
    echo "Modifying maldet script..."
    sed -r -i 's/^\$nice .*$/\$nice -n \$inotify_nice \$inotify -r --fromfile \$inotify_fpaths \$exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> \$inotify_log 2>\&1 \&/g' files/maldet;
    
    sed -r -i 's/cat \/etc\/passwd \| grep -ic home/cat \/etc\/passwd \| grep -ic var\/www/g' files/maldet;
    
    sed -r -i '/lmdup\(\) \{.*$/ a\
    ofile=\$tmpdir/.lmdup_vercheck.\$\$\
    tmp_inspath=/usr/local/lmd_update\
    rm -rf \$tmp_inspath\
    rm -f \$ofile\
    \
    mkdir -p \$tmp_inspath\
    chmod 750 \$tmp_inspath\
    \
    eout "\{update\} checking for available updates..." 1\
    \
    \$wget --referer="http://www.rfxn.com/LMD-\$ver" -q -t5 -T5 "\$lmdurl_ver" -O \$ofile >> /dev/null 2>\&1\
    if \[ -s "\$ofile" \]; then\
            installed_ver=`echo \$ver | tr -d "."`\
            current_ver=`cat \$ofile | tr -d "."`\
            current_hver=`cat \$ofile`\
            if \[ "\$current_ver" -gt "\$installed_ver" \]; then\
                    eout "\{update\} new version \$current_hver found, updating..." 1\
                    '"$PROG"'\
            fi\
    else\
        echo "no update file found. try again later"\
        exit\
    fi\
    \
    rm -rf \$tmp_inspath \$ofile \$ofile_has\
    \
    exit;\
    # skip all the rest\
    ' files/maldet;
    
    echo "Modifying config..."
    sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf
    
    echo "Deleting unnecessary files..."
    rm -f files/inotify/inotifywait
    rm -f files/inotify/libinotifytools.so.0
    
    ./install.sh
    
    rm -r /tmp/maldetect-*
    
    echo "/var/www/clients/*/web*/web" > /usr/local/maldetect/maldetfilelist
    echo "/var/www/clients/*/web*/private" >> /usr/local/maldetect/maldetfilelist
    
    cd $CURDIR
    
    echo "If you want to run the monitor at boot, we need to add some paths."
    echo ""
    echo "vi /etc/rc.local"
    echo ""
    echo "Insert"
    echo "/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist "
     
  10. felan

    felan Member HowtoForge Supporter

    Nice thanks, though now I get a whole lot of /usr/local/maldetect/maldet: line 213: ed: command not found when it adds a path to the array...
     
  11. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Install the "ed" package ;)
     
  12. felan

    felan Member HowtoForge Supporter

    Doh! Thanks, had overlooked that one...
     
  13. concept21

    concept21 Active Member

    Hi,
    I have installed rootkit hunter. Do I still need this MalDetect?
     
  14. felan

    felan Member HowtoForge Supporter

    I would say yes. Rootkit hunter checks your system for rootkits, where maldet checks websites for PHP based malware.
     
  15. concept21

    concept21 Active Member

    Hi,
    I have got this error in /usr/local/maldetect/inotify/inotify_log. How to correct it??

    My OS is Ubuntu 10.04 64 bit. Thanks.



    The '--filename' option no longer exists. The option it enabled in earlier
    versions of inotifywait is now turned on by default.
     
  16. falko

    falko Super Moderator Howtoforge Staff

    Just leave that option out. It is now enabled by default.
     
  17. concept21

    concept21 Active Member

    I have searched the main script file maldetect for the word "filename" but nothing is found.
     
  18. Ovidiu

    Ovidiu Active Member

    Hi there,

    I've run this maldet.sh install script and everything seems fine except that when I run:
    Code:
    /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist 
    I get:
    Code:
    root@h2118175:~# /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
    Linux Malware Detect v1.4.1
                (C) 2002-2011, R-fx Networks <[email protected]>
                (C) 2011, Ryan MacDonald <[email protected]>
    inotifywait (C) 2007, Rohan McGovern <[email protected]>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(7733): {mon} set inotify max_user_instances to 128
    maldet(7733): {mon} set inotify max_user_watches to 46080
    /usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.7733: No such file or directory
    maldet(7733): {mon} added /var/www/clients/client2/web1/web to inotify monitoring array
    maldet(7733): {mon} ignored invalid path /var/www/clients/*/web*/private
    maldet(7733): {mon} starting inotify process on 1 paths, this might take awhile...
    maldet(7733): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
    So something isn't right here yet.

    The log file says:

    Code:
    root@h2118175:~# cat /usr/local/maldetect/inotify/inotify_log 
    /usr/bin/inotifywait: error while loading shared libraries: libinotifytools.so.0: wrong ELF class: ELFCLASS32
    Any idea what could be wrong? Running this on Debian Squeeze. Btw. I had installed this before, as per the original from the author and since I couldn't get the monitor to work I had given up. Just wondering why my original config file: /usr/local/maldetect/conf.maldet is still there, shouldn't it have been overwritten by this modified installer script?
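Two problems in this thread come from the contents of maldetfilelist: Croydon's post above warns that a recursive inotify monitor on /var/www runs into the kernel watch limit, and Ovidiu's output shows a pattern that maldet skips as "ignored invalid path". The script below is an added example (not part of felan's howto, Croydon's installer or maldet itself) that checks a file list before "maldet -m" is started: it expands each pattern the way the shell would, reports patterns that match no directory, counts the directories a recursive inotifywait would have to watch, and compares that count with fs.inotify.max_user_watches (the live kernel value, or a limit passed as the second argument, since maldet raises the sysctl itself when it starts, to 46080 in Ovidiu's run). The function names, the 8192 fallback value and the directory tree built in the test are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of felan's howto, Croydon's installer or maldet:
# pre-flight check for a maldetfilelist before starting "maldet -m".
# Function names and the 8192 fallback below are assumptions.

# expand_filelist FILE
# Expand each pattern in FILE like the shell would and print every matching
# directory, one per line. Patterns that match no directory are reported on
# stderr; maldet logs those as "ignored invalid path" and skips them.
expand_filelist() {
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        case "$pattern" in ''|'#'*) continue ;; esac   # skip blanks/comments
        matched=0
        for dir in $pattern; do                        # unquoted: glob expands
            if [ -d "$dir" ]; then
                printf '%s\n' "$dir"
                matched=1
            fi
        done
        [ "$matched" -eq 1 ] || printf 'no directory matches: %s\n' "$pattern" >&2
    done < "$1"
}

# count_watches FILE
# Number of distinct directories below the matched paths. "inotifywait -r"
# needs one watch per directory, so this is what counts against the limit.
count_watches() {
    expand_filelist "$1" 2>/dev/null | while IFS= read -r dir; do
        find "$dir" -type d
    done | sort -u | wc -l | tr -d ' '
}

# max_user_watches [LIMIT]
# Use the caller-supplied LIMIT if given, else the live kernel value, else
# 8192 (the historic kernel default; an assumption for hosts without /proc).
max_user_watches() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -r /proc/sys/fs/inotify/max_user_watches ]; then
        cat /proc/sys/fs/inotify/max_user_watches
    else
        printf '8192\n'
    fi
}

# preflight FILE [LIMIT]
# Exit status 0 when the directory count fits under the watch limit, 1 when
# the monitor would run out of watches (keep headroom for directories that
# sites create later, e.g. upload and cache folders).
preflight() {
    needed=$(count_watches "$1")
    limit=$(max_user_watches "$2")
    printf 'directories to watch: %s  max_user_watches: %s\n' "$needed" "$limit"
    [ "$needed" -lt "$limit" ]
}

# usage: sh preflight.sh /usr/local/maldetect/maldetfilelist [limit]
if [ "$#" -gt 0 ]; then
    preflight "$1" "${2:-}"
fi
```

Run it as root against the real file list before enabling the monitor in /etc/rc.local; a non-zero exit or any "no directory matches" line means the list (or the sysctl) needs fixing first. Because the patterns are expanded by the shell at check time, a client web space created after the monitor started is not watched until maldet is restarted, which is the same behaviour the glob lines in maldetfilelist have.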

     
  19. Ovidiu

    Ovidiu Active Member

    Another weird issue, the daily maldet cron reports:

    line 28:
     
  20. Ovidiu

    Ovidiu Active Member

    Anyone? any hints?
     