Thanks for the reply, but I'm still confused. I tried doing a straight install with no modification and I get this:
Code:
:~/maldetect-1.4.2# /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(27746): {mon} set inotify max_user_instances to 128
maldet(27746): {mon} set inotify max_user_watches to 30720
maldet(27746): {mon} no valid option or invalid file/path provided, aborting.
@concept21: who are you talking to? Not getting your comment...
@dayjahone:
- does this file exist? => /usr/local/maldetect/maldetfilelist
- if yes, open it and check the paths, do they look OK?
- how about you simply follow the installation instructions again, same error?
@concept21: /usr/local/maldetect/maldetfilelist exists, but the only thing in it is
I went to that file and see a list of all the clients. I tried to do a fresh install. When I do the install script now, I get the following error:
Code:
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
install.sh: line 72: .: .ca.def: file not found
I powered through and am not sure if the inotify line should be or I left out the $inspath. When I run it, I get the following:
Code:
maldet(11141): {mon} set inotify max_user_instances to 128
maldet(11141): {mon} set inotify max_user_watches to 30720
/usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.11141: No such file or directory
maldet(11141): {mon} added /var/www/clients to inotify monitoring array
maldet(11141): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(11141): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
It uses its own inotify: /usr/local/maldetect/inotify/ In my case, maldet v1.4.2 is fully compatible with Ubuntu 10.04 amd64. Here is its daily cron task record; no more modification is needed.
Weird, this is the only changelog of this year: Going to give the original version another try on Debian Wheezy now
###edit### Just realized the last change was 2013, so not sure why anyone claims things have changed? Can anyone clarify what new version you guys are talking about?
When your installation completes, please contact me for donation account number. I need some $ these days.
@concept21: I think maldet had its own inotify for some time, when this thread started: 30th August 2012, 10:19 one of the changes that this script introduces is to delete the built-in inotify and set the path to the system inotify: And what about the other changes for Debian and ISPCFG3 fixes, i.e.
If you modify the daily cron maldet script, it will be overwritten every time Maldet is updated or upgraded. Instead, you can create a link from /usr/local/apache/htdocs/ to /var/www or to any web you like. My maldet daily cron log mentioned above shows it works.
@concept21: do you know what I did wrong? I followed all of the instructions in the initial post. Now I get the following:
Code:
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
install.sh: line 72: .: .ca.def: file not found
I know this is an old post and I have been using maldet for a while now, but after going through some folders I was surprised to find more than I thought. Remember that maldet will throw out a lot of false positives and you need to check them manually. There are quite a few WordPress scripts or addons out there that work with PNG Base64 for display, resize and misc. That'll throw a false positive. I ended up reversing what it had found. A shocker for me was that, because I was scanning /var/www/*/web/, I had my ISP3 partially quarantined, files such as: dbispconfig.sql, mlocate.db. So to avoid that, the proper way was to use /var/www/clients/* instead of /var/www/?/web/. Hope this sheds some light on this, otherwise you can end up with a broken control panel.
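The two path problems raised in this thread, the "no valid option or invalid file/path provided" abort when the list given to maldet -m contains a bad entry, and the advice above to monitor /var/www/clients/* rather than /var/www/*/web/, can be handled by generating and checking the list file before starting the monitor. The following is an added shell example, not code from the thread or from maldet itself; the base directory and list path are parameters so it can be tried on a constructed tree, and the directory names used in the demo are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from maldet.
# Builds the path list handed to "maldet -m <listfile>" from the client
# directories under a base such as /var/www/clients, one existing directory
# per line, and checks every entry exists so maldet does not abort on a bad path.

# Write one existing client directory per line to $2; print how many were written.
write_monitor_list() {
    base="$1"   # e.g. /var/www/clients
    out="$2"    # e.g. /usr/local/maldetect/maldetfilelist
    : > "$out"
    count=0
    for entry in "$base"/*; do
        [ -d "$entry" ] || continue      # skip stray files (dumps, logs) in the base
        printf '%s\n' "$entry" >> "$out"
        count=$((count + 1))
    done
    echo "$count"
}

# Return 0 when every non-empty line of the list names an existing path, 1 otherwise.
check_monitor_list() {
    status=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "invalid path in list: $path" >&2
            status=1
        fi
    done < "$1"
    return $status
}

# Demo on a constructed tree: two client dirs plus a stray SQL dump that must be skipped.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/clients/client1/web" "$demo_root/clients/client2/web"
: > "$demo_root/clients/dbispconfig.sql"
write_monitor_list "$demo_root/clients" "$demo_root/maldetfilelist" >/dev/null
check_monitor_list "$demo_root/maldetfilelist" && cat "$demo_root/maldetfilelist"
```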
I would not recommend using automatic quarantining. That feature is way too dangerous because of a lot of false positives in general. Just enable email reports and check the hits manually. To be honest, I do not use maldet anymore on most servers. I use some third-party signatures, some of my own signatures and then run clamav checks.
@Croydon - I had been using it until now, just about to move servers, would you mind sharing your new solution?
Very nice service, I didn't know they were offering that. Are there any screenshots available anywhere? Do you have a GUI or do you simply install an agent for them and that's it for you?
You install an agent on the server that communicates via an API. There's no GUI currently, so I have no screenshots, but this is a sample e-mail that is sent: or
Very cool, I'm impressed by the 2nd one; it's impressive that they scan for that kind of vulnerability. Curious what the technology behind it is.
It's just a list maintained by them of important vulnerabilities of widely used plugins and web software.
I edited your script in one place and it looks like it's still working with maldet 1.5.0:
Code:
sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf
change to
Code:
sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals/internals.conf
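Since the location of internals.conf moved between 1.4.2 (files/internals.conf) and 1.5.0 (files/internals/internals.conf), the sed line can be wrapped in a function that finds the file in either place before rewriting the inotify= setting. The following is an added shell example, not the thread's script or maldet's own code; it assumes the file contains a line starting with inotify=, and the sample line written in the demo is a constructed stand-in for the shipped file.

```shell
#!/bin/sh
# Added example, not the thread's script or maldet's own code.
# Points maldet's internals.conf at the system inotifywait, locating the file
# wherever the release keeps it: files/internals/internals.conf (1.5.0) or
# files/internals.conf (1.4.2). Writes through a temp file instead of sed -i
# so any POSIX sed works. Prints the patched file; returns 1 if none was found.
patch_inotify_path() {
    src="$1"                                   # unpacked maldetect source tree
    inotify_bin="${2:-/usr/bin/inotifywait}"   # system inotifywait binary
    conf=""
    for candidate in "$src/files/internals/internals.conf" "$src/files/internals.conf"; do
        if [ -f "$candidate" ]; then
            conf="$candidate"
            break
        fi
    done
    if [ -z "$conf" ]; then
        echo "no internals.conf found under $src" >&2
        return 1
    fi
    # '|' as the sed delimiter, so the binary path needs no escaping.
    sed "s|^inotify=.*$|inotify=$inotify_bin|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    echo "$conf"
}

# Print the current inotify= value of an internals.conf, with any quotes stripped.
inotify_setting() {
    sed -n 's/^inotify=//p' "$1" | tr -d '"'
}

# Demo on a constructed 1.5.0-style tree (constructed sample line, not a real install).
demo=$(mktemp -d)
mkdir -p "$demo/files/internals"
printf 'inotify="$inspath/inotify/inotifywait"\n' > "$demo/files/internals/internals.conf"
patched=$(patch_inotify_path "$demo" /usr/bin/inotifywait)
echo "$patched now has inotify=$(inotify_setting "$patched")"
```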
hm, noticed that every time I run your script my old config gets reset, but there is a /usr/local/maldet.last which is a symlink to an older version, so not sure why my config gets reset :-(