Linux Malware Detect is a malware detector and scanner for GNU/Linux, designed particularly for shared hosting environments. It is released under the GNU GPLv2 license, and it supports installation on cPanel WHM and GNU/Linux environments concurrently with other detection softwares like ClamAV.
This one is an open source antivirus solution to detect trojans, malware, viruses and other malicious software that supports multiple platforms, including Windows, MacOS, and GNU/Linux.
This tutorials explains how to install LMD and Clam Antivirus on a CentOS 7 server.
Getting started – EPEL repository and Mailx
First of all, install the EPEL repository and
. The last one is a mail processing system, based on Berkeley Mail 8.1, and provides enhanced features for interactive use, such as caching and disconnected operation for IMAP, message threading, scoring, and filtering. It is also usable as a mail batch language, both for sending and receiving mail.
First, install EPEL:
# yum install epel-release
and then Mailx:
# yum install mailx
In this scenario, Mailx will be used by LMD for sending scan reports to your email address.
The package is not available in CentOS or EPEL, so a manual installation is required.
Download LMD and extract it:
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz # tar -xzvf maldetect-current.tar.gz
As root, run the installer script
present in extracted directory:
# cd maldetect-x.x # ./install.sh
Next, make a link to the maldet command in
# ln -s /usr/local/maldetect/maldet /bin/maldet
# hash -r
LMD has been installed into
. In that directory, there is a configuration file – we’re going to modify it:
# $EDITOR /usr/local/maldetect/conf.maldet
Enable email alerts by changing the value to 1 on line 16.
Then, search for the email address line, and modify it as follow:
email_addr="[email protected]" ClamAV clamscan binary will be used as default scan engine; that's because it provides a high-performance scan on large file sets. To allow this, search and edit following line:
Next, it’s possible to enable quarantining to move malware to the quarantine during the scan process. To do this, change the following line:
Next, enable clean based malware injections by changing:
That’s all for LMD configuration.
Now that LMD is correctly installed and configured, let’s install Clam AntiVirus to get the best scanning results. ClamAV is available in the EPEL repository.
So, using yum:
#yum install clamav clamav-devel
After ClamAV has been installed, update the ClamAV virus databases with
Testing LMD and ClamAV
Now it’s possible to test LMD with a manual scan. To accomplish this task, execute
. With this command, scan
In the web root directory, download some sample malware with wget:
# cd /var/www/html # wget http://www.eicar.org/download/eicar.com.txt # wget http://www.eicar.org/download/eicar_com.zip # wget http://www.eicar.org/download/eicarcom2.zip
Next, it’s possible to scan the web root directory, as previously said, with
# maldet -a /var/www/html
During this process, it’s possible to see that LMD is using the ClamAV scanner engine to perform the scan: it will find three malware hits.
Check the report with the following command:
# maldet --report SCANID
SCANID is a numerical value found in the Maldet output.
Next, verify that there is an email containing the report:
# tail -f /var/mail/root
If everything was well configured, that email should contain all the required information.
It’s also possible to acquire a list of all reports:
# maldet -e list
Or “filter” files to scan. For instance, to scan files modified in the last 10 days:
# maldet -r /var/www/html 10
For more information, just call the help with:
# maldet --help
that contains all options recognized by LMD.
There you go! That’s one great way to protect from web server infections on a GNU/Linux system.