
How to detect and clean malware from your Linux server using Maldet

What is Malware?

Malware is the short form of Malicious Software. Any software that is introduced into your system/server with the malicious intent of disrupting the smooth operation of your server, to collect sensitive private information or to gain access to your system is malware.

How can you recognize the presence of malware?

You may not recognize for a long time that there is malware on your system. Sometimes your readers will report a warning from their anti-virus software like this.

Sometimes, Google Webmasters or Bing Webmasters will report it.

Either way, when you are alerted of malware, the first step would be to secure your system. Cleaning up may be futile if your system is not secure. So, secure first. Take backups of your files and databases. Change all passwords and then go on to cleaning the system of malware.

Most importantly, you need not wait for a malware attack before reacting. Set up malware scanning as a regular, proactive check so that infections are caught as early as possible.

Linux Malware Detect (LMD)

Linux Malware Detect (LMD), popularly known as Maldet is an open-source malware scanner for Linux released under the GNU GPLv2 license. It is designed around the threats faced in shared hosted environments. Install, configure and run this free software to detect and clean malware on your system.

Install maldet and configure

Installation

Login as root or an account with root permissions into your server.

The source code of the current stable version of LMD (maldet) is available as a tar ball from rfxn.com. Download it.

    sudo wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Unpack the tar ball.

    sudo tar -xvf maldetect-current.tar.gz

After this, list the files to see the directory in which it is installed. The directory is usually of the format maldetect-x.y.z where x.y.z is the version number. Change to this directory.

    cd maldetect-1.5

Check if the install.sh script is there and run it.

    sudo ./install.sh

The installation is complete.

Configuration

For configuring maldet, the configuration file at /usr/local/maldetect/conf.maldet has to be edited.

Open it with a text editor.

The following are some of the common options that you may want to set.

If you want to be alerted of the presence of malware by mail, set the following options.

  • email_alert : If you want to get email alerts whenever a suspicious file is detected, then it should be set to 1.
  • email_addr : The email address to which alerts should be sent. This is used in conjunction with the email_alert option.
  • email_ignore_clean : When malware alerts have been automatically cleaned (check the next two options), ignore sending email alerts. This is disabled by default. Set it to 1 to enable it, if you have set up an automated daily scan that detects and cleans the hits and you do not want to be alerted of these by mail.

What action should be taken on the affected files? The following options can be set to quarantine (to move the affected files to a secure location where they cannot produce any harm) the files.

  • quarantine_hits : The default value is 0. Set this to 1 so that the affected files will be moved to quarantine.
  • quarantine_clean : The default value is 0. This is used when quarantine_hits is set to 1. Do you want the system to further clean the files? Set this to 1 if you want the system to try to clean the malware injections. Keep this as zero if you want to inspect before cleaning.

In a multi-user environment, the following options may be useful.

  • quarantine_suspend_user : By default, this is disabled and set to 0. If you set this to 1, the accounts of users who have hits will be suspended. For this to work, quarantine_hits should be 1.
  • quarantine_suspend_user_minuid : The minimum user id which can be suspended. This is set to 500 by default.
  • inotify_minuid : The minimum user id above which users need to be monitored. The default value is 500 (more details here).
  • inotify_docroot : The web directory relative to the home directory of users. By default, it is set to public_html. If this is set, only this web directory will be monitored.

Save and close the configuration file.
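The options above can also be applied from a script, which is handy when you set up several servers the same way. The following POSIX shell helper is an added example and is not part of the original tutorial or of LMD itself; it assumes conf.maldet stores each option as a key="value" line, and MALDET_CONF is a variable introduced here so the functions can be exercised on a copy of the file.

```shell
#!/bin/sh
# Idempotent editing of maldet's conf.maldet. Each option is assumed to be a
# line of the form  key="value"  so the line is rewritten in place; appending
# a second copy would let whichever line comes last silently win.
# MALDET_CONF defaults to the path the tutorial edits and can be overridden.
MALDET_CONF="${MALDET_CONF:-/usr/local/maldetect/conf.maldet}"

# get_maldet_option KEY -> prints the current value with quotes stripped
get_maldet_option() {
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" \
        "$MALDET_CONF" | tail -n 1
}

# set_maldet_option KEY VALUE -> rewrites key="value" if the key exists,
# appends it otherwise. A temp file + mv keeps it portable (no sed -i).
set_maldet_option() {
    key="$1"; val="$2"
    tmp="$MALDET_CONF.tmp.$$"
    if grep -q "^[[:space:]]*$key=" "$MALDET_CONF"; then
        sed "s|^[[:space:]]*$key=.*|$key=\"$val\"|" "$MALDET_CONF" > "$tmp"
    else
        cat "$MALDET_CONF" > "$tmp"
        printf '%s="%s"\n' "$key" "$val" >> "$tmp"
    fi
    mv "$tmp" "$MALDET_CONF"
}

# apply_alert_and_quarantine_settings EMAIL -> the settings discussed above:
# mail alerts on, hits moved to quarantine, automatic cleaning left off so
# quarantined files can be inspected before anything is changed.
apply_alert_and_quarantine_settings() {
    set_maldet_option email_alert 1
    set_maldet_option email_addr "$1"
    set_maldet_option quarantine_hits 1
    set_maldet_option quarantine_clean 0
}
```

Run `apply_alert_and_quarantine_settings you@example.com` as root to apply the settings, then `get_maldet_option quarantine_hits` to confirm the file reads back as expected.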

Scanning and its options

A basic scan

For a basic scan, run maldet with the --scan-all option with a path as an argument. It first builds a list of files in all the directories and sub-directories in that path. Then it scans through all the files and gives the number of hits. It also gives a report which you can view to inspect the files that are suspicious. Make sure that you give the full path and not the relative path.

    sudo maldet --scan-all /home/username/public_html/

A note of caution, though. The setting scan_ignore_root in the configuration file is set to 1 by default. This causes files owned by root to be left out of the file list that maldet builds. The default is faster, but it assumes that your root password has not been compromised and that no malware has been injected into root-owned files. Change this setting to 0 if you want root-owned files to be scanned as well. This will slow down the scan, so use it judiciously.

You can view the files that are affected by opening the report file mentioned.

Quarantine affected files

When quarantine_hits is set to 1, maldet not only scans for malware, but also moves the hits to a quarantine so that your users do not have access to these files. So, your malware scan may produce results as below. In this case, quarantine_clean is set to 0.

If you view the report, you can see the affected files and their quarantine location. You can inspect the files and then decide on whether you want to clean them.

If you performed a scan with the quarantine_hits set to 0, you need not set it to 1 and redo the scan (as shown above). Instead, you could quarantine all malware results from the previous scan with

    sudo maldet --quarantine SCANID

Quarantine and clean affected files

When quarantine_clean is set to 1, in addition to moving the affected files to quarantine, maldet also tries to clean them.

If you did a scan with the quarantine_hits or quarantine_clean set to 0, you can do a clean with the following option.

    sudo maldet --clean SCANID

Restore a file

If you want to restore a file which was wrongly tagged as malicious and quarantined, or if you have manually cleaned the file and want it back in its proper location, run

    sudo maldet --restore FILENAME

Alternatively, give the complete path of the quarantined file.

    sudo maldet --restore /usr/local/maldetect/quarantine/FILENAME

Wildcard scan

You can also use wildcards in your scan path. ? is the wildcard character.

    sudo maldet --scan-all /home/?/public_html/

This would check all directories inside /home and if any of them had a public_html sub-directory, then that directory will be scanned completely.

Recent scan

If you want to scan the same path as a previous scan, but only those files created or modified in the recent past, run maldet with the --scan-recent option and the number of days n.

    sudo maldet --scan-recent /home/username/public_html/ 7

A weekly incremental check can be done by doing such a recent scan for 7 days.

Automate periodic scan

You can automate daily scans using the cronjob feature. During installation, LMD installs a cronjob at /etc/cron.daily/maldet.

This cronjob (an automated job that runs periodically) will update signatures, add new malware threats to its registry and perform a daily scan of all the home directories and recent changes on the server. Whenever it detects malware, it will notify you at the mail address specified in the configuration.

Monitor mode

The inotify monitor can be used to watch users in real time for file creation, modification or movement. Monitoring can be done with one or more of the three options available:

Monitor users

The users option takes the home directories of all users in the system whose uid is greater than inotify_minuid and monitors them. If inotify_docroot is set, only the users' web directory (where it exists) will be monitored.

    sudo maldet --monitor users

Monitor paths

Alternatively, you can monitor paths. Give a comma-separated list of paths with the --monitor option.

    sudo maldet --monitor PATH1,PATH2,...PATHN

For example,

    sudo maldet --monitor /tmp,/home,/var

Monitor files

If you have concerns about specific files, you can monitor specific files by giving a comma-separated list of files.

    sudo maldet --monitor FILE1,FILE2,...FILEN

Exclude files or paths

Certain paths or files can be excluded from scan, by using the ignore files.

Add files or paths to be excluded (one per line) from daily scan in /usr/local/maldetect/ignore_paths

Add signatures to be excluded (one per line) from daily scan in /usr/local/maldetect/ignore_sigs

Add files or paths to be excluded from inotify monitoring (one per line) in /usr/local/maldetect/ignore_inotify.

Add the extensions of file types that you want to exclude from daily scans (one per line) in /usr/local/maldetect/ignore_file_ext. Sample entries in the file could be

    .png
    .jpg

Check out more options like running maldet in the background and other finer settings by using the help option.

    sudo maldet --help

If you run a self-hosted website, at some point it is possible for malicious hackers to inject malware into your system. Before that happens, secure your system and install maldet to stay ahead of such attacks.

(For the purpose of this tutorial, Ubuntu version 14.04 and maldet version 1.5 were used)
