Posted: May 14th, 2016
Linux Malware Detect (LMD), also known as Maldet, is a malware scanner for Linux released under the GNU GPLv2 license. It is particularly effective for the detection of php backdoors, darkmailers and many other malicious files that can be uploaded on a compromised website. It will help you do detect infected websites and clean the infection, however securing the compromised user or website is still necessary to avoid re-infection.
If the server has cPanel , we recommend you install ClamAV first, as maldet will use the ClamAV scan engine. ClamAV installation instructions are available here.
You will need to be logged in as root to the server over SSH.
1) Install maldet
cd /usr/local/src/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz && tar -xzvf maldetect-current.tar.gz && cd maldetect-* && sh install.sh
This will automatically install a cronjob inside /etc/cron.daily/maldet so a daily scan will be run for local cPanel or Plesk accounts.
2) Make sure to update to the latest version and virus signatures:
maldet -d && maldet -u
3) Run the first scan manually
To scan a specific user's home directory, run the following command:
maldet -a /home/user
To launch a background scan for all user's public_html and public_ftp in all home directories, run the following command:
maldet -b --scan-all /home?/?/public_?
(We also recommend you to scan /tmp and /dev/shm/)
4) Verify the scan report
We recommend you to always read the scan reports before doing a quarantine. You will also be able to identify infected websites for further actions.
List all scan reports time and SCANID:
maldet --report list
Show a specific report details :
maldet --report SCANID
Show all scan details from log file:
grep "{scan}" /usr/local/maldetect/event_log
5) Clean the malicious files
By default the quarantine is disabled. You will have to launch it manually.
maldet -q SCANID
6) (optional) Automatically quarantine detected malware
Please review these configuration variables in /usr/local/maldetect/conf.maldet
variable value description
quar_hits number if the number is different than 0, enables automatic quarantine
7) (optional) Configure scan reports e-mail alerts
Maldet can send you and email alert each time it detects malware. Please review these configuration variables in /usr/local/maldetect/conf.maldet
variable value description
email_alert 1 or 0 enable or disable e-mail alerts
email_addr e-mail address target e-mail for notifications, should be put in quotes like: "myuser@mydomain.com"
More information is available: /usr/local/maldetect/conf.maldet or https://www.rfxn.com/projects/linux-malware-detect/