#18
18th January 2013, 23:37
Ovidiu
Senior Member
Join Date: Sep 2005
Posts: 1,257

Hi there,

I've run this maldet.sh install script and everything seems fine except that when I run:
Code:
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
I get:
Code:
root@h2118175:~# /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <proj@r-fx.org>
            (C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7733): {mon} set inotify max_user_instances to 128
maldet(7733): {mon} set inotify max_user_watches to 46080
/usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.7733: No such file or directory
maldet(7733): {mon} added /var/www/clients/client2/web1/web to inotify monitoring array
maldet(7733): {mon} ignored invalid path /var/www/clients/*/web*/private
maldet(7733): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(7733): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
So something isn't right here yet.

The log file says:

Code:
root@h2118175:~# cat /usr/local/maldetect/inotify/inotify_log 
/usr/bin/inotifywait: error while loading shared libraries: libinotifytools.so.0: wrong ELF class: ELFCLASS32
Any idea what could be wrong? Running this on Debian Squeeze. Btw, I had installed this before, as per the original from the author, and since I couldn't get the monitor to work I had given up. Just wondering why my original config file, /usr/local/maldetect/conf.maldet, is still there; shouldn't it have been overwritten by this modified installer script?

Quote:
Originally Posted by Croydon
There is one very important thing when using it with ispconfig.

In file maldet there is a line
users_tot=`cat /etc/passwd | grep -ic home`
this should be changed to
users_tot=`cat /etc/passwd | grep -ic var/www`

Otherwise the maldet inotify monitor will very soon run into trouble because of the watch limit!

You should change the content of the maldetfilelist file from
/var/www
to
/var/www/clients/*/web*/web
/var/www/clients/*/web*/private
at least if you use bind mounts or links inside the /var/www paths

I modified the installer script to match this.

/tmp/maldetect.sh
Code:
#!/bin/bash
# debian-specific installation script by M. Cramer <m.cramer@pixcept.de>
# howto taken from howtoforge written by "felan":
# http://www.howtoforge.com/forums/showthread.php?p=284504
#

CURDIR=`pwd`
# absolute path of this script; maldet's patched update routine re-runs it
PROG=`readlink -f "$0"`

echo "Installing prerequisites..."
apt-get -y -q install inotify-tools sed

echo "Fetching latest version of maldetect..."
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*

echo "Modifying install script..."
sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh;

echo "Modifying cron job..."
# append an ISPConfig branch after the Plesk line in cron.daily
# (|| is not valid inside a single [ ] test, so use two tests)
sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
        elif [ -d "/usr/local/ispconfig" ] || [ -d "/root/ispconfig" ]; then\
                # ispconfig: scan files changed in the last 2 days\
                /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' cron.daily;

echo "Modifying maldet script..."
sed -r -i 's/^\$nice .*$/\$nice -n \$inotify_nice \$inotify -r --fromfile \$inotify_fpaths \$exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> \$inotify_log 2>\&1 \&/g' files/maldet;

sed -r -i 's/cat \/etc\/passwd \| grep -ic home/cat \/etc\/passwd \| grep -ic var\/www/g' files/maldet;

sed -r -i '/lmdup\(\) \{.*$/ a\
ofile=\$tmpdir/.lmdup_vercheck.\$\$\
tmp_inspath=/usr/local/lmd_update\
rm -rf \$tmp_inspath\
rm -f \$ofile\
\
mkdir -p \$tmp_inspath\
chmod 750 \$tmp_inspath\
\
eout "\{update\} checking for available updates..." 1\
\
\$wget --referer="http://www.rfxn.com/LMD-\$ver" -q -t5 -T5 "\$lmdurl_ver" -O \$ofile >> /dev/null 2>\&1\
if \[ -s "\$ofile" \]; then\
        installed_ver=`echo \$ver | tr -d "."`\
        current_ver=`cat \$ofile | tr -d "."`\
        current_hver=`cat \$ofile`\
        if \[ "\$current_ver" -gt "\$installed_ver" \]; then\
                eout "\{update\} new version \$current_hver found, updating..." 1\
                '"$PROG"'\
        fi\
else\
    echo "no update file found. try again later"\
    exit\
fi\
\
rm -rf \$tmp_inspath \$ofile \$ofile_has\
\
exit;\
# skip all the rest\
' files/maldet;

echo "Modifying config..."
sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf

echo "Deleting unnecessary files..."
rm -f files/inotify/inotifywait
rm -f files/inotify/libinotifytools.so.0

./install.sh

rm -r /tmp/maldetect-*

echo "/var/www/clients/*/web*/web" > /usr/local/maldetect/maldetfilelist
echo "/var/www/clients/*/web*/private" >> /usr/local/maldetect/maldetfilelist

cd "$CURDIR"

echo "If you want to run the monitor at boot, we need to add some paths."
echo ""
echo "vi /etc/rc.local"
echo ""
echo "Insert"
echo "/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist "
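Two pre-install checks for the problems this thread turns on, written here as an added example (editor's code, not from the thread or from the maldetect project): the "wrong ELF class: ELFCLASS32" error in the inotify_log comes from the 32-bit inotifywait and libinotifytools.so.0 bundled in the tarball being loaded on a 64-bit system, and Croydon's users_tot change matters because maldet derives its inotify watch limits from a count of users, which `grep -ic home` undercounts when ISPConfig keeps the web users under /var/www. The script reads the EI_CLASS byte of each bundled file and counts passwd entries by home-directory prefix. The bundled file names are taken from the installer above; the passwd contents and ELF headers in the demo are constructed, and the mapping from `uname -m` to a word size is an assumption that covers the common architectures.

```shell
#!/bin/sh
# Added example, not from the thread or the maldetect project.
# Two pre-install checks for the problems discussed above:
#  - ELFCLASS32 mismatch: the tarball bundles a 32-bit inotifywait and
#    libinotifytools.so.0; on a 64-bit system the loader rejects them.
#  - users_tot: maldet derives its inotify watch limits from a user count;
#    with ISPConfig the web users' home directories are under /var/www,
#    so counting "home" undercounts them.

# Print the ELF class (32 or 64) of file $1 by reading EI_CLASS at offset 4.
# Prints "none" and returns 1 when the file is not an ELF object.
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo none
        return 1
    fi
    case "$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')" in
        01) echo 32 ;;
        02) echo 64 ;;
        *)  echo none; return 1 ;;
    esac
}

# Word size of the running system (assumption: uname -m is enough here).
system_class() {
    case "$(uname -m)" in
        x86_64|amd64|aarch64|arm64|ppc64*|s390x|riscv64) echo 64 ;;
        *) echo 32 ;;
    esac
}

# Check the bundled inotify files in an unpacked maldetect tree ($1).
# Prints one line per file present; returns 1 if any class differs from the system's.
check_bundle() {
    rc=0
    sys=$(system_class)
    for f in "$1/files/inotify/inotifywait" "$1/files/inotify/libinotifytools.so.0"; do
        [ -f "$f" ] || continue
        cls=$(elf_class "$f" || true)
        if [ "$cls" = "$sys" ]; then
            echo "ok   $f is ${cls}-bit"
        else
            echo "BAD  $f is ${cls}-bit, system is ${sys}-bit (use the distro inotify-tools instead)"
            rc=1
        fi
    done
    return $rc
}

# Count passwd entries in file $1 whose home directory (field 6) starts with $2.
# This is the quantity that `grep -ic home` / `grep -ic var/www` in maldet approximate.
count_users_under() {
    awk -F: -v p="$2" 'index($6, p) == 1 { n++ } END { print n + 0 }' "$1"
}

# Demo on constructed data (fake ELF headers, fake passwd); touches nothing system-wide.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/files/inotify"
    # Constructed headers: ELF magic, EI_CLASS=1 (32-bit), then padding bytes.
    printf '\177ELF\001\001\001\000' > "$tmp/files/inotify/inotifywait"
    printf '\177ELF\001\001\001\000' > "$tmp/files/inotify/libinotifytools.so.0"
    # Constructed passwd: two ISPConfig web users under /var/www, one user under /home.
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
web1:x:5004:5005::/var/www/clients/client1/web1:/bin/false
web2:x:5005:5006::/var/www/clients/client2/web2:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    check_bundle "$tmp" || echo "bundled inotify files would fail to load on this system"
    echo "users under /home:    $(count_users_under "$tmp/passwd" /home)"
    echo "users under /var/www: $(count_users_under "$tmp/passwd" /var/www)"
    if [ -r /proc/sys/fs/inotify/max_user_watches ]; then
        echo "current fs.inotify.max_user_watches: $(cat /proc/sys/fs/inotify/max_user_watches)"
    fi
    rm -rf "$tmp"
}

demo
```

Run `check_bundle /tmp/maldetect-1.4.1` (or whichever directory the tarball unpacked into) before `./install.sh`; a BAD line for either file is exactly the case where the installer's step of commenting out the libinotifytools.so.0 copy and pointing `inotify=` at /usr/bin/inotifywait is needed. On a 64-bit host the bundled files report 32-bit, matching the ELFCLASS32 message in the log above.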