19th January 2013, 00:37
Ovidiu

Hi there,

I've run this install script and everything seems fine except that when I run:
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
I get:
root@h2118175:~# /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <>
            (C) 2011, Ryan MacDonald <>
inotifywait (C) 2007, Rohan McGovern <>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7733): {mon} set inotify max_user_instances to 128
maldet(7733): {mon} set inotify max_user_watches to 46080
/usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.7733: No such file or directory
maldet(7733): {mon} added /var/www/clients/client2/web1/web to inotify monitoring array
maldet(7733): {mon} ignored invalid path /var/www/clients/*/web*/private
maldet(7733): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(7733): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
So something isn't right here yet.

The log file says:

root@h2118175:~# cat /usr/local/maldetect/inotify/inotify_log 
/usr/bin/inotifywait: error while loading shared libraries: wrong ELF class: ELFCLASS32
Any idea what could be wrong? I'm running this on Debian Squeeze. By the way, I had installed this before, as per the original from the author, and since I couldn't get the monitor to work I had given up. I'm just wondering why my original config file, /usr/local/maldetect/conf.maldet, is still there. Shouldn't it have been overwritten by this modified installer script?

Originally Posted by Croydon
There is one very important thing when using it with ispconfig.

In file maldet there is a line
users_tot=`cat /etc/passwd | grep -ic home`
this should be changed to
users_tot=`cat /etc/passwd | grep -ic var/www`

Otherwise the maldet inotify monitor will very soon run into trouble as of watch limit!

You should change the content of the maldetfilelist file from
at least if you use bind mounts or links inside the /var/www paths

I modified the installer script to match this.

# debian-specific installation script by M. Cramer <>
# howto taken from howtoforge written by "felan":

PROG=`readlink -f $0`

echo "Installing prerequisites..."
apt-get -y -q install inotify-tools sed

echo "Fetching latest version of maldetect..."
cd /tmp
tar -xzf maldetect-current.tar.gz
cd maldetect-*

echo "Modifying install script..."
sed -r -i 's/^(.*cp.*\/\.0[ ]+\/usr\/lib\/.*)$/#\1/g';

echo "Modifying cron job..."
sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
        elif [ -d "/usr/local/ispconfig" ] || [ -d "/root/ispconfig" ]; then\
                # ispconfig\
                /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' cron.daily;

echo "Modifying maldet script..."
sed -r -i 's/^\$nice .*$/\$nice -n \$inotify_nice \$inotify -r --fromfile \$inotify_fpaths \$exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> \$inotify_log 2>\&1 \&/g' files/maldet;

sed -r -i 's/cat \/etc\/passwd \| grep -ic home/cat \/etc\/passwd \| grep -ic var\/www/g' files/maldet;

sed -r -i '/lmdup\(\) \{.*$/ a\
rm -rf \$tmp_inspath\
rm -f \$ofile\
mkdir -p \$tmp_inspath\
chmod 750 \$tmp_inspath\
eout "\{update\} checking for available updates..." 1\
\$wget --referer="\$ver" -q -t5 -T5 "\$lmdurl_ver" -O \$ofile >> /dev/null 2>\&1\
if \[ -s "\$ofile" \]; then\
        installed_ver=`echo \$ver | tr -d "."`\
        current_ver=`cat \$ofile | tr -d "."`\
        current_hver=`cat \$ofile`\
        if \[ "\$current_ver" -gt "\$installed_ver" \]; then\
                eout "\{update\} new version \$current_hver found, updating..." 1\
    echo "no update file found. try again later"\
rm -rf \$tmp_inspath \$ofile \$ofile_has\
# skip all the rest\
' files/maldet;

echo "Modifying config..."
sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf

echo "Deleting unnecessary files..."
rm -f files/inotify/inotifywait
rm -f files/inotify/


rm -r /tmp/maldetect-*

echo "/var/www/clients/*/web*/web" > /usr/local/maldetect/maldetfilelist
echo "/var/www/clients/*/web*/private" >> /usr/local/maldetect/maldetfilelist


echo "If you want to run the monitor at boot, we need to add some paths."
echo ""
echo "vi /etc/rc.local"
echo ""
echo "Insert"
echo "/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist "
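The dynamic loader prints "wrong ELF class: ELFCLASS32" when a 64-bit process is handed a 32-bit ELF object. The following diagnostic is an added example, not part of the original post or of maldet: it reads the EI_CLASS byte of an ELF header and lists libraries whose class differs from the binary's. The function names and the /usr/lib glob in the usage comment are assumptions.

```bash
#!/bin/bash
# Added example: helper names are hypothetical, not part of maldet.

# elf_class FILE: print ELF32 or ELF64 from the file's e_ident header.
elf_class() {
    local f=$1 magic class
    [ -f "$f" ] && [ -r "$f" ] || { echo "UNREADABLE"; return 1; }
    # Bytes 0-3 hold the magic 7f 45 4c 46 ("\x7fELF").
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "NOT_ELF"; return 1; }
    # Byte 4 is EI_CLASS: 01 = 32-bit (ELFCLASS32), 02 = 64-bit (ELFCLASS64).
    class=$(head -c 5 "$f" | tail -c 1 | od -An -tx1 | tr -d ' \n')
    case "$class" in
        01) echo "ELF32" ;;
        02) echo "ELF64" ;;
        *)  echo "UNKNOWN"; return 1 ;;
    esac
}

# class_mismatches BINARY LIB...: print every LIB whose class differs from
# BINARY's. Returns 0 if none differ, 1 if any do, 2 if BINARY is not ELF.
class_mismatches() {
    local bin=$1 want got lib rc=0
    want=$(elf_class "$bin") || { echo "$bin: $want"; return 2; }
    shift
    for lib in "$@"; do
        # Skip unexpanded globs, linker scripts and other non-ELF files.
        got=$(elf_class "$lib") || continue
        if [ "$got" != "$want" ]; then
            echo "$lib: $got (binary is $want)"
            rc=1
        fi
    done
    return $rc
}

# Usage (the library glob is an assumption; pass whatever paths you suspect):
#   class_mismatches /usr/bin/inotifywait /usr/lib/*.so*
if [ "$#" -ge 2 ]; then
    class_mismatches "$@"
fi
```

Any library it prints is a candidate for the object the loader rejected; check which package, if any, owns that file before removing it.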