Linux Malware Detect on Debian 6 with ISPConfig 3

[felan]

I just added this system to two production servers and felt like sharing this with the rest of you. THe system is pretty good at detecting malware in websites. Hope you will all enjoy it.
-----
To install maldet

1. Install

First we need to install inotify-tools

apt-get install inotify-tools

Now we are ready to install maldetect. Run the following commands.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh


2. Configuring your system.

First we need to modify the main script to work with Debian.

Edit
vi /usr/local/maldetect/maldet

Replace the line that starts with $nice in the main maldet script with the following:
$nice -n $inotify_nice $inotify -r --fromfile $inotify_fpaths $exclude --timefmt "%d %b %H:%M:%S" –format "%w%f %e %T" -m -e create,move,modify >> $inotify_log 2>&1 &

Close and save.

Edit
vi /usr/local/maldetect/internals.conf

Find inotify= and change the value to /usr/bin/inotifywait

Next delete inotifywait and libinotifytools.so.0

rm -rf /usr/local/maldetect/inotify/inotifywait
rm -rf /usr/local/maldetect/inotify/libinotifytools.so.0

Next step is to make sure that the cronjob works as it should.

vi /etc/cron.daily/maldet

Comment out
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

This prevents it from upgrading itself. If it does, all the changes we've just made, will disapear. It is better to upgrade manually until we get proper debian support in the package.

Next comment out
/usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1

Add this beneath instead.
# Instead use ISPConfig 3 path var/www
/usr/local/maldetect/maldet -b -r /var/www

Comment out these lines as well, as they are not needed.
if [ -d "/var/www/html" ]; then
/usr/local/maldetect/maldet -b -r /var/www/html 2
fi
if [ -d "/usr/local/apache/htdocs" ]; then
/usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
fi

Save and quit.

If you want to run maldetect as a monitor, type
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist

If you want to run the monitor at boot, we need to add some paths.
Now to add some paths to scan and monitor.

vi /usr/local/maldetect/maldetfilelist

Insert
/var/www/clients

Edit /etc/rc.local
vi /etc/rc.local

Insert
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist

[Croydon]

Thanks for this howto.

I would suggest some changes, though.

Instead of changing the cron line I would simply add the following below the psa check

Code:

elif [ -d "/usr/local/ispconfig" ]; then
# ispconfig
/usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1

Before you call the install.sh of the maldet software remove the following line from it:
cp $inspath/inotify/libinotifytools.so.0 /usr/lib/
It should not work anyway copying this file as a symlink with this name exists, but who knows... The line exists 2 times in the script.

[Croydon]

I have written a shell script to take care of most of those things - you can even leave the autoupdate in place I think, because the maldet file is modified.
Just take care that the shell script stays at the same place as it was on first call as it is called during update of maldet.

Code:

#!/bin/bash
# debian-specific installation script by M. Cramer <m.cramer@pixcept.de>
# howto taken from howtoforge written by "felan":
# http://www.howtoforge.com/forums/showthread.php?p=284504
#

CURDIR=`pwd`
PROG=`readlink -f $0`

echo "Installing prerequisites..."
apt-get -y -q install inotify-tools sed

echo "Fetching latest version of maldetect..."
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*

echo "Modifying install script..."
sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh;

echo "Modifying cron job..."
sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
        elif [ -d "/usr/local/ispconfig" ]; then\
                # ispconfig\
                /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' cron.daily;

echo "Modifying maldet script..."
sed -r -i 's/^\$nice .*$/\$nice -n \$inotify_nice \$inotify -r --fromfile \$inotify_fpaths \$exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> \$inotify_log 2>\&1 \&/g' files/maldet;

sed -r -i '/lmdup\(\) \{.*$/ a\
ofile=\$tmpdir/.lmdup_vercheck.\$\$\
tmp_inspath=/usr/local/lmd_update\
rm -rf \$tmp_inspath\
rm -f \$ofile\
\
mkdir -p \$tmp_inspath\
chmod 750 \$tmp_inspath\
\
eout "\{update\} checking for available updates..." 1\
\
\$wget --referer="http://www.rfxn.com/LMD-\$ver" -q -t5 -T5 "\$lmdurl_ver" -O \$ofile >> /dev/null 2>\&1\
if \[ -s "\$ofile" \]; then\
        installed_ver=`echo \$ver | tr -d "."`\
        current_ver=`cat \$ofile | tr -d "."`\
        current_hver=`cat \$ofile`\
        if \[ "\$current_ver" -gt "\$installed_ver" \]; then\
                eout "\{update\} new version \$current_hver found, updating..." 1\
                '"$PROG"'\
        fi\
else\
    echo "no update file found. try again later"\
    exit\
fi\
\
rm -rf \$tmp_inspath \$ofile \$ofile_has\
\
exit;\
# skip all the rest\
' files/maldet;

echo "Modifying config..."
sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf

echo "Deleting unneccessary files..."
rm -f files/inotify/inotifywait
rm -f files/inotify/libinotifytools.so.0

./install.sh

rm -r /tmp/maldetect-*

cd $CURDIR

Then just continue with this part of felans howto:

Quote:

If you want to run maldetect as a monitor, type
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist

If you want to run the monitor at boot, we need to add some paths.
Now to add some paths to scan and monitor.

vi /usr/local/maldetect/maldetfilelist

Insert
/var/www/clients

Edit /etc/rc.local
vi /etc/rc.local

Insert
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist

[felan]

That is a pretty nice script, Corydon. Thanks!

[concept21]

Hi,
If I also run clamav, do it need to install this Malware Detect??

[felan]

Hiya concept21.

If you have a lot of CMS sites and do not have time to check them all on a very regular basis, I would recommend it, since it catches PHP code that is injected in to the sites. This is not caught by most virus scanners.

[concept21]

Hi Friends,
Do you think whether your scripts will work on Ubuntu 10.04 64 bit OS or not? I am very interested in it.

[felan]

Without having tested it, I'd say it should.

[Croydon]

There is one very important thing when using it with ispconfig.

In file maldet there is a line
users_tot=`cat /etc/passwd | grep -ic home`
this should be changed to
users_tot=`cat /etc/passwd | grep -ic var/www`

Otherwise the maldet inotify monitor will very soon run into trouble as of watch limit!

You should change the content of the maldetfilelist file from
/var/www
to
/var/www/clients/*/web*/web
/var/www/clients/*/web*/private
at least if you use bind mounts or links inside the /var/www paths

I modified the installer script to match this.

/tmp/maldetect.sh

Code:

#!/bin/bash
# debian-specific installation script by M. Cramer <m.cramer@pixcept.de>
# howto taken from howtoforge written by "felan":
# http://www.howtoforge.com/forums/showthread.php?p=284504
#

CURDIR=`pwd`
PROG=`readlink -f $0`

echo "Installing prerequisites..."
apt-get -y -q install inotify-tools sed

echo "Fetching latest version of maldetect..."
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*

echo "Modifying install script..."
sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh;

echo "Modifying cron job..."
sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
        elif [ -d "/usr/local/ispconfig" || -d "/root/ispconfig" ]; then\
                # ispconfig\
                /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' cron.daily;

echo "Modifying maldet script..."
sed -r -i 's/^\$nice .*$/\$nice -n \$inotify_nice \$inotify -r --fromfile \$inotify_fpaths \$exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> \$inotify_log 2>\&1 \&/g' files/maldet;

sed -r -i 's/cat \/etc\/passwd \| grep -ic home/cat \/etc\/passwd \| grep -ic var\/www/g' files/maldet;

sed -r -i '/lmdup\(\) \{.*$/ a\
ofile=\$tmpdir/.lmdup_vercheck.\$\$\
tmp_inspath=/usr/local/lmd_update\
rm -rf \$tmp_inspath\
rm -f \$ofile\
\
mkdir -p \$tmp_inspath\
chmod 750 \$tmp_inspath\
\
eout "\{update\} checking for available updates..." 1\
\
\$wget --referer="http://www.rfxn.com/LMD-\$ver" -q -t5 -T5 "\$lmdurl_ver" -O \$ofile >> /dev/null 2>\&1\
if \[ -s "\$ofile" \]; then\
        installed_ver=`echo \$ver | tr -d "."`\
        current_ver=`cat \$ofile | tr -d "."`\
        current_hver=`cat \$ofile`\
        if \[ "\$current_ver" -gt "\$installed_ver" \]; then\
                eout "\{update\} new version \$current_hver found, updating..." 1\
                '"$PROG"'\
        fi\
else\
    echo "no update file found. try again later"\
    exit\
fi\
\
rm -rf \$tmp_inspath \$ofile \$ofile_has\
\
exit;\
# skip all the rest\
' files/maldet;

echo "Modifying config..."
sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf

echo "Deleting unneccessary files..."
rm -f files/inotify/inotifywait
rm -f files/inotify/libinotifytools.so.0

./install.sh

rm -r /tmp/maldetect-*

echo "/var/www/clients/*/web*/web" > /usr/local/maldetect/maldetfilelist
echo "/var/www/clients/*/web*/private" >> /usr/local/maldetect/maldetfilelist

cd $CURDIR

echo "If you want to run the monitor at boot, we need to add some paths."
echo ""
echo "vi /etc/rc.local"
echo ""
echo "Insert"
echo "/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist "

[felan]

Nice thanks, though now I get a whole lot of /usr/local/maldetect/maldet: line 213: ed: command not found when it adds a path to the array...