#1  felan (Junior Member), 30th August 2012, 09:19
Linux Malware Detect on Debian 6 with ISPConfig 3

I just added this system to two production servers and felt like sharing this with the rest of you. The system is pretty good at detecting malware in websites. Hope you will all enjoy it.
-----
To install maldet

1. Install

First we need to install inotify-tools

apt-get install inotify-tools

Now we are ready to install maldetect. Run the following commands.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh


2. Configuring your system.

First we need to modify the main script to work with Debian.

Edit
vi /usr/local/maldetect/maldet

Replace the line that starts with $nice in the main maldet script with the following:
$nice -n $inotify_nice $inotify -r --fromfile $inotify_fpaths $exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> $inotify_log 2>&1 &

Close and save.

Edit
vi /usr/local/maldetect/internals.conf

Find inotify= and change the value to /usr/bin/inotifywait

Next delete inotifywait and libinotifytools.so.0

rm -rf /usr/local/maldetect/inotify/inotifywait
rm -rf /usr/local/maldetect/inotify/libinotifytools.so.0

Next step is to make sure that the cronjob works as it should.

vi /etc/cron.daily/maldet

Comment out
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

This prevents it from upgrading itself. If it does, all the changes we've just made will disappear. It is better to upgrade manually until we get proper Debian support in the package.

Next comment out
/usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1

Add this beneath instead.
# Instead use ISPConfig 3 path var/www
/usr/local/maldetect/maldet -b -r /var/www

Comment out these lines as well, as they are not needed.
if [ -d "/var/www/html" ]; then
/usr/local/maldetect/maldet -b -r /var/www/html 2
fi
if [ -d "/usr/local/apache/htdocs" ]; then
/usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
fi

Save and quit.

If you want to run maldetect as a monitor, type
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist

If you want to run the monitor at boot, we need to add some paths.
Now to add some paths to scan and monitor.

vi /usr/local/maldetect/maldetfilelist

Insert
/var/www/clients

Edit /etc/rc.local
vi /etc/rc.local

Insert
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
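An added example, not part of felan's post: a small audit script that checks whether the Debian-specific edits above are still in place, since the cron self-update mentioned in the post can silently overwrite them. It assumes the file locations from the post (/usr/local/maldetect, /etc/cron.daily/maldet); the demo at the end builds constructed copies of the three files so it runs offline.

```shell
#!/bin/bash
# Added example, not from felan's howto: audit that the Debian-specific edits
# above are still in place. The daily cron's self-update (maldet -d) can
# silently overwrite them, so run this after every manual upgrade too.
# Paths are arguments so the checks also run on constructed copies.

# internals.conf must point inotify= at an existing, executable inotifywait.
check_inotify_path() {            # $1 = internals.conf
  local path
  path=$(sed -n 's/^inotify=//p' "$1" | tail -n 1)
  [ -n "$path" ] && [ -x "$path" ]
}

# The monitor line in maldet must carry a real --format option on the same
# line as --fromfile (copy/paste from the forum tends to mangle the dashes).
check_format_flag() {             # $1 = maldet script
  grep -q -- '--fromfile .*--format "%w%f %e %T"' "$1"
}

# Self-update must be commented out in the daily cron job, and /var/www
# (the ISPConfig docroot) must be scanned instead of /home?/?/public_html.
check_cron() {                    # $1 = cron.daily/maldet
  ! grep -v '^[[:space:]]*#' "$1" | grep -q 'maldet -d' \
    && grep -q '^[[:space:]]*/usr/local/maldetect/maldet -b -r /var/www' "$1"
}

# Run every check against one install tree; one line per check, non-zero
# exit status if any of them failed.
audit_maldet() {                  # $1 = maldet dir, $2 = cron file
  local rc=0
  check_inotify_path "$1/internals.conf" && echo "inotify path: ok" || { echo "inotify path: FAIL"; rc=1; }
  check_format_flag "$1/maldet" && echo "--format flag: ok" || { echo "--format flag: FAIL"; rc=1; }
  check_cron "$2" && echo "cron job: ok" || { echo "cron job: FAIL"; rc=1; }
  return "$rc"
}

# Constructed stand-in for a correctly patched install so the script runs
# offline; on a real server call audit_maldet /usr/local/maldetect /etc/cron.daily/maldet.
demo() {
  local tmp; tmp=$(mktemp -d)
  mkdir -p "$tmp/maldetect"
  printf '#!/bin/sh\n' > "$tmp/inotifywait" && chmod +x "$tmp/inotifywait"
  echo "inotify=$tmp/inotifywait" > "$tmp/maldetect/internals.conf"
  echo '$nice -n $inotify_nice $inotify -r --fromfile $inotify_fpaths $exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> $inotify_log 2>&1 &' > "$tmp/maldetect/maldet"
  printf '#/usr/local/maldetect/maldet -d >> /dev/null 2>&1\n/usr/local/maldetect/maldet -b -r /var/www\n' > "$tmp/cron"
  audit_maldet "$tmp/maldetect" "$tmp/cron"
  rm -rf "$tmp"
}
demo
```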
#2  Croydon (ISPConfig Developer, Koblenz, Germany), 30th August 2012, 10:58

Thanks for this howto.

I would suggest some changes, though.

Instead of changing the cron line, I would simply add the following below the psa check:
Code:
elif [ -d "/usr/local/ispconfig" ]; then
# ispconfig
/usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1
Before you call the install.sh of the maldet software, remove the following line from it:
cp $inspath/inotify/libinotifytools.so.0 /usr/lib/
It should not work anyway, copying this file, as a symlink with this name exists, but who knows... The line exists 2 times in the script.
Marius Cramer

pixcept KG
#3  Croydon (ISPConfig Developer, Koblenz, Germany), 30th August 2012, 12:15

I have written a shell script to take care of most of those things - you can even leave the autoupdate in place, I think, because the maldet file is modified.
Just take care that the shell script stays in the same place as it was on first call, as it is called during the update of maldet.

Code:
#!/bin/bash
# debian-specific installation script by M. Cramer <m.cramer@pixcept.de>
# howto taken from howtoforge written by "felan":
# http://www.howtoforge.com/forums/showthread.php?p=284504
#

CURDIR=`pwd`
PROG=`readlink -f $0`

echo "Installing prerequisites..."
apt-get -y -q install inotify-tools sed

echo "Fetching latest version of maldetect..."
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*

echo "Modifying install script..."
sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh;

echo "Modifying cron job..."
sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
        elif [ -d "/usr/local/ispconfig" ]; then\
                # ispconfig\
                /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' cron.daily;

echo "Modifying maldet script..."
sed -r -i 's/^\$nice .*$/\$nice -n \$inotify_nice \$inotify -r --fromfile \$inotify_fpaths \$exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> \$inotify_log 2>\&1 \&/g' files/maldet;

sed -r -i '/lmdup\(\) \{.*$/ a\
ofile=\$tmpdir/.lmdup_vercheck.\$\$\
tmp_inspath=/usr/local/lmd_update\
rm -rf \$tmp_inspath\
rm -f \$ofile\
\
mkdir -p \$tmp_inspath\
chmod 750 \$tmp_inspath\
\
eout "\{update\} checking for available updates..." 1\
\
\$wget --referer="http://www.rfxn.com/LMD-\$ver" -q -t5 -T5 "\$lmdurl_ver" -O \$ofile >> /dev/null 2>\&1\
if \[ -s "\$ofile" \]; then\
        installed_ver=`echo \$ver | tr -d "."`\
        current_ver=`cat \$ofile | tr -d "."`\
        current_hver=`cat \$ofile`\
        if \[ "\$current_ver" -gt "\$installed_ver" \]; then\
                eout "\{update\} new version \$current_hver found, updating..." 1\
                '"$PROG"'\
        fi\
else\
    echo "no update file found. try again later"\
    exit\
fi\
\
rm -rf \$tmp_inspath \$ofile \$ofile_has\
\
exit;\
# skip all the rest\
' files/maldet;

echo "Modifying config..."
sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf

echo "Deleting unnecessary files..."
rm -f files/inotify/inotifywait
rm -f files/inotify/libinotifytools.so.0

./install.sh

rm -r /tmp/maldetect-*

cd $CURDIR
Then just continue with this part of felan's howto:
Quote:
If you want to run maldetect as a monitor, type
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist

If you want to run the monitor at boot, we need to add some paths.
Now to add some paths to scan and monitor.

vi /usr/local/maldetect/maldetfilelist

Insert
/var/www/clients

Edit /etc/rc.local
vi /etc/rc.local

Insert
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
Marius Cramer

pixcept KG
#4  felan (Junior Member), 30th August 2012, 20:19

That is a pretty nice script, Croydon. Thanks!
#5  concept21 (Senior Member), 3rd September 2012, 09:19

Hi,
If I also run clamav, do I need to install this Malware Detect?
#6  felan (Junior Member), 3rd September 2012, 09:21

Hiya concept21.

If you have a lot of CMS sites and do not have time to check them all on a very regular basis, I would recommend it, since it catches PHP code that is injected into the sites. This is not caught by most virus scanners.
#7  concept21 (Senior Member), 9th September 2012, 20:34

Hi Friends,
Do you think your scripts will work on Ubuntu 10.04 64-bit OS or not? I am very interested in it.
#8  felan (Junior Member), 9th September 2012, 21:07

Without having tested it, I'd say it should.
#9  Croydon (ISPConfig Developer, Koblenz, Germany), 4th October 2012, 19:20

There is one very important thing when using it with ispconfig.

In the file maldet there is a line
users_tot=`cat /etc/passwd | grep -ic home`
this should be changed to
users_tot=`cat /etc/passwd | grep -ic var/www`

Otherwise the maldet inotify monitor will very soon run into trouble because of the watch limit!

You should change the content of the maldetfilelist file from
/var/www
to
/var/www/clients/*/web*/web
/var/www/clients/*/web*/private
at least if you use bind mounts or links inside the /var/www paths.

I modified the installer script to match this.

/tmp/maldetect.sh
Code:
#!/bin/bash
# debian-specific installation script by M. Cramer <m.cramer@pixcept.de>
# howto taken from howtoforge written by "felan":
# http://www.howtoforge.com/forums/showthread.php?p=284504
#

CURDIR=`pwd`
PROG=`readlink -f $0`

echo "Installing prerequisites..."
apt-get -y -q install inotify-tools sed

echo "Fetching latest version of maldetect..."
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*

echo "Modifying install script..."
sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh;

echo "Modifying cron job..."
sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
        elif [ -d "/usr/local/ispconfig" ] || [ -d "/root/ispconfig" ]; then\
                # ispconfig\
                /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' cron.daily;

echo "Modifying maldet script..."
sed -r -i 's/^\$nice .*$/\$nice -n \$inotify_nice \$inotify -r --fromfile \$inotify_fpaths \$exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> \$inotify_log 2>\&1 \&/g' files/maldet;

sed -r -i 's/cat \/etc\/passwd \| grep -ic home/cat \/etc\/passwd \| grep -ic var\/www/g' files/maldet;

sed -r -i '/lmdup\(\) \{.*$/ a\
ofile=\$tmpdir/.lmdup_vercheck.\$\$\
tmp_inspath=/usr/local/lmd_update\
rm -rf \$tmp_inspath\
rm -f \$ofile\
\
mkdir -p \$tmp_inspath\
chmod 750 \$tmp_inspath\
\
eout "\{update\} checking for available updates..." 1\
\
\$wget --referer="http://www.rfxn.com/LMD-\$ver" -q -t5 -T5 "\$lmdurl_ver" -O \$ofile >> /dev/null 2>\&1\
if \[ -s "\$ofile" \]; then\
        installed_ver=`echo \$ver | tr -d "."`\
        current_ver=`cat \$ofile | tr -d "."`\
        current_hver=`cat \$ofile`\
        if \[ "\$current_ver" -gt "\$installed_ver" \]; then\
                eout "\{update\} new version \$current_hver found, updating..." 1\
                '"$PROG"'\
        fi\
else\
    echo "no update file found. try again later"\
    exit\
fi\
\
rm -rf \$tmp_inspath \$ofile \$ofile_has\
\
exit;\
# skip all the rest\
' files/maldet;

echo "Modifying config..."
sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf

echo "Deleting unnecessary files..."
rm -f files/inotify/inotifywait
rm -f files/inotify/libinotifytools.so.0

./install.sh

rm -r /tmp/maldetect-*

echo "/var/www/clients/*/web*/web" > /usr/local/maldetect/maldetfilelist
echo "/var/www/clients/*/web*/private" >> /usr/local/maldetect/maldetfilelist

cd $CURDIR

echo "If you want to run the monitor at boot, we need to add some paths."
echo ""
echo "vi /etc/rc.local"
echo ""
echo "Insert"
echo "/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist "
Marius Cramer

pixcept KG
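An added example, not part of Croydon's installer: a check of the inotify watch budget that the users_tot line above controls. It assumes (verify against your maldet copy) that maldet sets fs.inotify.max_user_watches to users_tot multiplied by inotify_base_watches from internals.conf; the passwd file and the directory tree in demo are constructed so the script runs offline.

```shell
#!/bin/bash
# Added example, not part of Croydon's installer: size the inotify watch budget
# that the users_tot line above controls. Assumption (check your maldet copy):
# maldet sets fs.inotify.max_user_watches to users_tot * inotify_base_watches
# from internals.conf. Every directory below a monitored path costs one watch,
# so a users_tot of 0 (the stock "grep -ic home" on an ISPConfig host) is fatal.

# Count web users the way maldet does; the pattern defaults to the fixed
# "var/www", pass "home" to see what the unpatched line would give.
count_web_users() {        # $1 = passwd-format file, $2 = grep pattern
  grep -ic "${2:-var/www}" "$1" || true
}

# Directories below the monitored paths; each one needs an inotify watch.
count_watched_dirs() {     # $@ = paths from maldetfilelist (globs expanded)
  find "$@" -type d 2>/dev/null | wc -l | tr -d ' '
}

# Compare the budget maldet would configure with what the tree needs and with
# the kernel's current limit. Returns 0 when the budget covers the tree.
# $1 = passwd file, $2 = inotify_base_watches, $3 = current max_user_watches,
# remaining arguments = monitored paths.
check_watch_budget() {
  local passwd=$1 per_user=$2 kernel_max=$3; shift 3
  local users budget needed
  users=$(count_web_users "$passwd")
  budget=$((users * per_user))
  needed=$(count_watched_dirs "$@")
  echo "users_tot=$users budget=$budget directories=$needed kernel_max=$kernel_max"
  if [ "$budget" -lt "$needed" ]; then
    echo "short: fix users_tot or raise inotify_base_watches before starting maldet -m"
    return 1
  fi
  [ "$kernel_max" -ge "$needed" ] || echo "note: kernel limit is below the tree size until maldet raises it"
  return 0
}

# Constructed passwd and /var/www/clients tree so the example runs offline; on a
# real host use /etc/passwd, the internals.conf value,
# /proc/sys/fs/inotify/max_user_watches and the real maldetfilelist globs.
demo() {
  local tmp; tmp=$(mktemp -d)
  printf 'web1:x:5004:5005::/var/www/clients/client1/web1:/bin/false\n' > "$tmp/passwd"
  printf 'web2:x:5005:5005::/var/www/clients/client1/web2:/bin/false\n' >> "$tmp/passwd"
  mkdir -p "$tmp/clients/client1/web1/web/wp-content/uploads" "$tmp/clients/client1/web2/web"
  echo "unpatched users_tot would be $(count_web_users "$tmp/passwd" home)"
  check_watch_budget "$tmp/passwd" 3 8192 "$tmp"/clients/*/web*/web
  rm -rf "$tmp"
}
demo
```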
#10  felan (Junior Member), 4th October 2012, 19:38

Nice, thanks, though now I get a whole lot of "/usr/local/maldetect/maldet: line 213: ed: command not found" when it adds a path to the array...