Linux Malware Detect on Debian 6 with ISPConfig 3

[Ovidiu]

Just wanted to ad that the problem disappeared once I did a clean re-install so it was most probably my mistake although I can't say what exactly it was. Nothing wrong with the script Croydon posted, it works flawless.

[Ovidiu]

Here comes another question:

I just got a report by the daily maldet run that informed me about 2 infected and quarantined files. Now I am wondering why the files have not been picked up by the monitor? maldet IS running as a monitor...

Shouldn't maldet running as monitor with inotify send me emails when an infection was found?

[Ovidiu]

Ok, I'll try my luck again even though it seems nobody is reading this thread anymore :-)

I got it all working just fine with one exception:

Every 1-2 days I find that maldet is no longer running in monitor mode. The inotify process is still there but maldet died. I then have to kill the inotify proces, restart maldet in monitor mode.
No idea why, nothing in my logs, anyone else seen this behavior?

[Tozz]

Despite the great effors in this thread (it solved my initial inotify troubles), using inotify to monitor malware isn't very usefull on bigger installations.

We have about 500 websites per server, and I found it to be impossible to use inotify to watch that many files. If seems /proc/sys/fs/inotify/max_user_watches has an upper limit, so when you set that to an insane limit it is ignored.

From what I found on Google max_user_watches is a regular int, so max_user_watches is limited to MAX_INT. There are plans to change this to a long, but from what I found that is not yet implemented in recent kernels.

[Tozz]

Quote:

Originally Posted by Ovidiu

Here comes another question:

I just got a report by the daily maldet run that informed me about 2 infected and quarantined files. Now I am wondering why the files have not been picked up by the monitor? maldet IS running as a monitor...

Shouldn't maldet running as monitor with inotify send me emails when an infection was found?

No, maldet monitor doesn't e-mail you immediatly. Instead the detection is logged, which is then e-mailed when /etc/cron.daily/maldet is ran. The cron script checks if a monitor is running and then runs maldet --report-daily.

[Ovidiu]

Quote:

Originally Posted by Tozz

No, maldet monitor doesn't e-mail you immediatly. Instead the detection is logged, which is then e-mailed when /etc/cron.daily/maldet is ran. The cron script checks if a monitor is running and then runs maldet --report-daily.

not happening for me :-(

[Tozz]

Quote:

Originally Posted by Ovidiu

not happening for me :-(

Do you have email_alert set to 1 in conf.maldet?

[Ovidiu]

Yes I have.

=>

Quote:

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert="1"

# The subject line for email alerts
email_subj="maldet alert from h2118175.stratoserver.net"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="ovidiu@pacura.ru"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean="0"