Linux Malware Detect on Debian 6 with ISPConfig 3

Discussion in 'Tips/Tricks/Mods' started by felan, Aug 30, 2012.

  1. felan

    felan HowtoForge Supporter

    I just added this system to two production servers and felt like sharing this with the rest of you. THe system is pretty good at detecting malware in websites. Hope you will all enjoy it.
    -----
    To install maldet

    1. Install

    First we need to install inotify-tools

    apt-get install inotify-tools

    Now we are ready to install maldetect. Run the following commands.

    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -xzvf maldetect-current.tar.gz
    cd maldetect-*
    sh install.sh


    2. Configuring your system.

    First we need to modify the main script to work with Debian.

    Edit
    vi /usr/local/maldetect/maldet

    Replace the line that starts with $nice in the main maldet script with the following:
    $nice -n $inotify_nice $inotify -r --fromfile $inotify_fpaths $exclude --timefmt "%d %b %H:%M:%S" –format "%w%f %e %T" -m -e create,move,modify >> $inotify_log 2>&1 &

    Close and save.

    Edit
    vi /usr/local/maldetect/internals.conf

    Find inotify= and change the value to /usr/bin/inotifywait

    Next delete inotifywait and libinotifytools.so.0

    rm -rf /usr/local/maldetect/inotify/inotifywait
    rm -rf /usr/local/maldetect/inotify/libinotifytools.so.0

    Next step is to make sure that the cronjob works as it should.

    vi /etc/cron.daily/maldet

    Comment out
    /usr/local/maldetect/maldet -d >> /dev/null 2>&1

    This prevents it from upgrading itself. If it does, all the changes we've just made, will disapear. It is better to upgrade manually until we get proper debian support in the package.

    Next comment out
    /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1

    Add this beneath instead.
    # Instead use ISPConfig 3 path var/www
    /usr/local/maldetect/maldet -b -r /var/www

    Comment out these lines as well, as they are not needed.
    if [ -d "/var/www/html" ]; then
    /usr/local/maldetect/maldet -b -r /var/www/html 2
    fi
    if [ -d "/usr/local/apache/htdocs" ]; then
    /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
    fi

    Save and quit.

    If you want to run maldetect as a monitor, type
    /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist

    If you want to run the monitor at boot, we need to add some paths.
    Now to add some paths to scan and monitor.

    vi /usr/local/maldetect/maldetfilelist

    Insert
    /var/www/clients

    Edit /etc/rc.local
    vi /etc/rc.local

    Insert
    /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
     
  2. Croydon

    Croydon HowtoForge Supporter

    Thanks for this howto.

    I would suggest some changes, though.

    Instead of changing the cron line I would simply add the following below the psa check
    Code:
    elif [ -d "/usr/local/ispconfig" ]; then
    # ispconfig
    /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1
    Before you call the install.sh of the maldet software remove the following line from it:
    cp $inspath/inotify/libinotifytools.so.0 /usr/lib/
    It should not work anyway copying this file as a symlink with this name exists, but who knows... The line exists 2 times in the script.
     
  3. Croydon

    Croydon HowtoForge Supporter

    I have written a shell script to take care of most of those things - you can even leave the autoupdate in place I think, because the maldet file is modified.
    Just take care that the shell script stays at the same place as it was on first call as it is called during update of maldet.

    Code:
    #!/bin/bash
    # debian-specific installation script by M. Cramer <m.cramer@pixcept.de>
    # howto taken from howtoforge written by "felan":
    # http://www.howtoforge.com/forums/showthread.php?p=284504
    #
    
    CURDIR=`pwd`
    PROG=`readlink -f $0`
    
    echo "Installing prerequisites..."
    apt-get -y -q install inotify-tools sed
    
    echo "Fetching latest version of maldetect..."
    cd /tmp
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -xzf maldetect-current.tar.gz
    cd maldetect-*
    
    echo "Modifying install script..."
    sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh;
    
    echo "Modifying cron job..."
    sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
            elif [ -d "/usr/local/ispconfig" ]; then\
                    # ispconfig\
                    /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' cron.daily;
    
    echo "Modifying maldet script..."
    sed -r -i 's/^\$nice .*$/\$nice -n \$inotify_nice \$inotify -r --fromfile \$inotify_fpaths \$exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> \$inotify_log 2>\&1 \&/g' files/maldet;
    
    sed -r -i '/lmdup\(\) \{.*$/ a\
    ofile=\$tmpdir/.lmdup_vercheck.\$\$\
    tmp_inspath=/usr/local/lmd_update\
    rm -rf \$tmp_inspath\
    rm -f \$ofile\
    \
    mkdir -p \$tmp_inspath\
    chmod 750 \$tmp_inspath\
    \
    eout "\{update\} checking for available updates..." 1\
    \
    \$wget --referer="http://www.rfxn.com/LMD-\$ver" -q -t5 -T5 "\$lmdurl_ver" -O \$ofile >> /dev/null 2>\&1\
    if \[ -s "\$ofile" \]; then\
            installed_ver=`echo \$ver | tr -d "."`\
            current_ver=`cat \$ofile | tr -d "."`\
            current_hver=`cat \$ofile`\
            if \[ "\$current_ver" -gt "\$installed_ver" \]; then\
                    eout "\{update\} new version \$current_hver found, updating..." 1\
                    '"$PROG"'\
            fi\
    else\
        echo "no update file found. try again later"\
        exit\
    fi\
    \
    rm -rf \$tmp_inspath \$ofile \$ofile_has\
    \
    exit;\
    # skip all the rest\
    ' files/maldet;
    
    echo "Modifying config..."
    sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf
    
    echo "Deleting unneccessary files..."
    rm -f files/inotify/inotifywait
    rm -f files/inotify/libinotifytools.so.0
    
    ./install.sh
    
    rm -r /tmp/maldetect-*
    
    cd $CURDIR
    
    Then just continue with this part of felans howto:
     
  4. felan

    felan HowtoForge Supporter

    That is a pretty nice script, Corydon. Thanks!
     
  5. concept21

    concept21 Member

    Hi,
    If I also run clamav, do it need to install this Malware Detect??
     
  6. felan

    felan HowtoForge Supporter

    Hiya concept21.

    If you have a lot of CMS sites and do not have time to check them all on a very regular basis, I would recommend it, since it catches PHP code that is injected in to the sites. This is not caught by most virus scanners.
     
  7. concept21

    concept21 Member

    Hi Friends,
    Do you think whether your scripts will work on Ubuntu 10.04 64 bit OS or not? I am very interested in it. :rolleyes:
     
  8. felan

    felan HowtoForge Supporter

    Without having tested it, I'd say it should.
     
  9. Croydon

    Croydon HowtoForge Supporter

    There is one very important thing when using it with ispconfig.

    In file maldet there is a line
    users_tot=`cat /etc/passwd | grep -ic home`
    this should be changed to
    users_tot=`cat /etc/passwd | grep -ic var/www`

    Otherwise the maldet inotify monitor will very soon run into trouble as of watch limit!

    You should change the content of the maldetfilelist file from
    /var/www
    to
    /var/www/clients/*/web*/web
    /var/www/clients/*/web*/private
    at least if you use bind mounts or links inside the /var/www paths

    I modified the installer script to match this.

    /tmp/maldetect.sh
    Code:
    #!/bin/bash
    # debian-specific installation script by M. Cramer <m.cramer@pixcept.de>
    # howto taken from howtoforge written by "felan":
    # http://www.howtoforge.com/forums/showthread.php?p=284504
    #
    
    CURDIR=`pwd`
    PROG=`readlink -f $0`
    
    echo "Installing prerequisites..."
    apt-get -y -q install inotify-tools sed
    
    echo "Fetching latest version of maldetect..."
    cd /tmp
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -xzf maldetect-current.tar.gz
    cd maldetect-*
    
    echo "Modifying install script..."
    sed -r -i 's/^(.*cp.*\/libinotifytools.so\.0[ ]+\/usr\/lib\/.*)$/#\1/g' install.sh;
    
    echo "Modifying cron job..."
    sed -r -i '/maldet.*\/var\/www\/vhosts\/\?\/subdomains\/\?\/httpdocs.*$/ a\
            elif [ -d "/usr/local/ispconfig" || -d "/root/ispconfig" ]; then\
                    # ispconfig\
                    /usr/local/maldetect/maldet -b -r /var/www 2 >> /dev/null 2>&1' cron.daily;
    
    echo "Modifying maldet script..."
    sed -r -i 's/^\$nice .*$/\$nice -n \$inotify_nice \$inotify -r --fromfile \$inotify_fpaths \$exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> \$inotify_log 2>\&1 \&/g' files/maldet;
    
    sed -r -i 's/cat \/etc\/passwd \| grep -ic home/cat \/etc\/passwd \| grep -ic var\/www/g' files/maldet;
    
    sed -r -i '/lmdup\(\) \{.*$/ a\
    ofile=\$tmpdir/.lmdup_vercheck.\$\$\
    tmp_inspath=/usr/local/lmd_update\
    rm -rf \$tmp_inspath\
    rm -f \$ofile\
    \
    mkdir -p \$tmp_inspath\
    chmod 750 \$tmp_inspath\
    \
    eout "\{update\} checking for available updates..." 1\
    \
    \$wget --referer="http://www.rfxn.com/LMD-\$ver" -q -t5 -T5 "\$lmdurl_ver" -O \$ofile >> /dev/null 2>\&1\
    if \[ -s "\$ofile" \]; then\
            installed_ver=`echo \$ver | tr -d "."`\
            current_ver=`cat \$ofile | tr -d "."`\
            current_hver=`cat \$ofile`\
            if \[ "\$current_ver" -gt "\$installed_ver" \]; then\
                    eout "\{update\} new version \$current_hver found, updating..." 1\
                    '"$PROG"'\
            fi\
    else\
        echo "no update file found. try again later"\
        exit\
    fi\
    \
    rm -rf \$tmp_inspath \$ofile \$ofile_has\
    \
    exit;\
    # skip all the rest\
    ' files/maldet;
    
    echo "Modifying config..."
    sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf
    
    echo "Deleting unneccessary files..."
    rm -f files/inotify/inotifywait
    rm -f files/inotify/libinotifytools.so.0
    
    ./install.sh
    
    rm -r /tmp/maldetect-*
    
    echo "/var/www/clients/*/web*/web" > /usr/local/maldetect/maldetfilelist
    echo "/var/www/clients/*/web*/private" >> /usr/local/maldetect/maldetfilelist
    
    cd $CURDIR
    
    echo "If you want to run the monitor at boot, we need to add some paths."
    echo ""
    echo "vi /etc/rc.local"
    echo ""
    echo "Insert"
    echo "/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist "
     
  10. felan

    felan HowtoForge Supporter

    Nice thanks, though now I get a whole lot of /usr/local/maldetect/maldet: line 213: ed: command not found when it adds a path to the array...
     
  11. Croydon

    Croydon HowtoForge Supporter

    Install the "ed" package ;)
     
  12. felan

    felan HowtoForge Supporter

    Doh! Thanks, had overlooked that one...
     
  13. concept21

    concept21 Member

    HI,
    I have installed rootkit hunter. Do I still need this MalDetect?
     
  14. felan

    felan HowtoForge Supporter

    I would say yes. Rootkit hunter checks your system for rootkits, where maldet checks websites for PHP based malware.
     
  15. concept21

    concept21 Member

    HI,
    I have got this error in /usr/local/maldetect/inotify/inotify_log. How to correct it??

    My OS is Ubuntu 10.04 64 bit. Thanks.



    The '--filename' option no longer exists. The option it enabled in earlier
    versions of inotifywait is now turned on by default.
     
  16. falko

    falko Super Moderator

    Just leave that option out. It is now enabled by default.
     
  17. concept21

    concept21 Member

    I have searched the main script file maldetect for the word "filename" but nothing is found.
     
  18. Ovidiu

    Ovidiu Active Member

    Hi there,

    I've run this maldet.sh install script and everything seems fine except that when I run:
    Code:
    /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist 
    I get:
    Code:
    oot@h2118175:~# /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
    Linux Malware Detect v1.4.1
                (C) 2002-2011, R-fx Networks <proj@r-fx.org>
                (C) 2011, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(7733): {mon} set inotify max_user_instances to 128
    maldet(7733): {mon} set inotify max_user_watches to 46080
    [COLOR="Red"]/usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.7733: No such file or directory
    [/COLOR]maldet(7733): {mon} added /var/www/clients/client2/web1/web to inotify monitoring array
    [COLOR="red"]maldet(7733): {mon} ignored invalid path /var/www/clients/*/web*/private[/COLOR]
    maldet(7733): {mon} starting inotify process on 1 paths, this might take awhile...
    [COLOR="red"]maldet(7733): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.[/COLOR]
    So something isn't right here yet.

    The log file says:

    Code:
    root@h2118175:~# cat /usr/local/maldetect/inotify/inotify_log 
    /usr/bin/inotifywait: error while loading shared libraries: libinotifytools.so.0: wrong ELF class: ELFCLASS32
    Any idea what could be wrong? Running this on Debian Squeeze. Btw. I had installed this before, as per the original from the author and since I couldn't get the monitor to work I had given up. Just wondering why my original config file: /usr/local/maldetect/conf.maldet is still there, shouldn't it have been overwritten by this modified installer script?

     
  19. Ovidiu

    Ovidiu Active Member

    Another weird issue, the daily maldet cron reports:

    line 28:
     
  20. Ovidiu

    Ovidiu Active Member

    Anyone? any hints?
     

Share This Page