Linux Malware Detect on Debian 6 with ISPConfig 3

Discussion in 'Tips/Tricks/Mods' started by felan, Aug 30, 2012.

  1. concept21

    concept21 Member

    Did you see the first post's date and my last post's date? :rolleyes:
     
  2. dayjahone

    dayjahone Member

    Thanks for the reply, but I'm still confused. I tried doing a straight install with no modification and I get this:

    Code:
    :~/maldetect-1.4.2# /usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
    Linux Malware Detect v1.4.2
                (C) 2002-2013, R-fx Networks <[email protected]>
                (C) 2013, Ryan MacDonald <[email protected]>
    inotifywait (C) 2007, Rohan McGovern <[email protected]>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(27746): {mon} set inotify max_user_instances to 128
    maldet(27746): {mon} set inotify max_user_watches to 30720
    maldet(27746): {mon} no valid option or invalid file/path provided, aborting.
     
  3. Ovidiu

    Ovidiu Active Member

    @concept21: who're you talking to? Not getting your comment...

    @dayjahone:
    - does this file exist? => /usr/local/maldetect/maldetfilelist
    - if yes, open it and check the path, do they look ok?
    - how about you simply follow the isntallation instructions again, same error?
     
  4. dayjahone

    dayjahone Member

    @concept21: /usr/local/maldetect/maldetfilelist exists, but the only thing in it is
    I went to that file and see a list of all the clients.

    I tried to do a fresh install. When I do the install script now, I get the following error:

    Code:
    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet
    
    install.sh: line 72: .: .ca.def: file not found
    I powered through and am not sure if the inotify line should be
    or
    I left out the $inspath

    When I run it, I get the following:

    Code:
    maldet(11141): {mon} set inotify max_user_instances to 128
    maldet(11141): {mon} set inotify max_user_watches to 30720
    /usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.11141: No such file or directory
    maldet(11141): {mon} added /var/www/clients to inotify monitoring array
    maldet(11141): {mon} starting inotify process on 1 paths, this might take awhile...
    maldet(11141): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
     
  5. concept21

    concept21 Member

    It uses its own inotify:
    /usr/local/maldetect/inotify/


    In my case, maldect v1.4.2 is fully compatible with Ubuntu 10.04 amd64. Here is its daily cron task record, no more modification is needed. :)
     

    Attached Files:

  6. Ovidiu

    Ovidiu Active Member

    Weird, this is the only changelog of this year:
    Going to give the original version another try on Debian Wheezy now :)

    ###edit###
    Just realized the last change was 2013 so not sure why anyone claims things have changed?Can anyone clarify what new version you guys are talking about?
     
    Last edited: Nov 23, 2014
  7. concept21

    concept21 Member


    When your installation completes, please contact me for donation account number. I need some $ these days. :)
     
  8. Ovidiu

    Ovidiu Active Member

    @concept21: I think maldet had its own inotify for some time, when this thread started: 30th August 2012, 10:19 one of the changes that this script introduces is to delete the built-in inotify and set the path to the system inotify:


    And what about the other changes for Debian and ISPCFG3 fixes, i.e.

     
  9. concept21

    concept21 Member

    If you modify the daily cron maldet script, it will be overwritten everytime Maldet is updated or upgraded.

    Instead, you can create a link from /usr/local/apache/htdocs/ to var/www or to any web you like. My maldet daily cron log mentioned above shows it works. :cool:
     

    Attached Files:

  10. dayjahone

    dayjahone Member

    @concept21: do you know what I did wrong? I followed all of the instructions in the initial post. Now I get the following:

    Code:
    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet
    
    install.sh: line 72: .: .ca.def: file not found
     
  11. DDArt

    DDArt Member

    I know this is an old post and I have been using maldet for awhile now but after going through some folder I was surprised to find more than I thought.

    Remember that maldet will throw out a lot of false positive and you need to check it manually. There are quite few wordpress scripts out there or addons to work with PNG Base64 for display, resize and misc. That'll throw a false positive. I ended up reversing it what it has found.

    A shocker was for me was because scanning /var/www/*/web/ -- I had my ISP3 partial quarantined, files such as: dbispconfig.sql, mlocate.db.

    So to avoid the proper way was to use /var/www/clients/* instead of /var/www/?/web/
    Hope this sheds some light on this otherwise you can end up with a broken control panel.
     
  12. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    I would not recommend using automatic quarantining. That feature is way too dangerous because of a lot false positives in general. Just enable email reports and check the hits manually. To be honest, I do not use maldet anymore on most servers. I use some third-party-signatures, some own signatures and then run clamav checks.
     
  13. Ovidiu

    Ovidiu Active Member

    @Croydon - I had been using it until now, just about to move servers, would you mind sharing your new solution?
     
  14. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    I have switched to ispprotect.com (an ISPConfig service) so I do not have to care about :)
     
  15. Ovidiu

    Ovidiu Active Member

    :) very nice service, I didn't know they were offering that. Are there any screenshots available anywhere? Do you have a GUI or do you simply install an agent for them and that's it for you?
     
  16. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    You install an agent on the server that communicates via api.
    There's no gui currently, so I have no screenshots, but this is a sample e-mail that is sent:
    or
     
  17. Ovidiu

    Ovidiu Active Member

    very cool, I'm impressed about the 2nd one, that's impressive that they scan for that kind of vulnerability. Curious what the technology behind it is :)
     
  18. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    It's just a list maintained by them of important vulnerabilites of widely used plugins and web software.
     
  19. Ovidiu

    Ovidiu Active Member

    I edited your script in one place and it looks like its still working with maldet 1.5.0:
    Code:
    sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals.conf
    change to
    Code:
    sed -r -i 's/^inotify=.*$/inotify=\/usr\/bin\/inotifywait/g' files/internals/internals.conf
     
  20. Ovidiu

    Ovidiu Active Member

    hm, noticed that everytime I run your script, my old config gets reset but there is a /usr/local/maldet.last which is a symlink to an older version so not sure why my config gets reset :-(
     

Share This Page