Linux Malware Detect - antivirus for web servers

The Internet is not the same as before - there are enemies around. The topic of detecting a direct infection of the site and searching for malicious / infected scripts on the hacked site is poorly considered, let's try to fix it.
So, we present to your attention Linux Malware Detect.

Linux Malware Detect (LMD) is a Linux scanner designed to search for web shells, spam bots, trojans, malicious scripts and other typical threats specific to web spaces and is especially relevant for virtual shared hosting platforms. The main difference from other Linux antiviruses is its web orientation, scanning of website files, because ordinary antiviruses focus on more global threats at the system level.

What can

  • Search for threats using the MD5 database and recognizing the type of threat (for example, php.cmdshell.nan.296.HEX) using the HEX database.
  • Statistical analysis of files for the presence of obfuscated malware and injections.
  • Detection of the installed ClamAV system for use as a scanner.
  • Manual and automatic (crown) signature updates.
  • Manual and automatic update of the version of the script itself.
  • Ability to scan recently added / modified files (for example, in the last 2 days).
  • Option to upload detected potential threats to the official website for analysis.
  • Reporting system.
  • Cleaning files from malicious injections.
  • Cron blanks to run regular scans of userspace or other directories.
  • Exception sets for extensions, signatures, and paths.
  • Ability to send scan results to e-mail.
  • Real-time monitoring of created / modified / modified files with inotify_watch: monitoring of selected users, directories or files.
  • … etc.

How it works

Scanning occurs using your own grep-based script, and if ClamAV is installed on the system, then using clamscan. Similarly with signatures: the program has its own signature base; if ClamAV is installed in the system, it also uses its base.

Signature Sources:

  1. Network data slice. The LMD developer is a hosting administrator for 35,000 sites, the data is analyzed and processed daily. The main source of signatures.
  2. Community data collected from anti-malware sites.
  3. ClamAV, Signature Interchange.
  4. Data sent by users.

Signatures are updated almost daily, an RSS feed with signature updates is available on the official website.

Scan results are saved to a file, and can also be sent to the e-mail specified in the config. Integration with popular control panels, alas, no, if you are a hoster, you will have to manually send messages to clients.

Integration with the popular ISPmanager and Cpanel panels would be a good contribution to the community (this is in case anyone wants it).

What does it give

  • Allows you to monitor the security of your sites on VDS and DS.
  • Hosters - daily scanning and sending alerts to customers will increase customer loyalty, which are often very far from coding knowledge and security basics.
  • If your site or the client’s site is hacked, you will know about it either immediately (if real-time monitoring is enabled), or during the period selected for cron-scanning. After all, “warned means armed”: infected sites most often become sources of spamming with all the consequences (for example, IP blacklisting in DNSBL).

Typical Detection Examples

The scan report is as follows:
malware detect scan report for servername:
SCAN ID: 090913-1000.17637
TIME: Sep 9 16:04:40 +0300
PATH: /var/www
RANGE: 2 days

{HEX}php.cmdshell.unclassed.344 : www/user1/data/www/
{HEX}php.cmdshell.cih.215 : /var/www/user1/data/www/
{CAV}PHP.Trojan.Spambot : www/user1/data/www/
{HEX}php.nested.base64.513 : /var/www/user1/data/www/
{HEX}base64.inject.unclassed.6 : /var/www/user1/data/www/ 
{HEX}gzbase64.inject.unclassed.14 : /var/www/user1/data/director/



tar -zxvf maldetect-current.tar.gz

We start the installation:
sh ./

When you run, the installer places the LMD files in / usr / local / maldetect, puts the executable script in / usr / local / sbin, and in / usr / lib.

During the installation, daily crown jobs are automatically created to update signatures and start scanning. By default, the configuration contains typical paths for scanning webspaces of popular control panels, such as ensim, psa, DirectAdmin, cpanel, interworx and default apache paths for hosting sites (/ var / www / html, / usr / local / apache / htdocs). For ISPmanager, the path / var / www / will have to be added manually.


The LMD config is located in the /usr/local/maldetect/conf.maldet file.
The config is well documented and allows you to configure whatever your heart desires.

On a note:

ionice -c 3 added to the script launch lines for searching and scanning files will help prevent the load on the disk subsystem by setting the lowest priority i / o.

In the file / usr / local / maldetect / maldet
we find:

change to:
find="ionice -c 3 $find"

we find:

change to:
clamscan="ionice -c 3  $clamscan"

It is worth noting that this solution is a kind of “crutch”, this option should be added to the upstream.

Typical teams

We start scanning the specified directory:
# maldet -a /home/user1/

At the end we get a result of the form:
maldet(24128): {scan} scan completed on files 4, malware hits 0, cleaned hits 0
maldet(24128): {scan} scan report saved, to view run: maldet --report 091713-1715.24128

We look at the report:
#maldet --report 091713-1715.24128

Force updating the database with
#maldet -u

Force update from
#maldet -d

We scan all files changed in the last X days (in this case 2) in the specified directory
#maldet -r /home/user1/ 2

We send an unknown vulnerability to
#maldet -c /home/user1/file.php

Quarantine SCANID scan results (id from scan results)
#maldet -q 091713-1715.24128

Trying to clear scan results
#maldet -n, --clean 091713-1715.24128

The program is licensed under the GNU GPLv2.
Official project page: Linux Malware Detect.

I have experience in using and customizing, I will be happy to answer all questions in the comments.