Linux Malware Detect (LMD, or maldet) allows you to easily spot malware within your website files.
Its developer, R-fx Networks, maintains high-quality malware definitions. Whether you suspect malware in your site or intend to tighten your website’s security – Malware Detect is a must-have / must-use piece of software.
Installing Malware Detect (maldet)
Setup GetPageSpeed repository
yum install https://extras.getpagespeed.com/release-latest.rpm
Install Malware Detect
yum install maldet
Upon installing the package, it will immediately download its definition updates.
This will also install a few dependent packages which make scanning more efficient (namely the clamav scanner and inotify-tools).
Use Malware Detect
Scan a directory for malware
Now that Malware Detect is installed, you can scan a directory for malware like this:
maldet --scan-all /var/www
Continuously watch directories for malware
One great feature of Malware Detect is being able to watch an entire directory and scan new or changed files as they appear.
This is especially useful for WordPress websites or other well-known CMSes where each plugin increases the attack surface. If you have a vulnerable plugin and attackers are able to upload malware through it, the uploaded files can be automatically quarantined by Malware Detect.
To set up monitoring, edit /etc/maldet/maldet.conf and uncomment either of the lines:
# default_monitor_mode="users"
# default_monitor_mode="/var/lib/maldet/monitor_paths"
With default_monitor_mode="users" the scanning is most appropriate for cPanel servers, as this will result in continuous watching of files within each directory /home/<username>/public_html.
If you choose default_monitor_mode="/var/lib/maldet/monitor_paths" then you can specify the exact directories you want to be scanned by editing /var/lib/maldet/monitor_paths.
So you can edit /var/lib/maldet/monitor_paths and specify each monitored directory on a new line like this:
/var/www
/some/other/directory
Make sure that the directories you specify actually exist, or else the monitoring service will fail to start.
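Because a single non-existent entry prevents the monitoring service from starting, it is worth checking the list before enabling it. The following is an added example (not part of maldet or of the original post): a small POSIX shell function that reads a monitor_paths-style file, skips blank and commented lines, and reports any entry that is not an existing directory. It is run here against a constructed sample file rather than the real /var/lib/maldet/monitor_paths.

```shell
#!/bin/sh
# Added example: validate a maldet monitor_paths list before starting the service.
# check_monitor_paths FILE
#   Prints each entry that is not an existing directory to stderr.
#   Returns 0 when every entry exists, 1 otherwise.
check_monitor_paths() {
    file="$1"
    missing=0
    # '|| [ -n "$line" ]' also handles a last line without a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if [ ! -d "$line" ]; then
            echo "missing directory: $line" >&2
            missing=1
        fi
    done < "$file"
    return $missing
}

# Constructed sample list (the real file is /var/lib/maldet/monitor_paths):
sample="$(mktemp)"
printf '%s\n' '/tmp' '# a comment line' '/this/path/does/not/exist' > "$sample"

if check_monitor_paths "$sample"; then
    echo "all monitored directories exist; safe to run: systemctl start maldet"
else
    echo "fix the list before starting the maldet service"
fi
rm -f "$sample"
```

Run it as `sh check_monitor_paths.sh` (or point the function at the real file) before `systemctl start maldet`; a non-zero exit means at least one listed path must be created or removed from the list.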
Enable and start malware monitoring
systemctl enable maldet
systemctl start maldet
More Tips
It is important to understand the difference between clamav and clamd. When we installed Malware Detect, clamav was installed as a dependency package. It is meant primarily for one-off scanning and will help to improve the performance of manual Malware Detect scans, e.g. those launched via the --scan-all option.
For continuous file monitoring, you may want to additionally install the clamd package, which contains the scanning daemon. Having it installed as well will make maldet monitoring more efficient, since files can be handed to an already running scanner instead of starting a new scanner process for each check.
Configuring the clamd scanning service will be covered in future posts. Stay tuned!