If you are running a server OR cloud VPS system then you know how important it is to protect your server. There are malicious ‘folk’ always trying to hack into your server. If they are successful then they most probably will add in malware and in more serious cases viruses.

The good news is you can add a Linux server malware scanner to your system fairly easily and quickly. You can install Linux Malware Detect (LMD) which is licensed under the GNU GPLv2 license. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV.It’s free and simple to use. You need to have root SSH access in order to complete this.

Installing LMD is a very easy process, lets get right into it. login to SSH (you can use Putty for this)

Step 1 – Download Linux Server Malware Scanner

Go to the following path via SSH:

cd /usr/local/src/

You then need to download the latest version of Linux Server Malware Scanner:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

After this you need to extract the compressed files so you can install and use them

tar xfz maldetect-current.tar.gz

Step 2 – Install Linux Server Malware scanner

Navigate to the newly created folder

cd maldetect-*

Installing Linux server malware scanner

./install.sh OR sh ./install.sh OR sudo sh ./install.sh

Once this is complete your SSH screen will show you output that is similar too

Linux Malware Detect v1.3.4 (C) 1999-2010, R-fx Networks <proj@r-fx.org> (C) 2010, Ryan MacDonald <ryan@r-fx.org> inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au> This program may be freely redistributed under the terms of the GNU GPL installation completed to /usr/local/maldetect config file: /usr/local/maldetect/conf.maldet exec file: /usr/local/maldetect/maldet exec link: /usr/local/sbin/maldet cron.daily: /etc/cron.daily/maldet maldet(35517): {sigup} performing signature update check... maldet(35517): {sigup} local signature set is version 2010051510029 maldet(35517): {sigup} latest signature set already installed

Thats it. Its now fully installed. you can now configure some additional settings to your specific requirements.

Step 3 – Configure Linux Malware Server Scanner

By default all options are already setup. They are also fully commented in the provided configuration file. You can customise and configure the file according to your specific needs. Before making any changes to the LMD file let’s quickly look at the options avalible:

email_alert : If you need to receive email alerts, then this option should be set to 1. email_subj : Set your email subject here in this line. email_addr : Enter your specific email address to receive malware alerts on this line. quar_hits : The default quarantine action for any malware hits, we recommend that it should be set 1. quar_clean : The action to be taken for cleaning detected malware injections, this is highly recommended to be set to 1.

There are a few other options but the most basic and simple ones that you need are stated above. So to make the changes according to your needs navigate to file /usr/local/maldetect/conf.maldet

nano /usr/local/maldetect/conf.maldet

To update the Linux Server Malware Scanner you can use the commands below.

maldet –update-ver maldet –update maldet -u or maldet -d

Step 4 – using Linux Server Malware Scanner (LMD)

The usage of LMD is very simple and there is a detailed –help output that provides common usage examples, we strongly recommend you check the –help output and spend a few minutes reviewing it.

The first thing most users are looking to do when they get LMD installed is to scan a certain path or series of paths. An important note is that LMD uses the ‘?’ character for wildcards instead of the ‘*’ char. In the below examples I will be using the long form flags but they are interchangeable with the short form flags (i.e: –scan-recent = -r).

If we wanted to scan all user public_html paths under /home*/ this can be done with:

maldet --scan-all /home?/?/public_html

If you wanted to scan the same path but scope it to content that has been created/modified in the last 5 days you would run:

maldet --scan-recent /home?/?/public_html 2

If you performed a scan but forget to turn on the quarantine option, you could quarantine all malware results from a previous scan with:

maldet --quarantine SCANID

Similarly to the above, if you wanted to attempt a clean on all malware results from a previous scan that did not have the feature enabled, you would do so with:

maldet --clean SCANID

If you had a file that was quarantined from a false positive or that you simply want to restore (i.e: you manually cleaned it), you can use the following:

maldet --restore config.php.2664 maldet --restore /usr/local/maldetect/quarantine/config.php.2664

Once again, we strongly encourage you to fully review the –help output for details on all options and the README file for more details on how Linux server malware scanner (LMD) works.