R-fx Networks

LMD 1.3.7: Milestones, Fixes & Signature Updates

by on Nov. 27, 2010, under Development

Today marks the release of LMD 1.3.7, which is a minor release update that fixes a few bugs and is also the final 1.x release before version 2.0 as described in the LMD: one year later blog post. The bug list for LMD has remained very small over the last 6 months and this release reflects that by fixing the current outstanding bugs.

Changes 1.3.6 => 1.3.7:
[Fix] package ownership at some point got set to uid 501 instead of root
[Fix] daily cronjob now checks ps output for inotifywait proc instead of pidof
[Fix] monitor mode users would exit prematurely if a user home path did not exist
[Fix] a file hijacking race condition existed with quarantine mode restore function
[Fix] inotify max_user_instances value was being set to a value that would cause inotifywait to fail

Thanks go out to Mark McKinstry of Nexcess.net for assistance tracking down and fixing the issue where inotifywait reported on some systems that inotify support did not exist in the kernel when it actually did; the cause was the value maldet was setting for inotify max_user_instances. Thanks also go out to Jeff Patersen from webhostsecurity.com for identifying and bringing the file hijacking race condition to my attention. This issue had the potential, under certain circumstances, to allow a user to gain access to root-owned files in user-readable paths. These fixes on their own are reason enough for all users to update; the -d|--update-ver command switches will take care of all update business for users, so there is no reason not to update (i.e. # maldet -d).
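The inotifywait failure above looked like a missing kernel feature when it was really an instance-limit problem. The following is an added diagnostic, not code from LMD or R-fx Networks, that separates the two cases; it assumes the standard /proc/sys/fs/inotify/max_user_instances sysctl file and the anon_inode:inotify fd links under /proc/<pid>/fd/, and takes both roots as arguments so it can be run against a constructed copy.

```shell
#!/bin/sh
# Added diagnostic (not part of LMD): tell "kernel has no inotify" apart from
# "inotify present but fs.inotify.max_user_instances leaves no room".
# Assumed layout: <sysdir>/max_user_instances and <procroot>/<pid>/fd/* links.

# Count inotify instances open across all processes by reading the
# anon_inode:inotify links under <procroot>/<pid>/fd/.  The kernel limit is
# per uid, so this global count is an upper bound for any single user.
inotify_instances_in_use() {
    procroot="${1:-/proc}"
    n=0
    for fd in "$procroot"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "anon_inode:inotify" ] && n=$((n + 1))
    done
    echo "$n"
}

# Verdict on whether a new inotifywait can be expected to start.
#   $1  sysctl dir (default /proc/sys/fs/inotify)
#   $2  instances already in use (default: counted from /proc)
# Prints one of: no-inotify, unreadable, limit-too-low, exhausted, ok
inotify_check() {
    sysdir="${1:-/proc/sys/fs/inotify}"
    if [ ! -d "$sysdir" ]; then
        echo "no-inotify"      # the only case where "kernel lacks inotify" is true
        return 1
    fi
    limit=$(cat "$sysdir/max_user_instances" 2>/dev/null || true)
    case "$limit" in
        ''|*[!0-9]*) echo "unreadable"; return 1 ;;
    esac
    inuse="${2:-$(inotify_instances_in_use)}"
    if [ "$limit" -lt 1 ]; then
        echo "limit-too-low"   # inotify_init() fails although support exists
        return 1
    fi
    if [ "$inuse" -ge "$limit" ]; then
        echo "exhausted"       # same symptom, every slot taken by other watchers
        return 1
    fi
    echo "ok"
}
```

Run `inotify_check` with no arguments on the live system; a verdict other than `ok` is the thing to fix before blaming the kernel.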

Today I have also put up a small set of signature updates on top of the regular daily queue processing; this includes 25 HEX signatures for various items in the review queue as well as the associated file hashes. This brings the project to over 5,000 signatures, a milestone that has been a long time coming and one that sets this project apart from all other malware projects in the Linux world. Even the top tier AV vendors and the open source project ClamAV lack the depth of malware signatures that LMD brings to the Linux community. At the moment the project is growing by an average of 14 signatures per day, with a review queue of over 1300 user submissions that I still need to finish processing.

We can also celebrate another milestone this month, having passed 3,000 confirmed installations of LMD (3,241 as of this writing). We determine this by counting the unique IP addresses (servers) that check in daily to the rfxn.com server for signature updates. Total downloads of LMD sit at 12,952 to date, which is roughly where we expect it to be having had 3 major releases (minor releases don't get much attention) that most users would have installed or updated to.

As a holiday gift to all LMD users, I am making it my goal to have all pending items in the review queue processed and signatures created by the end of December, so keep your eyes open and I'll make a post when that has been completed.


1 Comment for this entry

  • Hello,

    I have the scanner installed on many servers and it works very well, but on one single server it has an issue: the scanner is not detecting known dangerous files, see below:

    root@imz [/home/zqertco/public_html/topics/cache]#
    root@imz [/home/zqertco/public_html/topics/cache]# ls
    ./ ../ .htaccess izriperl.izri jpg.jpg s/ w.php x1@
    root@imz [/home/zqertco/public_html/topics/cache]# maldet -a /home/zqertco/public_html/topics/cache/
    Linux Malware Detect v1.3.7
    (C) 2002-2010, R-fx Networks
    (C) 2010, Ryan MacDonald
    inotifywait (C) 2007, Rohan McGovern
    This program may be freely redistributed under the terms of the GNU GPL v2

    maldet(2782): {scan} signatures loaded: 5065 (3420 MD5 / 1645 HEX)
    maldet(2782): {scan} building file list for /home/zqertco/public_html/topics/cache/, this might take awhile…
    maldet(2782): {scan} file list completed, scanning 5 files…
    maldet(2782): {scan} 5/5 files scanned: 0 hits 0 cleaned
    maldet(2782): {scan} scan completed on /home/zqertco/public_html/topics/cache/: files 5, malware hits 0, cleaned hits 0
    maldet(2782): {scan} scan report saved 'maldet --report 120110-0234.2782'
