Linux Malware Detect

Current Release:
http://www.rfxn.com/downloads/maldetect-current.tar.gz
http://www.rfxn.com/appdocs/README.maldetect
http://www.rfxn.com/appdocs/CHANGELOG.maldetect

Description
Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, that is designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Threat data is also derived from user submissions made with the LMD checkout feature and from malware community resources. The signatures LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of detection tools, such as ClamAV.
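
As an added illustration (not LMD's own code), the two signature formats just described can be parsed and applied in a few dozen lines: the hdb-style line (md5:size:name) and the ndb-style lines (name:target:offset:hex) follow the ClamAV layouts that LMD's rfxn.hdb / rfxn.ndb files are exported in, the sample files and signature names are constructed, and the ignore_sigs prefix matching is an assumption based on the advice given in the comments below.

```python
import hashlib
import re

# Constructed sample files (byte strings standing in for files on disk).
SAMPLE_FILES = {
    "index.php": b"<?php echo 'hello'; ?>\n",
    "theme.php": b"<?php eval(gzinflate(base64_decode('H4sI...'))); ?>\n",
    "bot.pl": b"#!/usr/bin/perl\n# constructed stand-in for a known bad file\n",
}

# Constructed rfxn.hdb-style line, ClamAV .hdb layout: md5:filesize:{MD5}name
_BOT = SAMPLE_FILES["bot.pl"]
SAMPLE_HDB = f"{hashlib.md5(_BOT).hexdigest()}:{len(_BOT)}:{{MD5}}perl.ircbot.example\n"

# Constructed rfxn.ndb-style lines, ClamAV .ndb layout: name:target:offset:hex
# The first hex string is 'gzinflate(base64_decode(' (the pattern quoted in the
# comments); offset '*' means match anywhere, an integer means match at that
# offset, and '??' is a one-byte wildcard.
SAMPLE_NDB = (
    "{HEX}gzbase64.inject.unclassed.14:0:*:"
    "677a696e666c617465286261736536345f6465636f646528\n"
    "{HEX}php.shell.example.1:0:0:3c3f706870??6576616c28\n"
)

_PREFIX = re.compile(r"^\{(MD5|HEX)\}")


def parse_hdb(text):
    """md5:size:name -> {md5: (size or None, name)}; a size of '*' accepts any size."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        sigs[digest.lower()] = (None if size == "*" else int(size), name)
    return sigs


def hex_to_regex(hexsig):
    """Compile a hex signature to a bytes regex: literal bytes, '??' -> any byte."""
    if len(hexsig) % 2:
        raise ValueError("hex signature needs an even number of digits")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(text):
    """name:target:offset:hex -> [(name, offset or None, compiled regex)]."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _target, offset, hexsig = line.split(":", 3)
        sigs.append((name, None if offset == "*" else int(offset), hex_to_regex(hexsig)))
    return sigs


def parse_ignore_sigs(text):
    """One signature name per line; a leading {MD5}/{HEX} tag is optional."""
    return {_PREFIX.sub("", ln.strip()) for ln in text.splitlines() if ln.strip()}


def is_ignored(name, ignore):
    """Assumed semantics: an entry silences the exact name or, when it is a
    dotted prefix (e.g. 'base64.inject.unclassed'), the whole rule class."""
    bare = _PREFIX.sub("", name)
    return any(bare == e or bare.startswith(e + ".") for e in ignore)


def scan_bytes(data, hdb, ndb, ignore=frozenset()):
    """Signature names that hit on one file's contents, ignore list applied."""
    hits = []
    entry = hdb.get(hashlib.md5(data).hexdigest())
    if entry and entry[0] in (None, len(data)):
        hits.append(entry[1])
    for name, offset, rx in ndb:
        if (rx.search(data) if offset is None else rx.match(data, offset)):
            hits.append(name)
    return [h for h in hits if not is_ignored(h, ignore)]


def scan_files(files, hdb_text, ndb_text, ignore_text=""):
    """Scan a {filename: bytes} mapping; returns {filename: [hit names]}."""
    hdb, ndb = parse_hdb(hdb_text), parse_ndb(ndb_text)
    ignore = parse_ignore_sigs(ignore_text)
    return {fname: scan_bytes(data, hdb, ndb, ignore) for fname, data in files.items()}


if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLE_FILES, SAMPLE_HDB, SAMPLE_NDB).items():
        print(f"{fname}: {', '.join(hits) or 'clean'}")
```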

The driving force behind LMD is that there is currently limited availability of open source, restriction-free tools for Linux systems that focus on malware detection and, more importantly, get it right. Many of the AV products that perform malware detection on Linux have a very poor track record of detecting threats, especially those targeted at shared hosting environments.

The threat landscape in shared hosting environments differs from what the standard AV products' detection suites cover: they primarily detect OS-level trojans, rootkits and traditional file-infecting viruses, but miss the ever increasing variety of malware at the user account level, which serves as an attack platform.

The commercial products available for malware detection and remediation in multi-user shared environments remain abysmal. An analysis of 8,883 malware hashes detected by LMD 1.5, checked against 30 commercial anti-virus and malware products, paints a picture of how poorly commercial solutions perform.

DETECTED KNOWN MALWARE: 1951
% AV DETECT (AVG): 58
% AV DETECT (LOW): 10
% AV DETECT (HIGH): 100
UNKNOWN MALWARE: 6931

Using the Team Cymru malware hash registry, we can see that of the 8,883 malware hashes shipping with LMD 1.5, 6,931, or 78%, went undetected by the 30 commercial anti-virus and malware products. The 1,951 threats that were detected had an average detection rate of 58%, with low and high detection rates of 10% and 100% respectively. There could not be a clearer statement of the need for an open, community-driven malware remediation project that focuses on the threat landscape of multi-user shared environments.

Features:
– MD5 file hash detection for quick threat identification
– HEX based pattern matching for identifying threat variants
– statistical analysis component for detection of obfuscated threats (e.g: base64)
– integrated detection of ClamAV to use as scanner engine for improved performance
– integrated signature update feature with -u|--update
– integrated version update feature with -d|--update-ver
– scan-recent option to scan only files that have been added/changed in X days
– scan-all option for full path based scanning
– checkout option to upload suspected malware to rfxn.com for review / hashing
– full reporting system to view current and previous scan results
– quarantine queue that stores threats in a safe fashion with no permissions
– quarantine batching option to quarantine the results of a current or past scan
– quarantine restore option to restore files to original path, owner and perms
– quarantine suspend account option to Cpanel suspend or shell revoke users
– cleaner rules to attempt removal of malware injected strings
– cleaner batching option to attempt cleaning of previous scan reports
– cleaner rules to remove base64 and gzinflate(base64) injected malware
– daily cron based scanning of all changes in last 24h in user homedirs
– daily cron script compatible with stock RH style systems, Cpanel & Ensim
– kernel based inotify real time file scanning of created/modified/moved files
– kernel inotify monitor that can take path data from STDIN or FILE
– kernel inotify monitor convenience feature to monitor system users
– kernel inotify monitor can be restricted to a configurable user html root
– kernel inotify monitor with dynamic sysctl limits for optimal performance
– kernel inotify alerting through daily and/or optional weekly reports
– e-mail alert reporting after every scan execution (manual & daily)
– path, extension and signature based ignore options
– background scanner option for unattended scan operations
– verbose logging & output of all actions

Source Data:
The defining difference with LMD is that it doesn’t just detect malware based on signatures/hashes that someone else generated; rather, it is an encompassing project that actively tracks in-the-wild threats and generates signatures based on the real-world threats that are currently circulating.

There are four main sources of malware data used to generate LMD signatures:
Network Edge IPS: Through networks managed as part of my day-to-day job, primarily web hosting related, our web servers receive a large number of daily abuse events, all of which are logged by our network edge IPS. The IPS events are processed to extract malware URLs and to decode POST payloads and base64/gzip encoded abuse data; ultimately the malware is retrieved, reviewed and classified, and signatures are generated as appropriate. The vast majority of LMD signatures have been derived from IPS extracted data.
Community Data: Data is aggregated from multiple community malware websites such as clean-mx and malwaredomainlist, then processed to retrieve new malware, which is reviewed and classified before signatures are generated.
ClamAV: The HEX & MD5 detection signatures from ClamAV are monitored for relevant updates that apply to the target user group of LMD and added to the project as appropriate. To date roughly 400 signatures have been ported from ClamAV, while the LMD project has contributed back to ClamAV by submitting over 1,100 signatures and continues to do so on an ongoing basis.
User Submission: LMD has a checkout feature that allows users to submit suspected malware for review. This has grown into a very popular feature and generates on average about 30-50 submissions per week.

Signature Updates:
The LMD signatures are updated typically once per day, or more frequently depending on incoming threat data from the LMD checkout feature, IPS malware extraction and other sources. Signature updates on LMD installations are performed daily through the default cron.daily script using the --update option, which can also be run manually at any time.

An RSS feed is available for tracking malware threat updates: http://www.rfxn.com/api/lmd

Detected Threats:
LMD 1.5 has a total of 10,822 signatures (8,908 MD5 / 1,914 HEX) before any updates. The top 60 threats by prevalence detected by LMD are as follows:

base64.inject.unclassed     perl.ircbot.xscan
bin.dccserv.irsexxy         perl.mailer.yellsoft
bin.fakeproc.Xnuxer         perl.shell.cbLorD
bin.ircbot.nbot             perl.shell.cgitelnet
bin.ircbot.php3             php.cmdshell.c100
bin.ircbot.unclassed        php.cmdshell.c99
bin.pktflood.ABC123         php.cmdshell.cih
bin.pktflood.osf            php.cmdshell.egyspider
bin.trojan.linuxsmalli      php.cmdshell.fx29
c.ircbot.tsunami            php.cmdshell.ItsmYarD
exp.linux.rstb              php.cmdshell.Ketemu
exp.linux.unclassed         php.cmdshell.N3tshell
exp.setuid0.unclassed       php.cmdshell.r57
gzbase64.inject             php.cmdshell.unclassed
html.phishing.auc61         php.defash.buno
html.phishing.hsbc          php.exe.globals
perl.connback.DataCha0s     php.include.remote
perl.connback.N2            php.ircbot.InsideTeam
perl.cpanel.cpwrap          php.ircbot.lolwut
perl.ircbot.atrixteam       php.ircbot.sniper
perl.ircbot.bRuNo           php.ircbot.vj_denie
perl.ircbot.Clx             php.mailer.10hack
perl.ircbot.devil           php.mailer.bombam
perl.ircbot.fx29            php.mailer.PostMan
perl.ircbot.magnum          php.phishing.AliKay
perl.ircbot.oldwolf         php.phishing.mrbrain
perl.ircbot.putr4XtReme     php.phishing.ReZulT
perl.ircbot.rafflesia       php.pktflood.oey
perl.ircbot.UberCracker     php.shell.rc99
perl.ircbot.xdh             php.shell.shellcomm

Real-Time Monitoring:
The inotify monitoring feature is designed to monitor paths/users in real time for file create/modify/move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY), which is found in kernels 2.6.13+ and in CentOS/RHEL 5 by default. If you are running CentOS 4 you should consider an in-place upgrade with:
http://www.rfxn.com/upgrade-centos-4-8-to-5-3/

The monitor can be executed in three modes, which determine what will be monitored: USERS|PATHS|FILES.

       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

The options break down as follows:
USERS: The users option takes the homedirs of all system users with a uid above inotify_minuid and monitors them. If inotify_webdir is set then only the user's webdir, if it exists, will be monitored.
PATHS: A comma-separated list of paths to monitor
FILE: A file containing one path to monitor per line

Once you start maldet in monitor mode, it preprocesses the paths based on the option specified and then starts the inotify process. Starting the inotify process can be a time consuming task, as it needs to set up a monitor hook for every file under the monitored paths. Although the startup can impact the load temporarily, once the process has started it maintains all of its resources inside kernel memory and has a very small userspace footprint in memory or CPU usage.
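
The preprocessing step just described, as an added example that is not LMD's own code: turning a --monitor argument into the watch list for the three modes, applying the inotify_minuid and inotify_webdir rules from the USERS description. The passwd excerpt and directory set are constructed, the rule that a user without the configured webdir is skipped is an assumption, and the inotifywait flags other than -r are standard inotify-tools options rather than LMD's exact command line.

```python
import os

# Constructed /etc/passwd excerpt: two system accounts below the threshold,
# two hosting users with a public_html directory, and one without.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
mike:x:1000:1000::/home/mike:/bin/bash
ashton:x:1001:1001::/home/ashton:/bin/bash
svc:x:1002:1002::/var/lib/svc:/sbin/nologin
"""

# Constructed stand-in for the filesystem, so the example runs on any machine.
SAMPLE_DIRS = {"/home/mike", "/home/mike/public_html",
               "/home/ashton", "/home/ashton/public_html", "/var/lib/svc"}


def sample_isdir(path):
    return path in SAMPLE_DIRS


def homedirs_above(passwd_text, minuid):
    """(user, homedir) for every account whose uid is above minuid, i.e. the
    inotify_minuid threshold of USERS mode."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # tolerate a malformed line instead of aborting the monitor
        if int(fields[2]) > minuid:
            out.append((fields[0], fields[5]))
    return out


def user_watch_paths(passwd_text, minuid=500, webdir="", isdir=sample_isdir):
    """USERS mode: each qualifying homedir, or only homedir/webdir when
    inotify_webdir is set. Assumed here: a user without that webdir is skipped."""
    paths = []
    for _user, home in homedirs_above(passwd_text, minuid):
        target = os.path.join(home, webdir) if webdir else home
        if isdir(target):
            paths.append(target)
    return paths


def _read_lines(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()


def monitor_paths(arg, passwd_text=SAMPLE_PASSWD, minuid=500, webdir="",
                  isdir=sample_isdir, isfile=os.path.isfile, read_lines=_read_lines):
    """Map a --monitor argument onto the three modes: 'users', the name of a
    file holding one path per line, or a comma-separated path list.
    Blank entries and duplicates are dropped; order is preserved."""
    if arg == "users":
        raw = user_watch_paths(passwd_text, minuid, webdir, isdir)
    elif isfile(arg):
        raw = read_lines(arg)
    else:
        raw = arg.split(",")
    seen, paths = set(), []
    for p in (x.strip() for x in raw):
        if p and p not in seen:
            seen.add(p)
            paths.append(p)
    return paths


def inotifywait_argv(paths):
    """Command line the watch list feeds. -r is the recursive flag discussed in
    the comments; -m, -e and --format are standard inotify-tools options and
    not necessarily what LMD itself passes."""
    return ["inotifywait", "-r", "-m", "-e", "create,modify,moved_to",
            "--format", "%w%f"] + list(paths)


if __name__ == "__main__":
    print(" ".join(inotifywait_argv(monitor_paths("users", webdir="public_html"))))
```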

See http://www.rfxn.com/appdocs/README.maldetect for more details on inotify monitoring.

Funding:
Funding for the continued development and research into this and other projects is solely dependent on public contributions and donations. If this is your first time using this software we ask that you evaluate it and consider a small donation; for those who frequent and are continued users of this and other projects we also ask that you make an occasional small donation to help ensure the future of our public projects.

211 Replies to “Linux Malware Detect”

  1. As for the problem with Modsec 2.7, it seems this can be worked around by appending an unused Action ID (required for every rule since 2.7). So to integrate with Modsecurity the following works, for example:

    ## - Maldetect integration
    SecRequestBodyAccess On
    SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
    "id:'999999',log,auditlog,deny,severity:2,phase:2,t:none"

  2. Maldet has been awesome so far, and we have been using it together with Modsecurity.

    However, the Modsecurity integration no longer works since Modsecurity 2.7 was released.

    Error:

    [….] Starting web server: apache2Syntax error on line 25 of /etc/apache2/modsecurity/modsecurity_crs_10_config.conf:
    ModSecurity: No action id present within the rule
    Action ‘start’ failed.

    On line 25 is:
    SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
    "log,auditlog,deny,severity:2,phase:2,t:none"

    Worked fine with all Modsec 2.6x

    Any solution?

  3. I’ve run into a small problem like I can see many others have.

    When running:
    maldet -m users

    I get:
    maldet(12709): {mon} starting inotify process on 23 paths, this might take awhile…
    maldet(12709): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.

    When running:
    /usr/local/maldetect/inotify/inotifywait

    I get:
    /usr/local/maldetect/inotify/inotifywait: error while loading shared libraries: libinotifytools.so.0: cannot open shared object file: No such file or directory

    But when running:
    /usr/bin/inotifywait

    It gives what it’s supposed to do:
    No files specified to watch!

    This is a Debian x64 6.0.5 (Squeeze) installation.

    Do you have any advice to give? Everything is appreciated.

    1. In the file /usr/local/maldetect/internals.conf, change the line that reads:
      inotify=$inspath/inotify/inotifywait

      To:

      inotify=/usr/bin/inotifywait

      Or, delete the maldetect inotify binary and symlink your system inotify binary over it, either option should be sufficient.

  4. Hi Ryan,
    When running maldet in inotify mode, it writes an empty file named “0” in the directory it’s executed from. It’s not a major problem, but I’m finding these “0” files all over the place.
    I’m running this on Debian 6.x on a 64-bit system, and running maldet in monitor mode with a file list.

  5. I would be interested in running maldet in real-time mode and have it watch the folder that contains all www apache roots on my server (Debian) namely: /var/www but I read up a bit on Inotify and found this statement which I think means that it does not recursively monitor all folders within.

    Inotify does not support recursively watching directories, meaning that a separate inotify watch must be created for every subdirectory.

    Did I understand this right? If I got it right, this will not work: maldet --monitor /var/www, right?

    So if I would i.e. add every single www root it still would not monitor subdirectories so what is the point? I mean most CMS out there have several subfolders and I certainly can’t add every single folder/subfolder for every web site I host.

    If this is the case, I would have to rely on the cron scan but here again, I am unsure about how to edit the cronjob to only scan /var/www and /tmp as those are the only folders where the users the web processes run under can access.
    So I’ll wait for your next version, which I understand will include an easier way to specify the scan paths for the cron job.

    1. That is not the case, inotifywait from the inotify-tools package contains a recursive option:
      -r|--recursive Watch directories recursively.

      This will recursively watch directories defined to be monitored and start watching any newly created paths within the monitoring path. This flag is used by LMD in executing inotifywait processes.

  6. Great product.
    Is there any way to put maldet into update-only mode for automation? I want to keep it up to date in terms of definitions, etc., but not run any scans at all unless they’re run on the command line (no inotify monitoring, etc).
    At the moment if I manually make changes to the cron job that sometimes seems to get overwritten and reactivate regular scanning again.

    1. You can empty the contents of /etc/cron.daily/maldet and then set it chattr +i so that it will not get overwritten on updates. That said, in the next release I will add a configuration variable and/or variable to the cronjob to control execution.

  7. Oh and another suggestion, make it possible to set the paths for the daily scan job in the configuration file so I don’t have to adjust the cron script itself

  8. Is it possible to check the directory that is going to be scanned for subdirectories that are out of scope of the maxdepth setting, and then warn or even error if the found depth is higher than maxdepth?
    Otherwise we’d not be checking parts of our directories without us knowing..
    ( find .|awk -F/ '{print NF}'|sort -n|tail -1)

  9. I’ve not been able to get maldet to clean anything. It ALWAYS resets the base64 file, even if I chattr +i the thing.

    Also not quarantining anything. Creates .info files, but infected files remain in users folder.

    Totally useless other than as a reporting tool

    1. This is certainly not the case for most users and sounds like an issue in your setup. If you detail a bit about your deployment perhaps we can pinpoint the issue.

  10. Hi all,

    Today (march 7 2012) I downloaded LMD 1.4.1 with wget http://www.rfxn.com/downloads/maldetect-current.tar.gz to 2 systems (1 local and 1 hosted server).

    On the remote system I immediately did a scan and it found that gzbase64.inject.unclassed was infected, which was put in quarantine

    Now I am quite a newbie and maybe I did something wrong, so I don’t want to create a panic, but this file was found in maldetect-1.4.1/files/clean/gzbase64.inject.unclassed

    Therefore it looks to me like this file was included in the LMD download, because I did not download or install anything else

    Is gzbase64.inject.unclassed indeed infected with malware as it was detected by LMD itself as such?

    If so, what is my situation? Am I infected now, without knowing, because the installation of LMD is done with sudo, right?

    Another strange thing is that my local installation went without errors, but when I for instance do sudo maldet -u I get ‘command not found’, also when I do it in the maldetect dir. Maldet does not run at all!

    So am I doing something wrong or is LMD infected?

    1. Hi, Jan. I’ve just installed LMD for the first time, but since no one else has responded to your comment, I thought I would. Just keep in mind I’m not an experienced LMD user.

      If you look at the contents of the file in question, you’ll see it’s actually a sed command that uses regular expressions to find and clean certain generic ways of injecting hidden malware instructions into PHP files. Because it contains the signature of that type of malware injection, LMD detects it as malware. It isn’t.

      I’m a new user, but so far I have made a point of manually verifying each reported infection. I use LMD to recursively scan user home directories since that’s where the real vulnerability is (if I’m uploading infected software or not securing my server in general, LMD is probably too little and too late!).

      I personally would not think it wise to include the LMD directory in LMD’s malware scans, so, yes, I think you’re doing something wrong. If malware were to infect LMD itself, odds are it would alter LMD not to detect it, so there’s not much point in this. I generally think it’s not smart to try to detect and purge infections using an infected tool or framework.

      See also section 13 of the README file distributed with LMD. It’s always a good idea to “RTFM” before posting questions publicly. 🙂

      While I would encourage you to post any response you might have as a reply here, I honestly may not see it. If you want to be sure of getting my attention, you can also connect with me on Twitter. My Twitter handle is @sustainablylush.

  11. Hi Ryan:

    For the next update, version, etc., can you put a cap and some form of clean up for /usr/local/etc/maldetect.bk* files?

    Those directories and files can quickly fill up a disk if not manually managed (it is not a huge amount of work — typically checking once every four to eight weeks, but still… automation is nice).

    Thank you!

  12. Hello!

    Thanks a lot for the wonderful script; we are now using it to scan our customers’ websites for malware each night.

    The only thing which we would really like to have is a nightly report via email (regardless if malware is found or not).
    When we receive an email, we know that lmd is working fine.

    Else we would have to check every day manually in the logs if lmd has run…

    That would be a _huge_ timesaver, because the worst thing is when you THINK that your system gets scanned but for some reason it doesn’t 😉

    Thanks a lot and best regards,

    Chris

    1. I will look into adding an option to enable this however by default LMD only alerts when it has found something, as for example if you had hundreds of servers it would be very noisy to receive empty emails stating nothing more than LMD found no malware.

  13. I’ve been using LMD for some time and love it, with one minor issue (an annoyance really). When you run “maldet -d” to force an update at the command line, if there is a new version of the application available, it downloads the new version, and reinstalls it in /usr/local. If you have maldet configured to run from an alternate location (for example, setting inspath=/opt/maldet in the main maldet script), the update attempts to put a new install on the system instead of updating the existing installation (due to “inspath” being hardcoded in install.sh).

    Passing an installation path to install.sh then updating the maldet script with this new path would be an ideal solution.

    Looking forward to your thoughts on this and thanks for a great scanning solution.

    JN

  14. Hi ryan. I used your cool Maldetect a week ago, and it saved my hosting reputation. So I donated my $10.
    I decided to run it on a daily basis from crontab, so I put on purpose an infected file Maldetect found a week ago on a specific folder, just to be sure that it runs fine. Guess what, it doesn’t find it anymore!
    Very strange. Also, I started to get a strange “find” error, as detailed below:

    [email protected] [~]# /usr/local/maldetect/maldet -a /home/sch
    Linux Malware Detect v1.4.1
    (C) 2002-2011, R-fx Networks
    (C) 2011, Ryan MacDonald
    inotifywait (C) 2007, Rohan McGovern
    This program may be freely redistributed under the terms of the GNU GPL v2

    maldet(9491): {scan} signatures loaded: 8873 (7009 MD5 / 1864 HEX)
    maldet(9491): {scan} building file list for /home/sch, this might take awhile…
    /usr/bin/find: paths must precede expression
    Usage: /usr/bin/find [path…] [expression]
    maldet(9491): {scan} scan returned zero results, please provide a new path.

    What that “/usr/bin/find: paths must precede expression” would be?

    Thanks for your good work

    1. LMD scans for file changes/modifications in the last 24hr, so if you simply moved the file into the path its modification/creation date is likely still reflective of when it was originally created.

      Please run the following:
      sh -x /usr/local/maldetect/maldet -a /home/sch 2> /root/maldet.debug

      Then send an email to ryan at rfxn.com with the maldet.debug file attached.

    1. Peter,
      You can place the file names or the paths to the directories in question into the /usr/local/maldetect/ignore_paths file to prevent these files from being scanned. Or, you can place the base64.inject.unclassed string into ignore_sigs to ignore the entire rule class.

  15. I see there are a number of directories with the names maldetect.bk12345 in /usr/local/ (where 12345 are various numbers), are these archives that can safely be removed?

  16. Hi Ryan,

    Thanks for the hard work and making such great software, we’ve just sent over a donation to show our appreciation.

    Quick question:

    On some of our customer servers we’ve customized /etc/cron.daily/maldet to scan in specific paths not included in the defaults you provide.

    It looks like when the software is automatically upgraded the changes we make are wiped out in /etc/cron.daily/maldet and it no longer scans the correct directories.

    Can we chattr +i /etc/cron.daily/maldet so it is not modified in the future, or will that potentially break new updates? Any other options?

    Thanks in advance.

    -PJF

    1. Setting the cronjob chattr +i will not break anything. That said, I will work on the update function to have it detect when the cronjob has been modified and preserve it across upgrades.

  17. Ryan, on the inotify monitor process, I have yet to see it stay up on a server. Seems like after so long or a few days it dies out. What is the cause of this and how to prevent it?

    You can catch me on aim – procrace and I can show you some servers I have seen this happen on

  18. Need Help Please – Web hosting account suspended due to false positives from seo.classes.php

    I believe my web host supplier is running your program and after loading up an oscommerce addon to my site my hosting account is automatically suspended due to a false positive from the seo.classes.php file?

    I’ve taken it up with the host two days in a row now but they run a low cost model and aren’t big on customer service that requires any manual adjustments. I appreciate the fact that they probably have thousands of clients on their servers, but surely there is a way they can easily allow this file to not be automatically quarantined and the account suspended. It doesn’t help my online rep.

    I would also suggest that the “Account Suspended” text be changed to something like “Site Offline”. They are both technically correct but the latter is substantially less damaging.

    Any advice would be appreciated!

    1. LMD provides a number of facilities for ignoring false positives including an ignore_paths file which a full path to the false positive file can be placed in or an ignore_sigs file where problematic signatures can be ignored entirely. I would recommend you advise your host to place the full path to your file into /usr/local/maldetect/ignore_paths and it should take care of the issue. What host are you using if I may ask?

  19. Thanks for this excellent product!

    I found a threat that wasn’t detected by maldet.
    I tried to upload it with the -c option but I get:

    550 Can’t change directory to incoming: Permission denied

    Any ideas?
    Thanks!

  20. Hi Ryan,

    thanks for working hard on the script 🙂

    I’m on Debian Squeeze (64bit) and am still encountering the same problem as the poster of comment #106: maldet reports that there are no inotify processes found.

    {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.

    The log stays empty and when I manually execute inotifywatch without arguments it seems to run and complains that there are no files specified to watch.

    I’ve manually modified maldet to not grep for /home in /etc/passwd but for /var/www (which is my home dir for webhosting users) and it did detect and set inotify to a more reasonable value (instead of 0), however it still reports there are no inotify processes found.

    Do you have an idea on how to fix that?

  21. Just wanted to say thanks. My server was hacked a couple of days ago, and I knew something was up… then I got the bandwidth bill: £180!!! Your program pinpointed exactly what was up and quarantined it.

  22. Good day, Ryan:

    I hope you and your family are doing well.

    We’ve received two separate reports from two different servers showing:

    FILE HIT LIST:
    {HEX}php.exe.globals.383 : [full path to a directory]

    Where it shows scores of directories, but no individual files.

    Should I be concerned?

    How would I further diagnose this issue?

    Thank you.

  23. First off, great tool!!

    Here’s my uname -a

    Linux xxxxxxxx 2.6.32-32-server #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 x86_64 GNU/Linux

    Couple of bugs I found.

    1. tlog doesn’t like /bin/sh under Ubuntu 10.04, changing to /bin/bash seems to fix that.
    2. Including and using 32bit bins for inotifywatch and its library really doesn’t help those of us using x64 🙁

    Any chance of an updated version including some logic to use the system version of inotifywatch?

    1. The tlog issue has been fixed and pushed live, sorry for the oversight.

      As for the inotify binaries, in 1.4.2 I will add x64 binaries along with a simple check to determine system arch and use the appropriate binaries. I will also add a check to see if the system has its own copy of inotifywatch in $PATH and if so use it.

  24. Hi, thanks for this LIFESAVING application! Your excellent work is amazing and so useful to thousands of people, and I truly appreciate it.

    I was just wondering… I don’t see options for quiet/verbose. I think this generally standard unix feature would be quite helpful…

    For example, I have a nightly cron with email report, something like this:

    maldet -d
    maldet -u
    maldet -r …

    and the email is so long with unnecessary info.

    I wish there was a way to just have it report the minimal info, without the repeated headers and emails…
    something like: maldet -d --quiet
    or --noheader

    What do you think?

  25. Installed this anti-malware, and I’m happy with the effect. However, it has difficulty coping with the recent malware injection generating htaccess files. I hope that this will be improved.

  26. hello, nice tool and great work. is there a way to build my own hashes? for example i need to find files that are binaries or shell scripts:

    the last server was hacked through an insecure apache with the root kit spl.sh:

    #!/bin/sh
    umask 0
    LD_AUDIT=libpcprofile.so PCPROFILE_OUTPUT=/etc/ld.so.preload ping
    echo “[+] creating /tmp/getuid.so”
    echo “int getuid(){return 0;}” > /tmp/getuid.c
    gcc -shared /tmp/getuid.c -o /tmp/getuid.so
    echo “/tmp/getuid.so” > /etc/ld.so.preload

    So i want to build a hash to parse all files with #!/bin/ or, for binaries:

    file /bin/bash -> search/scan for ELF \d\d-bit

    So which files do i have to touch for my own hashes?

    hex.dat
    md5.dat
    rfxn.hdb
    rfxn.ndb

    so for example i want to find files with “#!/bin”

    what do i have to do?

    md5(#!/bin) -> touch md5.dat and/or rfxn.db ->

    0b4962363758288f8f7e0d9cdb413d92:88:{MD5}bash.inject.unclassed.1

    0b4962363758288f8f7e0d9cdb413d92:{MD5}bash.inject.unclassed.1

    do we need both hex and md5 for this? thanks for any help with my own definitions, because i think not everyone wants to parse #!/bin

  27. never mind this, /tmp actually had 40k files.
    You should however add a feature that allows me to scan only php files in all folders recursively
    something like
    maldet -a /home/user/public_html/?/?.php

    that command only digs in one level deep.


    Binoy:

    I am trying to scan a user directory and it reports there are 42500 files to scan, which will obviously take a long time
    The number of files in user directory is only close to 5000 (using find . -type f )
    Nm this

    The number of files in /var/tmp is 1800
    /tmp is symlink of /var/tmp
    where is maldet getting 42500 files from ? and how to ignore them.
    Can you provide a full list of all the directories that maldetect automatically add.
    It would be helpful if maldet ignores these directories if they were added to ignore_paths


  28. I am trying to scan a user directory and it reports there are 42500 files to scan, which will obviously take a long time

    The number of files in user directory is only close to 5000 (using find . -type f )
    The number of files in /var/tmp is 1800
    /tmp is symlink of /var/tmp

    where is maldet getting 42500 files from ? and how to ignore them.
    Can you provide a full list of all the directories that maldetect automatically add.
    It would be helpful if maldet ignores these directories if they were added to ignore_paths

  29. This looks like an excellent little tool! All works well with -a: malicious files are picked up and I see these in the report. Where using monitor and malicious content is uploaded I’m seeing the relevant inotify in the event_log but seemingly it is not detected as a bad file (not logged, nor do I get an email about it when I run the cron). Does anyone have any suggestions? CentOS 5.7, CloudLinux kernel.

  30. Hi,
    is there any chance to protect /etc/cron.daily/maldet from being changed by the update process? I’m on Debian and have to use another tool to clean the tmps and other paths for my home users.

    PS: The function ‘ignore_sigs’ still won’t work 🙁

  31. I have put my server scan using the command
    maldet --scan-all /home?/?/public_html &

    & click on close button, now how to check how many files have been scanned? & what maldet is currently doing?

  32. Hello,

    how could i get the ignore_sigs file working?
    The hit is:

    I tested the entries

    gzbase64.inject.unclassed
    gzbase64.inject.unclassed.14
    {HEX}gzbase64.inject.unclassed.14
    and
    {HEX}gzbase64.inject.unclassed.14:0:*:677a696e666c617465286261736536345f6465636f646528

    But none of them were ignored.

    Thank you!

  33. Today I tried to submit a suspect file (maldet -c) and got errors:

    I didn’t know if you would want me to post them here. Please let me know.


  34. Ryan M.:
    if you have same problem you can use clamAV to scan files using the maldet database

    example:
    # /usr/bin/clamscan -d /usr/local/maldetect/sigs/rfxn.ndb -d /usr/local/maldetect/sigs/rfxn.hdb -r --infected /home/*

    as it described in: http://shannaq.com/w/Maldet_scan_returned_zero_results,_please_provide_a_new_path

    Sam what OS are you running?

    I’m using Linux 2.6.18-238.12.1.el5PAE #1 SMP Tue May 31 14:02:45 EDT 2011 i686 i686 i386 GNU/Linux
    Centos 5

  35. I found a file that did not get picked up by the scanner. Is there a way to submit files so they can be reviewed and added to the list to catch?

    1. you can use the command line :

      maldet -c filename.ext

      you need to change the filename to the file name you have in your server like flood.pl .

  36. Just something I have noticed thought I would see if anyone else had the same issue.

    I’ve been testing instances of this in a setup similar to the author’s. Testing on 4 machines at the moment, CentOS 5.6, Apache rar rar you know the drill.

    I’ve had a few issues now where I have come back to full /usr/local partitions because maldet has gone nuts and started dropping coredumps all over the place. I believe it’s occurring when the machine starts swapping, as in both cases it has occurred that was all that was really going on at the time.

    I have saved two of the core dumps for now, I have yet to look at them. Just a quick query really to see if it had occurred for anyone else.

    1. Just going through and grabbing when I can from one of the dumps.

      Virtual memory exhausted.
      TERMCAP
      /etc/termcap
      tgetent: warning: termcap entry too long
      virtual memory exhausted

  37. Perhaps you could add more default control panel settings to /etc/cron.daily/maldet? This is what we do:

    # check for plesk
    elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
        /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
        /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1

  38. I think maldet does not support 64-bit

    my end
    Linux hostname 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:22:04 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

    any solutions to fix the
    maldet(3209): {scan} scan returned zero results, please provide a new path.
    error ?


  39. Hi,

    Im running into 2 problems, i hope you can help me out.

    First off is that when i run “maldet -a /path” it will not exclude the signatures from “ignore_sigs”.
    The second is a error in the logs when starting the monitor: “/usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.3356: No such file or directory”

    I am using version 1.4.0 on Debian Lenny with ClamAV enabled.

    -Marcus

  40. is it possible to integrate maldet with modsecurity as a file upload scanner, as we can do with clamscan and modsecurity? seems it will be much more effective as a file upload scanner with maldet+modsecurity against clamscan+modsec

  41. Also use
    Linux 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:22:04 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

    Centos 5 64-bit
    also showing
    maldet(10957): {scan} signatures loaded: 7903 (6054 MD5 / 1849 HEX)
    maldet(10957): {scan} building file list for /home/newuser/, this might take awhile…
    maldet(10957): {scan} scan returned zero results, please provide a new path.

    while I’m sure there are many files in the /home/newuser folder

    any help?


    Ryan M.:

    Sam what OS are you running?

    I’m using Linux 2.6.18-238.12.1.el5PAE #1 SMP Tue May 31 14:02:45 EDT 2011 i686 i686 i386 GNU/Linux
    Centos 5


  42. Mark Jones:

    I have installed this on an OES2 server (basically a SLES 10SP3 server). When I try and scan I’m getting zero results returned although there are files in the folders I’m trying to scan. for example:
    Web_Srv1:/home/mjones # /usr/local/maldetect/maldet -a /home
    Linux Malware Detect v1.3.6
    (C) 2002-2010, R-fx Networks
    (C) 2010, Ryan MacDonald
    inotifywait (C) 2007, Rohan McGovern
    This program may be freely redistributed under the terms of the GNU GPL v2
    maldet(1765): {scan} signatures loaded: 4426 (2809 MD5 / 1617 HEX)
    maldet(1765): {scan} building file list for /home, this might take awhile…
    maldet(1765): {scan} scan returned zero results, please provide a new path.
    Not sure what I’m doing wrong.
    Thanks
    mark

    I’m getting the same error

    /usr/local/maldetect/maldet -a /home/
    Linux Malware Detect v1.4.0
    (C) 2002-2011, R-fx Networks
    (C) 2011, Ryan MacDonald
    inotifywait (C) 2007, Rohan McGovern
    This program may be freely redistributed under the terms of the GNU GPL v2

    maldet(17431): {scan} signatures loaded: 7844 (5995 MD5 / 1849 HEX)
    maldet(17431): {scan} building file list for /home/, this might take awhile…
    maldet(17431): {scan} scan returned zero results, please provide a new path.

    while I’m sure the /home folder contain files
    what is the problem?

  43. Hi,

    I have enabled inotify on one server and i have executed maldet --monitor users

    and i set path= public_html in conf.maldet, However inotify scans each and every partitions.

    you can see following log..

    /var/tmp/clamav-065fa4c0c288744093c06ba0ffd01bdf/notags.html MODIFY 06 Jun 23:54:30
    /usr/local/cpanel/logs/access_log MODIFY 06 Jun 23:54:32
    /usr/local/cpanel/logs/access_log MODIFY 06 Jun 23:54:34
    /var/tmp/clamav-30cdd02f7b58755698f4842d3180d47a CREATE,ISDIR 06 Jun 23:54:36

    /home/sakol/public_html/cgi-bin/sakol/shopping_carts/9192975.6177_TRANSLOG MODIFY 06 Jun 23:54:38

    1. There is a subset of paths that are included automatically into the users inotify mode along with other modes, to be monitored for activity as they are commonly abused. Such paths include /tmp, /var/tmp and /dev/shm .

  44. maldet(3045): {glob} processed 2 signature ignore entries


    Sergey:

    or does maldet -a /path not use conf.maldet?


    Sergey:

    Hi, i used maldet.
    I added
    base64.inject.unclassed
    gzbase64.inject.unclassed
    to ignore_sigs, but maldet still detects and removes files
    maldet version 1.4.0

    1. What are the exact rules that are causing problems? You can also use the ignore_paths file to ignore specific paths or files that are repeatedly the source of false positives.

  45. after updating to 1.4.0 the scan report says it found many files but it doesn’t quarantine or delete them, and I have the option in config set to 1 = quarantine.

    please fix this in 1.4.1, the issue exists on 5 different servers.

    1. We are unable to reproduce this issue and there are no others reporting similar issues, please email ryan at rfxn.com with a copy of your conf.maldet.

  46. Hello,

    We have enabled inotify monitoring and I am unable to generate the daily report, is there any idea of it? I have checked the event_log and there are quarantined items.

    Besides, is it OK to submit the false positive file by maldet -c ? We have submitted a seo.class.php which seems to be identified as a false positive.

    Thanks again! It’s a great tool.

    1. The monitoring mode should send off an alert once a day when threats are found, it is dispatched as part of cron.daily which runs typically at 4AM on most servers. Was the quarantined event found before or after 4AM? if after you can then expect the alert in the following mornings cron run. You can manually invoke an alert by running the following command:
      /usr/local/maldetect/maldet --alert-daily

      You should also verify that a valid email address is set in the conf.maldet config file.

      1. Ryan, Thanks for your reply.

        I have verified the email address was correct and the email report was delivered while using the folder scanning function, but it is not working for the daily report.

        Is there any debug option I can check with it please?

  47. We installed LMD on few servers and it’s working great. Recently one of our sites uploaded with “Syrian Shell” based on PHP. LMD is not able to detect it. So we sent shell script to you. Please generate signature for that.

  48. Hi I have a website that was recently hacked. So was delighted to see this product. As I thought I could use it to do offline scans if I download the website files.

    Placed on the server was c100.php, r58.php, and r57.php. I downloaded the entire site and scanned the specific directory that the above three files were in with maldet, but it did not detect them.

    I see you have above that some of these scripts are detectable. What am I doing wrong?

    Thanks.

  49. after updating to 1.4.0 the scan report says it found many files but it doesn’t quarantine or delete them, and I have the option in config set to 1 = quarantine.

    please fix this in 1.4.1, the issue exists on 5 different servers.

    1. We are not seeing this reported by anyone else or on the over 250 servers that I personally run LMD on, please consider a fresh reinstall. Do an rm -rf /usr/local/maldetect* then download the latest build and do a clean install that way.

  50. Hi all,

    please is there any project Actively to scan and remove malware , trojan, or any threat on all file uploads within user accounts regardless of how they were uploaded

    please advise me .

  51. I have some false-positives that are identified as {SA}stat.strlength. I added stat.strlength to ignore_sigs, but maldet is still identifying the files and send the email alert as a result.

    Is there something else other than adding the signature to that file that I need to enable so that it is honored? I also tried adding the {SA} part, but it made no difference.

    Thanks,

    John

    1. Please run maldet -d or --update-ver to get the latest build. There was an issue in the build that went out during auto updates last night that enabled a new feature by default, string_length_scan=1 in conf.maldet, read the description in the conf file regarding it for more details.

      So, basically just run maldet -d and it will update your install and set the feature disabled. The reason you are unable to ignore it through the standard ignore_sigs file is that it is not an individual signature but an independent scanner routine apart from the signature files.

    1. Not all matches within the base64.inject.unclassed category can be cleaned. Please go ahead and submit a few of the files with lmd -c and i will have a look.

  52. hi, when i try to install i get the following error. thank you for your effort 🙂

    ~/maldetect-1.3.9$ sudo sh install.sh
    Linux Malware Detect v1.3.9
    (C) 2002-2011, R-fx Networks
    (C) 2011, Ryan MacDonald
    inotifywait (C) 2007, Rohan McGovern
    This program may be freely redistributed under the terms of the GNU GPL

    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet

    .: 90: .ca.def: not found

          1. try run:
            # /usr/local/maldetect/maldet

            If that works then the issue is with the shell you are using (try run bash to spawn a bash shell) or your $PATH variable. You could try symlink maldet to /usr/sbin like so:
            ln -s /usr/local/maldetect/maldet /usr/sbin

            Or edit /usr/local/sbin and /usr/local/bin into your $PATH variable.

          2. thanks ryan it works now:) but i find it odd that i have to run it with sudo or it won’t find the command :S but with sudo everything works 🙂

  53. Hi,

    is there a way to get a short overview of the scan result as an email ?

    I get only the full output of the scan, and that’s not what I want.

    Thanks.

  54. Hello,
    I ran clamscan on one of our client’s vps with 800+ cpanel accounts and received 830 infected files which I quarantined to a folder.

    I ran LMD on those files and only 30 or so were detected by LMD.

    I am uploading the remaining infected files using the -c option. Is there anyway to upload multiple files (other than archiving them ? )

    I am currently using

    # iterate over the directory entries themselves so maldet receives a
    # usable path rather than the bare file name that `ls` prints
    for f in infectedfiles/*; do
        maldet -c "$f"
    done

    1. These are a different kind of malware than LMD traditionally detects; HTML iframe/js injection abuses. Although LMD is capable of detecting such, the focus is on actual binary/scripted malware programs.

      16 HTML.Iframe-30
      266 Exploit.HTML.IFrame-6
      368 HTML.Nimda

      The majority of the malware uploaded by you is HTML/Iframe/JS abuses. This is not to say that LMD is not suited to this kind of malware, in fact it very much is and the cleaner engine is capable of stripping this malware from files. It is just that it is a time consuming area to maintain on top of regular updates.

      I will go ahead and make signatures and cleaner rules for these uploaded files and they will push out in the next signature update. Likewise, please use the -d option to make sure your install is currently up to date, so you are detecting threats with the latest build.

      The next release I will also see to it that the -c option can take an input file list or a directory if provided, instead of the current file-by-file upload.

  55. Hello,
    When i try to run a scan with the following command:
    maldet --scan-recent /home?/?/public_html 5

    I am getting the following errors,
    what am i doing wrong ?
    : command not found/conf.maldet: line 11:
    : command not found/conf.maldet: line 18:
    : command not found/conf.maldet: line 21:
    : command not found/conf.maldet: line 25:
    And so on..

    1. This seems like you may have typos that are breaking conf.maldet? Please consider deleting /usr/local/maldetect and performing a clean reinstall. Also, what distro and shell are you running?

      1. Indeed there were spaces between the lines, this error is solved now.
        But now i try to run “maldet --monitor users”
        and i am getting the following error:
        “)syntax error: invalid arithmetic operator (error token is ”

        What am i doing wrong ?

          1. The newest distro of LMD,
            Shell version: version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
            On CentOS 5.5 x86_64

  56. It appears maldet has stopped sending email reports after running from cron since the last signature update.
    A few lines from event_log show it worked before signature set (201103309634) but not after.

    Mar 30 04:02:20 peter maldet(4446): {scan} building file list for /domains/*/*/www of new/modified files from last 7 days, this might take awhile…
    Mar 30 04:02:33 peter maldet(4446): {scan} file list completed, scanning 41046 files…
    Mar 30 04:02:40 peter maldet(4446): {hexstring} malware hit {HEX}gzbase64.inject.unclassed.14 on /domains/a/somedomain.com/www/phpspellcheck/core/php/engine.php
    Mar 30 04:50:32 peter maldet(4446): {scan} scan completed on /domains/*/*/www: files 41046, malware hits 1, cleaned hits 0
    Mar 30 04:50:32 peter maldet(4446): {scan} scan report saved 'maldet --report 033011-0402.4446'
    Mar 30 04:50:32 peter maldet(4446): {scan} quarantine disabled; set quar_hits=1 in conf.maldet or run 'maldet -q 033011-0402.4446' to quarantine results
    Mar 30 04:50:32 peter maldet(4446): {alert} sent scan report to [email protected]****.com
    … truncated …
    Mar 31 04:02:44 peter maldet(25027): {scan} building file list for /domains/*/*/www of new/modified files from last 7 days, this might take awhile…
    Mar 31 04:02:59 peter maldet(25027): {scan} file list completed, scanning 8646 files…
    Mar 31 04:12:28 peter maldet(25027): {scan} scan completed on /domains/*/*/www: files 8646, malware hits 0, cleaned hits 0
    Mar 31 04:12:28 peter maldet(25027): {scan} scan report saved 'maldet --report 033111-0402.25027'
    … truncated …
    Mar 31 13:00:15 peter maldet(26209): {scan} building file list for /domains/*/*/www of new/modified files from last 7 days, this might take awhile…
    Mar 31 13:00:28 peter maldet(26209): {scan} file list completed, scanning 6956 files…
    Mar 31 13:09:13 peter maldet(26209): {scan} scan completed on /domains/*/*/www: files 6956, malware hits 0, cleaned hits 0
    Mar 31 13:09:13 peter maldet(26209): {scan} scan report saved 'maldet --report 033111-1300.26209'

    Any ideas on how to get this feature back? 🙂

    Thanks for a wonderful program to btw.

    1. The maldet email reports are only sent if there is a recorded malware hit or cleaned event, from your logs it would appear as though neither is the case:
      Mar 31 13:09:13 peter maldet(26209): {scan} scan completed on /domains/*/*/www: files 6956, malware hits 0, cleaned hits 0

      So in short, maldet is simply doing what its intended to do, only send the email alert when it has encountered an event.
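To make the alert condition in the reply above concrete, here is an added example (not LMD's own code) that reads event_log lines in the format quoted in this comment and lists the report ids of scans that would have triggered an email, i.e. those whose completion line shows a non-zero malware or cleaned hit count. The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of LMD: decide from event_log lines which scans
# would have produced an alert (malware hits > 0 or cleaned hits > 0).

# Constructed sample log in the format shown in the comment above.
sample_log() {
cat <<'EOF'
Mar 30 04:50:32 peter maldet(4446): {scan} scan completed on /domains/*/*/www: files 41046, malware hits 1, cleaned hits 0
Mar 30 04:50:32 peter maldet(4446): {scan} scan report saved 'maldet --report 033011-0402.4446'
Mar 31 04:12:28 peter maldet(25027): {scan} scan completed on /domains/*/*/www: files 8646, malware hits 0, cleaned hits 0
Mar 31 04:12:28 peter maldet(25027): {scan} scan report saved 'maldet --report 033111-0402.25027'
Apr 01 04:09:13 peter maldet(26209): {scan} scan completed on /domains/*/*/www: files 6956, malware hits 0, cleaned hits 2
Apr 01 04:09:13 peter maldet(26209): {scan} scan report saved 'maldet --report 040111-0402.26209'
EOF
}

# Read log lines on stdin; print the report id of every scan whose completion
# line shows malware hits > 0 or cleaned hits > 0. The maldet(PID) field ties
# the "scan completed" line to the "scan report saved" line of the same run.
alerting_reports() {
    awk -v q="'" '
        /[{]scan[}] scan completed on/ {
            pid = $5; sub(/^maldet[(]/, "", pid); sub(/[)]:$/, "", pid)
            m = $0; sub(/.*malware hits /, "", m); sub(/,.*/, "", m)
            c = $0; sub(/.*cleaned hits /, "", c)
            alert[pid] = (m + 0 > 0 || c + 0 > 0)
        }
        /[{]scan[}] scan report saved/ {
            pid = $5; sub(/^maldet[(]/, "", pid); sub(/[)]:$/, "", pid)
            id = $0; sub(/.*--report /, "", id); sub(q ".*", "", id)
            if (alert[pid]) print id
        }'
}

# Space-joined list of alerting report ids for the sample log.
alerting_report_ids() {
    sample_log | alerting_reports | tr '\n' ' ' | sed 's/ $//'
}

echo "scans that would have alerted: $(alerting_report_ids)"
```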

  57. Can this be installed on shared servers?

    I have changed the inspath to my local dir but it gives errors on creating symbolic links, read only on /usr/lib/, and finally /usr/local/maldetect/conf.maldet not found

    thanks for any help

    1. It is not really intended to be installed in a non-root environment, please ask your web host to install it. However, I will look into making this possible and a supported feature shortly.

  58. There is no way to run monitor on 64-bit server – check this

    file files/inotify/inotifywait
    files/inotify/inotifywait: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped

  59. Hey,

    Great tool, but have problem with monitor element, everything seems ok but i cant run it properly:

    Linux xxx 2.6.26-1-686 #1 SMP Fri Mar 13 18:08:45 UTC 2009 i686 GNU/Linux

    inotifywait works:
    /usr/local/maldetect/inotify# ./inotifywait
    No files specified to watch!

    but after:
    maldet -m /home/www/XXX/www/

    I get this error:
    maldet(8245): {mon} set inotify max_user_instances to 128
    maldet(8245): {mon} set inotify max_user_watches to 46080
    maldet(8245): {mon} added /home/www/XXX/www/ to inotify monitoring array
    maldet(8245): {mon} starting inotify process on 1 paths, this might take awhile…
    maldet(8245): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
    Nothing in the log though

    1. Please submit this file for review with the -c option
      i.e: maldet -c /path/to/file/sql.php

      This will allow me to review and hash the file for future detection, thank you.

    1. False positives are usually a case of LMD detecting poor coding practices in PHP scripts, you can set signatures that become problematic for false positives to be ignore through the signature ignore file, review the README file for further details.

  60. Hello,

    Thanks for this great software.

    I can monitor specific users and files at a time using the real time monitoring, right? but if I want to stop an inotify watch for a specific user or file, how can I do that? the option -k will kill all the tasks, right?

    Thanks a lot!

    1. There is no option to specifically terminate individual inotifywait processes, you would need to do this manually with the ps command and terminate the intended process id for the process you are looking for.

  61. Minor detail, but I request/suggest this change to the view_report() section of the main maldet executable;

    if [ "$rid" == "" ] && [ -f "$sessdir/session.last" ]; then
        rid=`cat $sessdir/session.last`
        $EDITOR $sessdir/session.$rid
    elif [ -f "$sessdir/session.$rid" ]; then
        $EDITOR $sessdir/session.$rid
    fi

    Essentially, I’m requesting that you replace ‘nano’ with ‘$EDITOR’ or ‘$VISUAL’ so that sysadmins (like myself) who rely on vim (or specify an editor in .bashrc or .bash_profile) can use the correct editor via maldet --report

  62. Is there a way we can submit things to you?

    I have an encoded version of the web shell.
    I have found and a encoded JavaScript file that was placed on my server that LMD does not detect. Would that interest you?

  63. The hackers I’m dealing with execute php/js code injections AND change the timestamp on the files they touch to be far in the past to avoid the “time delta” detection that you mentioned.

    So scanning recent files will fail.

    Until you add the ability to filter file types, I will just recursively copy all php and js files to a temporary directory and run maldet on that directory to bypass all the image scans.

  64. Great work! Really helped me find the last issues on my servers.

    But is there anyway to tell maldet to NOT scan certain file types like .jpg?

    The reason is, it takes 3 full days for maldet to scan my server and that’s on a SSD drive! It’s just too slow to do a daily scan with this many image files.

    If I could tell it to scan .php and .js files only, I could then scan more frequently, and only do a full scan including images once in a while.

    I’m way too scared to attempt to use the inotify_watch feature of maldet, I think it would blow me out of the water resource wise with this many files to monitor.

    Any ideas on how I can use this tool better with the above issues? Donation on the way….

    1. Jake,
      There is no need to scan the entire server daily, on installation maldet installs a cronjob in /etc/cron.daily/ that will scan only the most recent file modifications and additions to the server in the last 24h, these scans on even the busiest of servers should take very little time and it allows maldet to maintain a baseline protection on the server from the point of installation.

      There is at present no way to ignore files by extension but I will work on adding that as a feature very soon. I understand the scan times can be tediously slow when scanning an entire server, there is a lot of work still to be done on scan performance but a contributing factor is also that we hash compare files against known threats and then also analyze the hex payload of files against the threat database, this two stage process is not the fastest but it is incredibly accurate.

  65. Ryan :
    Thank you, it’s a great project, keep up the good work.
    When testing your project to compare to our current one I noticed something that appears to be a bug:
    when trying to quarantine files, some of them failed because the file name includes a space.
    Ex:/home/work/shell.1/PHP Remote Explorer.php
    also some shells captured by clamav cannot be captured by LMD 🙁 I wish you would integrate more sigs ..
    Ex:
    /home/work/shell.1/SecurityCriminals.php: PHP.Shell FOUND
    /home/work/shell.1/mass.txt: Perl.Defacer FOUND
    /home/work/shell.1/phpspy.php: PHP.PhPen.C FOUND
    /home/work/shell.1/phpjackal1.3.php: JS.Crypt-1 FOUND
    /home/work/shell.1/r57shell2.php: PHP.Shell-10 FOUND
    /home/work/shell.1/uploader.php: JS.Crypt-1 FOUND
    Thank you ,

    1. Hello,
      The project has a over 5,000 signatures and many of which no other projects currently detect, however there is situations where ClamAV will detect things that are not yet in the LMD project and similarly ClamAV misses things that are in the LMD project, it works both ways. I try to share contributions and signatures with the ClamAV team and in turn I try to keep current on new malware signatures they release as well but its a constant struggle and sometimes things are missed. The best thing you could do in these situations is use the “-c” flag to send files that are malware or suspected malware to the rfxn.com servers and we will hash and signature them for inclusion into the database i.e: maldet -c /home/work/shell.1/SecurityCriminals.php.

  66. I had a similar error as some previous posters. When trying to start the monitor I would receive

    “{mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.”

    The reason for this was the ‘max_user_watches’ variable was being set to 0.

    {mon} set inotify max_user_instances to 128
    {mon} set inotify max_user_watches to 0

    The code for setting users is users_tot=`cat /etc/passwd | grep -ic home`

    inotify_user_watches=$[inotify_base_watches*user_tot]

    Changing the calculation for users_tot fixed the ‘no processes’ problem. Check to see, if like myself, your /etc/passwd has no instances of home.
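The calculation described in this comment, reproduced as an added example (not LMD's own code): the user count derived from grepping /etc/passwd for "home" drops to 0 on a host whose users live elsewhere, and the watch budget collapses with it. The passwd content and the base watch value are constructed for the example; the guarded variant floors the count at one user.

```shell
#!/bin/sh
# Added example, not part of LMD: reproduce the watch-budget calculation
# from the comment above and show a variant that cannot collapse to zero.

# Constructed /etc/passwd content: no line contains "home", which is the
# condition that produced "max_user_watches to 0" in the report above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www1:x:1001:1001::/srv/www/www1:/bin/sh
www2:x:1002:1002::/srv/www/www2:/bin/sh'

# Constructed per-user base; the real value is whatever the installed maldet uses.
BASE_WATCHES=8192

# Count as the original snippet does: passwd lines mentioning "home".
# grep -c prints 0 and exits 1 when nothing matches, so force success.
count_home_users() {
    printf '%s\n' "$1" | grep -ic home || true
}

# Count accounts that can actually log in: a home directory is set and the
# shell is not a nologin/false stub. Field 6 is the home, field 7 the shell.
count_login_users() {
    printf '%s\n' "$1" | awk -F: '
        $6 != "" && $6 != "/" && $7 !~ /(nologin|false)$/ { n++ }
        END { print n + 0 }'
}

# Budget as the original computes it: base * users, no guard.
naive_budget() {
    echo $(( $1 * $2 ))
}

# Guarded budget: never below one user's worth, so inotifywait always
# receives a usable limit even on a host with an unusual /etc/passwd.
safe_budget() {
    users=$2
    [ "$users" -ge 1 ] || users=1
    echo $(( $1 * users ))
}

demo() {
    home_users=$(count_home_users "$SAMPLE_PASSWD")
    login_users=$(count_login_users "$SAMPLE_PASSWD")
    echo "home-based count: $home_users -> naive budget $(naive_budget "$BASE_WATCHES" "$home_users")"
    echo "login-based count: $login_users -> safe budget $(safe_budget "$BASE_WATCHES" "$login_users")"
}

demo
```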

  67. I’m excited to try this, but I’m sorry, I just can’t find anything that tells how to use this. Nothing on this site and nothing in the readme. And I can’t find anything that talks about how to install it or what really to do. Any kind of reference to installation or usage would be really great.

  68. Hi Ryan,

    I just noticed that real time monitoring stops when the file inotify_log reaches 2 GB. Is there a fix for this ?
    Or, I could just make a little script, put it in cron, to kill maldet, delete the file and start maldet again ?

  69. Hi,
    Very interesting tool that we’re adding to our collection of anti-bad-guys scripts. One question though, we were dealing today with a specific Joomla hack where a 1×1 frame gets injected in indexes, and LMD fails to detect it. I understand the idea is that that kind of code *could* be legitimate, but is there a way for us to add a custom signature for it to detect?
    Keep up the good work !

    1. Please check out the cleaner rules under /usr/local/maldetect/clean/ , generally speaking you could make a cleaner rule and associated signature that detects the offending iframe code and cleans it from files. Please email me ryan#rfxn.com a sample of the iframe code and I would be glad to add the rules for you.

  70. Hello and thank you for reply.
    I have access to physical node and I’ve set up a high value for max_user_instances.
    Now is working properly.
    Great work with this tool.



  71. It seems setting sys_rawio or any other combination of capabilities with vzctl does not allow for tuning /proc entries. So, this is all a moot topic now, I think you would have to get your provider or if you control the host node, set the max_user_instances value high and it should, I believe, be reflected inside the virtual container.

    My experience with openvz is limited at best so this is all just food for thought. I would recommend simply allowing maldet to run as default, with its daily cronjob scanning the last 24h of changes on the file system.



  72. “sys_rawio” should be used with caution as, according to Parallels, “assigning this capability to non-trusted Virtual Environment could lead to compromising the Hardware Node”. You can find references to this, and to what threat level this is, in VZUerGuide.pdf, which is easily obtainable.

  73. The problem here is that you are running out of file watches, so although inotifywait starts, it eventually reaches the limit on files it is allowed to watch. You need to be able to configure the value of /proc/sys/fs/inotify/max_user_watches which maldet is trying to increase for you when it starts to prevent this issue but is unable to.

    I am not an expert on openvz but you could try granting the container rawio access and see if that helps:
    vzctl set VEID --capability sys_rawio:on --save



  74. The monitoring mode is it working in a Openvz container ?
    I have CentOS 2.6.18-164.2.1.el5.028stab066.7 and in container I get this errors:

    maldet(15610): {mon} set inotify max_user_instances to 128
    /usr/local/sbin/maldet: line 850: echo: write error: Operation not permitted
    maldet(15610): {mon} set inotify max_user_watches to 4792320
    /usr/local/sbin/maldet: line 852: echo: write error: Operation not permitted

    This is normal, from container I can not write in /proc folder. It is interesting that the inotifywait process starts, but after a while it fails.
    Any solution for this ?

  75. As long as you’re not trying to maldet -a the entire file system at once, there is no problem. I would simply install maldet and let it do its regular daily scans of changes within the last 24h and it will maintain the system malware free from point of install.

    Please remember, maldet defaults to installing a cronjob that will daily check for signature updates and run a scan of all modified files within 24h and if there are any events, dispatch an email alert.


    Smoge:

    Do you think there would be any issues using Maldetect on a filesystem with 10 million files?

  76. Denis,
    When maldet is installed it also installs a cronjob that will scan the server daily for file changes within the last 24hrs; this is intended as a supplement to monitoring mode. If the cronjob detects monitoring mode running, it will issue a daily report for any monitoring mode actions; otherwise the daily manual scan will be issued for the 24hr modified files, then a report if there were any hits.

    If you do run monitoring mode, you should see a single inotifywait process in the process tree, if this is not visible then monitoring mode is not working for you. To have monitoring mode start on boot, simply insert your desired monitor mode command into /etc/rc.local and it will execute on every subsequent boot. When you start maldet in monitoring mode for users (maldet --monitor users) it will monitor all user paths in addition to /tmp , /var/tmp and /dev/shm, so manually adding these paths is not required.

    As a first scan option, generally we would recommend something in the order of:
    maldet -r /home/?/public_html 7

    This will scan all user web paths for malware created within the last 7 days, on file systems with lots of files (100,000+), any larger scans could take a very long time.

    So, case in point, monitoring mode is an added feature; it is by default not required. The default and recommended setup is that maldet will daily on its own check for signature updates and scan the file system for all changes within the last 24h and send a report if there are any hits. The monitoring mode feature is still considered experimental; though it is stable, the problem is that inotify support is not reliably available to all systems.


    Denis:

    Hey Ryan

    I have installed maldet on all of our centos5.5 cpanel servers. I will run a maldet -a tonight to do a thorough scan as there are 500k files on each server and that’s gonna take a while.

    Now my question relates to future monitoring options. The kernel we use (rhel/centos) does support inotify and it’s enabled in the maldet conf. However I don’t think I’ve ever seen the inotify process running

    Do we need to start maldet in monitoring mode after every server reboot or is there a better way of doing it ? Like putting “maldet -m” in an init.d folder ??

    Also would it be safe to monitor /tmp as well as entire /home ie. “maldet --monitor /home,/tmp” OR would this take too many resources since there are 500k files on /home partitions .. should I stick with simply running “maldet -r /home 2” –

    Which would be less resources intensive and less likely to stop monitoring without us noticing eg. I’m worried that if inotify is not doing its job and I don’t notice it for a while (since there’s nothing monitoring whether it’s running) I’ll miss something important like a backdoor being uploaded

    Cheers
    Denis

  78. This is normal, the cleaner rules are rules that contain elements of malware in order to clean valid malware files. LMD is not designed to scan its own installation folder. There is nothing to be concerned with and there is no compromise to the installation files.


    teresa:

    Hi,
    I just downloaded and ran LMD, and it seemed to report malware within its own folders – is this normal, or did I download a compromised version?

    FILE HIT LIST:
    {HEX}gzbase64.inject.unclassed.14 : /home/tkcy/Desktop/maldetect-1.3.6/files/clean/gzbase64.inject.unclassed

    I also see under
    /usr/local/maldet/clean
    the following files:
    base64.inject.unclassed gzbase64.inject.unclassed

    Thanks,
    Teresa

  80. Ryan,

    Thanks again for the script. Just wanted to let you know it caught a hack attempt for me today. Someone had managed to get a base64 encoded upload script onto our server. We wouldn’t have known without your script.

    If anyone is trying to decide if they should use this script, I give it a big THUMBS UP.

  81. Denis:

    hey mate great app ..quick question.

    When I manually run the app in the CLI, I get an email report, but the daily cron doesn’t send an email report, it just does its thing and no email report..

    Any way to get the report from the daily crons ??

    Cheers
    Denis

    1. The daily cron will only send an email report when a malware hit is found, if there are no hits it will not send a report.

  82. Brandon R.:

    I am trying to get LMD to run on Mac OS X. When I initiate the command to scan a certain directory I get the following message and it freezes:

    maldet(6131): {scan} signatures loaded: 4609 (2992 MD5 / 1617 HEX)
    maldet(6131): {scan} building file list for /Users/brandon/Desktop/weekly, this might take awhile…
    maldet(6131): {scan} file list completed, scanning 5976 files…
    maldet(6131): {scan} 1/5976 files scanned: 0 hits 0 cleaned

    I see nothing special in the logfile which may indicate a problem.

    Any ideas on how to use LMD on a Mac?

    1. LMD is not yet fully supported on Mac OS X, it is a work in progress and I hope to have Mac/BSD support shortly, thank you for your patience.

  83. Owes Khan:

    Hi,

    It does not scan file names having “\” :-

    maldet --scan-all /home/admin/public_html/\voice.php.php
    Linux Malware Detect v1.3.6
    (C) 2002-2010, R-fx Networks
    (C) 2010, Ryan MacDonald
    inotifywait (C) 2007, Rohan McGovern
    This program may be freely redistributed under the terms of the GNU GPL v2

    maldet(2594): {scan} invalid path /home/admin/public_html/voice.php.php

    The actual file name is “\voice.php.php”, the backslash is part of the file name.

    Thank you.

    1. You should provide LMD with an absolute directory path to the files you want to scan, then it will scan all files inside the path irrespective of special characters in the names; i.e: maldet -a /home/admin/public_html/
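
The shell, not maldet, removed the backslash: an unquoted `\v` is just `v`, so maldet was asked for a file that does not exist, which is exactly the path shown in the "invalid path" line. Names like this are also easy to drop in hand-written loops and scripts, which is another reason to scan by directory as the reply recommends. The helper below, an added example rather than anything from LMD, lists files under a web path whose names contain shell-significant characters so they can be reviewed separately; the argument convention and the character set are its own assumptions.

```sh
#!/bin/sh
# Added example, not part of LMD: find files under a web path whose names
# contain characters the shell treats specially (backslash, whitespace,
# control characters, a leading dash). Output is NUL-delimited so a name
# containing a newline cannot split into two entries.
# Assumed: the directory to check is passed as the first argument.

odd_names() {
    # In find's pattern syntax a literal backslash is written as \\; the
    # single quotes keep the shell from touching it before find sees it.
    find "$1" -type f \( -name '*\\*' -o -name '*[[:space:]]*' \
        -o -name '*[[:cntrl:]]*' -o -name '-*' \) -print0
}

count_odd_names() {
    # Count NUL separators rather than lines, for the same reason.
    odd_names "$1" | tr -dc '\000' | wc -c | tr -d ' '
}

if [ "$#" -gt 0 ]; then
    echo "$(count_odd_names "$1") file(s) with shell-significant names under $1"
    odd_names "$1" | tr '\000' '\n'
fi
```

Run as `sh odd-names.sh /home/admin/public_html`. Whether maldet accepts a single file as the scan target is not stated in this thread; what the output above does show is that, without quoting, the name never reached it intact, so when a single name has to be passed to any tool, quote it: `'/home/admin/public_html/\voice.php.php'`.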

  84. MaN oF sAdNess:

    Does LMD support checking the /var/lib/mysql folder, as some malicious software and php shells inject files into some sites’ DBs, especially those of vBulletin forums, and move some parts of the forum style into a php shell ….

    1. It would be very dangerous to run LMD inside of /var/lib/mysql, what we could do though is create an LMD module that connects to mysql and inspects the contents of databases for signs of malicious injections. I have added this to my todo list and will explore it further for the next LMD release, thank you for your input.


  85. Ryan M.:

    Add the desired maldet command into /etc/rc.local and it will start at boot time.

    newbie: Hi: If you could provide, or where can I find, a sample to let me make a maldetect service script, so it can run at boot? Thank you

    I added it to crontab as “@reboot” and it works like charm .
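
Denis's worry earlier in the thread (nothing checks that inotifywait is still running) and the /etc/rc.local and @reboot suggestions in this comment point at the same fix: start monitoring mode from cron, and have the same job restart it when the process is gone, so a silent death shows up in cron's mail instead of going unnoticed. The watchdog below is an added example, not part of LMD; it assumes maldet is installed at /usr/local/sbin/maldet (the path shown in the error output earlier in the thread) and that monitoring is started with `--monitor users`.

```sh
#!/bin/sh
# Added example, not part of LMD: cron watchdog for maldet monitoring mode.
# Assumed: maldet at /usr/local/sbin/maldet, started with "--monitor users".
# Install from root's crontab; @reboot covers the boot case and the periodic
# entry covers a dead inotifywait, with no rc.local edits needed:
#   @reboot      /usr/local/sbin/maldet-watchdog.sh run
#   */10 * * * * /usr/local/sbin/maldet-watchdog.sh run
# Anything the job prints is mailed by cron, so every restart is recorded.

MALDET=${MALDET:-/usr/local/sbin/maldet}
MONITOR_ARGS=${MONITOR_ARGS:-"--monitor users"}

monitor_running() {
    # Monitoring mode shows up as a single inotifywait process; -x matches
    # the process name exactly so unrelated helpers are not mistaken for it.
    pgrep -x inotifywait >/dev/null 2>&1
}

ensure_monitor() {
    # usage: ensure_monitor CHECK_CMD START_CMD [ARGS...]
    # Returns 0 if CHECK_CMD already succeeds, 1 if START_CMD had to run.
    # Both commands are parameters so the logic can be exercised without
    # a real maldet install; the "run" branch below supplies the real ones.
    if "$1"; then
        return 0
    fi
    shift
    echo "$(date '+%F %T') inotifywait not running, starting: $*"
    "$@"
    return 1
}

if [ "${1:-}" = "run" ]; then
    # $MONITOR_ARGS is deliberately unquoted so it splits into two words.
    ensure_monitor monitor_running "$MALDET" $MONITOR_ARGS
    exit 0
fi
```

The daily cron job that maldet installs keeps scanning the last 24h of changes whether or not monitoring mode is up, so the watchdog closes the gap between the two rather than replacing either.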

  86. I have installed this on an OES2 server (basically a SLES 10 SP3 server). When I try and scan I’m getting zero results returned although there are files in the folders I’m trying to scan. For example:
    Web_Srv1:/home/mjones # /usr/local/maldetect/maldet -a /home
    Linux Malware Detect v1.3.6
    (C) 2002-2010, R-fx Networks
    (C) 2010, Ryan MacDonald
    inotifywait (C) 2007, Rohan McGovern
    This program may be freely redistributed under the terms of the GNU GPL v2

    maldet(1765): {scan} signatures loaded: 4426 (2809 MD5 / 1617 HEX)
    maldet(1765): {scan} building file list for /home, this might take awhile…
    maldet(1765): {scan} scan returned zero results, please provide a new path.

    Not sure what im doing wrong.

    Thanks
    mark

  87. maldet --monitor users as well as doing the path doesn’t seem to stick. I.e. it runs, but then nothing in the process monitor or where I would expect to find it in cron. This is on the latest CentOS 5.5 64-bit.

  89. Hi,

    It’s being a bit weird.

    /usr/local/maldetect/inotify# inotifywait
    bash: inotifywait: command not found

    /usr/local/maldetect/inotify# ./inotifywait
    bash: ./inotifywait: No such file or directory

    But it actually does exist.

    /usr/local/maldetect/inotify# ls
    inotify_log inotifywait libinotifytools.so.0 tlog


    Ryan M.:

    This could be an issue with the static compiled inotifywait process, try execute the binary at the following path and see if it produces an error:
    # /usr/local/maldetect/inotify/inotifywait


    Jason:

    I’m also getting the same error as mp
    maldet(28915): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
    Log file is empty.
    #uname -a
    Linux hostname 2.6.29.5-grsec-hostnoc-4.2.0-x86-64-libata #1 SMP Thu Jul 9 00:46:42 EDT 2009 x86_64 GNU/Linux

  90. This could be an issue with the static compiled inotifywait process, try execute the binary at the following path and see if it produces an error:

    # /usr/local/maldetect/inotify/inotifywait


    Jason:

    I’m also getting the same error as mp

    maldet(28915): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.

    Log file is empy.

    #uname -a
    Linux hostname 2.6.29.5-grsec-hostnoc-4.2.0-x86-64-libata #1 SMP Thu Jul 9 00:46:42 EDT 2009 x86_64 GNU/Linux

  91. There is no need to monitor the /sbin or /bin directory with maldetect. However, you should try use real-time monitoring on web paths when possible but if you can not, the daily cron job will take care of things for you by scanning all files created in the last 24hours.

    To monitor all users, use the following option:
    maldet -m users


    newbie:

    Hi:

     Do you suggest or agree that I should use -m to monitor some dirs like /sbin, /bin… or the web dir in real time to detect infected or injected files?

    Thank you

  94. Ryan,

    For the benefit of others that read our conversation below, I wanted to point out that what I called “false positives” really aren’t a big deal. When I first installed LMD, I scanned all my files, but now it only scans files changed in the last 2 days. Those programs that I trust, but behave badly in LMD’s eyes, aren’t changed, so they don’t keep bugging me.

    Looks like you’ve got a good thing going here Ryan. Thanks!

  95. Can you throw me the output of uname -a (you can censor the hostname).


    mp:

    Fantastic tool.

    Can’t seem to start in iNotify mode though, I get “no inotify process found, check inotify.log” which, when I do, is empty.

    clues? CentOS 5.5 w/WHM

    MP

  97. Add the desire maldet command into /etc/rc.local and it will start at boot time.


    newbie:

    Hi:

     If you could provide, or where can I find, a sample to let me make a maldetect service script, so it can run at boot?

    Thank you

  99. You can safely delete items from the quarantine and when running a restore, if the file is no longer present in the quarantine, it will be ignored.

    I should also stress that these are technically NOT false positives; in your case however they most definitely are, and the difference is a matter of semantics. I do know those rules do cause some headaches for people but generally speaking, they are frowned upon coding habits and the rules provide more value than they do headaches.

    The ignore_paths file will ignore an absolute path or a partial path. So for example if you enter /home/mike/public_html into ignore_paths, it will ignore everything under the public_html folder for that user, or you could put an absolute path to a specific file and it will just ignore that file only.


    Corry:

    I feel bad, turning your comments into a support thread, but maybe it will help someone else too.

    I should have mentioned that there were 3 real hits in with my 51 false positives. To me, that makes it worth it to deal with the FPs. Could I have deleted the quarantine files for the real hits, then restored the rest by running the -s with the scan id?

    I don’t want to disable a signature because I might need that detection later.

    A suggestion would be to have the ignore file update automatically (or with a command line switch) when a file is restored. Does the ignore path follow all the way to a file name, or only to the directory?

    The reason I had trouble with the config was that I edited the copy in the “files” directory instead of “/usr/local/maldetect/conf.maldet”

  101. You can restore the files for an entire scan by using the SCANID value from the report, i.e:
    maldet -s 081110-1135.28460

    Make sure you have set quar_hits=0 in conf.maldet if you want to disable the quarantine option, there is no known issue at present with the toggle option. I will however do some digging to make sure there is no issue.


    Corry:

    Thanks for the reply, and thanks for the software. I’ll see if I can get my boss to send you a donation. :-)
    I had several installs of the same gallery, so I had several files like check_imagemagick.php.1683 and check_imagemagick.php.4863 (I made up the numbers, but you get the idea.).
    I tried restoring them with a command like maldet -s /usr/local/maldetect/quarantine/check_imagemagick? but it didn’t like the wildcard, I guess.
    Instead, I wrote a bash script, and copied that line and cut and pasted each filename to restore. I ran the script and it restored them.

    I had set my config file to quarantine automatically and to send me an email. I opened my conf.maldet file and it looked like the default, even though it had worked. I then edited it, leaving the setting on not quarantine automatically, to send the email, and I put my email address in again. I ran a -r 2 (recent 2 days) scan and it quarantined files instead of just notifying me. What did I do wrong?


    Ryan M.:

    You can ignore the specific paths…
    OR
    You can ignore the specific rules…

    Corry:
    I have installed and executed your application. …

  103. You can ignore the specific paths that the false positive hits are occurring in by placing the paths in:
    /usr/local/maldetect/ignore_paths

    OR

    You can ignore the specific rules by placing the signature name in:
    /usr/local/maldetect/ignore_sigs

    The signature name in the ignore_sigs file should be in the format of “php.exe.globals”, so omit the {HEX} or {MD5} and the .# portion of the signature name.


    Corry:

    I have installed and executed your application. It has found a large number of false positives. I use an application from ComDev that is encrypted, so it gets tagged with gzbase64.inject.unclassed.14
    I use Menalto’s Gallery and the setup tests some system configuration, so it gets tagged with php.exe.globals.203.
    I have a few places where I use “http” in an include, so those get tagged with php.include.remote.214. I can probably clean up the include remotes myself, and become a better developer in the process, but how do I prevent the other false positives?
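
This comment and the earlier one on ignore_paths (an absolute path to a single file, or a directory to skip everything under it) together specify the two ignore formats. The script below is an added example, not part of LMD: it parses FILE HIT LIST lines of the shape posted in this thread into candidate ignore_sigs and ignore_paths entries, and separates hits whose signature is on a known-false-positive list from the rest, so real hits like Corry's three are not silenced by mistake. The report lines it contains are constructed for the example, modelled on the ones posted above.

```sh
#!/bin/sh
# Added example, not part of LMD: derive ignore_sigs / ignore_paths entries
# from FILE HIT LIST lines and separate known false positives from real hits.
# ignore_sigs wants the bare signature name ("php.exe.globals": no {HEX}/{MD5}
# prefix, no trailing .N); ignore_paths wants an absolute path.

# Constructed sample report lines (not real output), in the thread's format.
SAMPLE_HITS='{HEX}gzbase64.inject.unclassed.14 : /home/tkcy/public_html/comdev/lib.php
{HEX}php.exe.globals.203 : /home/tkcy/public_html/gallery/setup/check_imagemagick.php
{HEX}php.exe.globals.203 : /home/tkcy/public_html/gallery2/setup/check_imagemagick.php
{MD5}php.cmdshell.unclassed.9 : /home/tkcy/public_html/uploads/shell.php'

sig_name() {
    # "{HEX}php.exe.globals.203" -> "php.exe.globals"
    printf '%s\n' "$1" | sed -e 's/^{[^}]*}//' -e 's/\.[0-9][0-9]*$//'
}

hit_lines() {
    # Keep only report lines of the form "{TYPE}name.N : /path".
    grep '^{[A-Z0-9]*}[^ ]* : /'
}

ignore_sigs_from() {
    # Report on stdin -> unique signature names, one per line.
    hit_lines | while IFS= read -r line; do
        sig_name "${line%% : *}"
    done | sort -u
}

ignore_paths_from() {
    # Report on stdin -> unique file paths, one per line. Review before
    # appending to ignore_paths: a directory entry silences everything
    # under it, and a real hit's path must never end up in the file.
    hit_lines | while IFS= read -r line; do
        printf '%s\n' "${line#* : }"
    done | sort -u
}

real_hits() {
    # usage: real_hits FP_SIG_NAME... ; report on stdin -> lines whose
    # signature name is NOT in the list of known-false-positive names.
    hit_lines | while IFS= read -r line; do
        name=$(sig_name "${line%% : *}")
        skip=0
        for fp in "$@"; do
            if [ "$name" = "$fp" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$line"; fi
    done
}

if [ "${1:-}" = "demo" ]; then
    echo "ignore_sigs candidates:"
    printf '%s\n' "$SAMPLE_HITS" | ignore_sigs_from
    echo "ignore_paths candidates:"
    printf '%s\n' "$SAMPLE_HITS" | ignore_paths_from
    echo "hits not covered by the FP list:"
    printf '%s\n' "$SAMPLE_HITS" | real_hits gzbase64.inject.unclassed php.exe.globals
fi
```

Feed it a saved report with `sh maldet-ignore.sh demo` replaced by a pipeline such as `ignore_paths_from < report.txt`; with the constructed input, the FP list `gzbase64.inject.unclassed php.exe.globals` leaves only the cmdshell hit, which is the one that should keep its quarantine entry. Ignoring by path is the narrower choice when a signature still has value elsewhere, which is the point Corry makes about not disabling a signature he might need later.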

  105. When trying to use monitor on a CentOS 5.5 64-bit server, I get the following error:

    no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors

    /usr/local/maldetect/inotify/inotify_log is empty.

    Ideas?

    Thank you.

  106. Hey Peter,
    If you take a look at the --help option you will see there is a --checkout feature, this can be used to upload malware that was not detected and I will review it.

    For false positives, please send me the exact signature string as it appears in the report output and if possible the file that generated the FP to ryan at rfxn.com , if the file is of a sensitive nature then describe its contents.

    You can ignore problematic signatures using the ignore options described in the README file under the heading “IGNORE OPTIONS”.
