Comments on: Linux Malware Detect http://www.rfxn.com  Linux Software & Blog Thu, 26 Jan 2012 07:01:13 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Ryan M. http://www.rfxn.com/projects/linux-malware-detect/#comment-23076 Ryan M. Thu, 26 Jan 2012 07:01:13 +0000 http://www.rfxn.com/?page_id=372#comment-23076 LMD provides a number of facilities for ignoring false positives including an ignore_paths file which a full path to the false positive file can be placed in or an ignore_sigs file where problematic signatures can be ignored entirely. I would recommend you advise your host to place the full path to your file into /usr/local/maldetect/ignore_paths and it should take care of the issue. What host are you using if I may ask? LMD provides a number of facilities for ignoring false positives including an ignore_paths file which a full path to the false positive file can be placed in or an ignore_sigs file where problematic signatures can be ignored entirely. I would recommend you advise your host to place the full path to your file into /usr/local/maldetect/ignore_paths and it should take care of the issue. What host are you using if I may ask?

]]> By: John http://www.rfxn.com/projects/linux-malware-detect/#comment-23072 John Thu, 26 Jan 2012 05:27:26 +0000 http://www.rfxn.com/?page_id=372#comment-23072 Need Help Please - Web hosting account suspended due to false positives from seo.classes.php I believe my web host supplier is runing your program and after loading up an oscommerce addon to my site my hosting account is automatically suspended due to a false positive from the seo.classes.php file? I've taken it up with the host two days in a row now but they run a low cost model and aren't big on customer service that requires any manual adjustments. I appreciate the fact that they probably have thousands of clients on their servers, but surely there is a way they can easily allow this file to not be automatically quarantined and the account suspended. It doesn't help my online rep. I would also suggest that the "Account Suspended" text be changed to something like "Site Offline". They are both technically correct but the latter is substantially less damaging. Any advice would be appreciated! Need Help Please – Web hosting account suspended due to false positives from seo.classes.php

I believe my web host supplier is runing your program and after loading up an oscommerce addon to my site my hosting account is automatically suspended due to a false positive from the seo.classes.php file?

I’ve taken it up with the host two days in a row now but they run a low cost model and aren’t big on customer service that requires any manual adjustments. I appreciate the fact that they probably have thousands of clients on their servers, but surely there is a way they can easily allow this file to not be automatically quarantined and the account suspended. It doesn’t help my online rep.

I would also suggest that the “Account Suspended” text be changed to something like “Site Offline”. They are both technically correct but the latter is substantially less damaging.

Any advice would be appreciated!

]]> By: Ryan M. http://www.rfxn.com/projects/linux-malware-detect/#comment-22664 Ryan M. Wed, 18 Jan 2012 16:02:45 +0000 http://www.rfxn.com/?page_id=372#comment-22664 I apologize, rfxn.com was recently moved to a new server and is currently undergoing a backend change to enable a CDN network, as such malware checkouts are temporarily disabled. You may tar or zip up the threat and email it to malware@rfxn.com. I apologize, rfxn.com was recently moved to a new server and is currently undergoing a backend change to enable a CDN network, as such malware checkouts are temporarily disabled. You may tar or zip up the threat and email it to malware@rfxn.com.

]]> By: Eyal http://www.rfxn.com/projects/linux-malware-detect/#comment-22663 Eyal Wed, 18 Jan 2012 15:52:11 +0000 http://www.rfxn.com/?page_id=372#comment-22663 Thanks for this excellent product! I found a threat that wasn't detected by maldet. I tried to upload it with the -c option but I get: 550 Can't change directory to incoming: Permission denied Any ideas? Thanks! Thanks for this excellent product!

I found a threat that wasn’t detected by maldet.
I tried to upload it with the -c option but I get:

550 Can’t change directory to incoming: Permission denied

Any ideas?
Thanks!

]]> By: Christian http://www.rfxn.com/projects/linux-malware-detect/#comment-22646 Christian Wed, 18 Jan 2012 06:37:47 +0000 http://www.rfxn.com/?page_id=372#comment-22646 Hi Ryan, thanks for working hard on the script :) I'm on Debian Squeeze (64bit) and am still encountering the same problem as the poster of comment #106, maldet reports that says that there are no inotify processes found. {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors. The log stays empty and when i manually execute inotifywatch without arguments it seems to run and complains that there are no files specified to watch. I've manually modified maldet to not grep for /home in /etc/passwd but for /var/www (which is my home dir for webhosting users) and it did detect and set inotify to a more reasonable value (instead of 0), however it still reports there are no inotify processes found. Do you have an idea on how to fix that? Hi Ryan,

thanks for working hard on the script :)

I’m on Debian Squeeze (64bit) and am still encountering the same problem as the poster of comment #106, maldet reports that says that there are no inotify processes found.

{mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.

The log stays empty and when i manually execute inotifywatch without arguments it seems to run and complains that there are no files specified to watch.

I’ve manually modified maldet to not grep for /home in /etc/passwd but for /var/www (which is my home dir for webhosting users) and it did detect and set inotify to a more reasonable value (instead of 0), however it still reports there are no inotify processes found.

Do you have an idea on how to fix that?

]]> By: Will Sinclair http://www.rfxn.com/projects/linux-malware-detect/#comment-22098 Will Sinclair Tue, 10 Jan 2012 16:43:20 +0000 http://www.rfxn.com/?page_id=372#comment-22098 Just wanted to say thanks. My server was hacked a couple of days ago, and I knew something was up... then I got the bandwidth bill: £180!!! Your program pinpointed exactly what was up and quarantined it. Just wanted to say thanks. My server was hacked a couple of days ago, and I knew something was up… then I got the bandwidth bill: £180!!! Your program pinpointed exactly what was up and quarantined it.

]]> By: Ryan M. http://www.rfxn.com/projects/linux-malware-detect/#comment-21976 Ryan M. Mon, 09 Jan 2012 10:54:15 +0000 http://www.rfxn.com/?page_id=372#comment-21976 Is this still an issue you are seeing? Is this still an issue you are seeing?

]]> By: Ryan M. http://www.rfxn.com/projects/linux-malware-detect/#comment-21975 Ryan M. Mon, 09 Jan 2012 10:53:52 +0000 http://www.rfxn.com/?page_id=372#comment-21975 The tlog issue has been fixed and pushed live, sorry for the oversight. As for the inotify binaries, in 1.4.2 I will add x64 binaries along with a simple check to determine system arch and use the appropriate binaries. I will also add a check to see if the system has its own copy of inotifywatch in $PATH and if so use it. The tlog issue has been fixed and pushed live, sorry for the oversight.

As for the inotify binaries, in 1.4.2 I will add x64 binaries along with a simple check to determine system arch and use the appropriate binaries. I will also add a check to see if the system has its own copy of inotifywatch in $PATH and if so use it.

]]> By: Peter M. Abraham http://www.rfxn.com/projects/linux-malware-detect/#comment-19785 Peter M. Abraham Tue, 13 Dec 2011 15:54:29 +0000 http://www.rfxn.com/?page_id=372#comment-19785 Good day, Ryan: I hope you and your family are doing well. We've received two separate reports from two different servers showing: FILE HIT LIST: {HEX}php.exe.globals.383 : [full path to a directory] Where it shows scores of directories, but no individual files. Should I be concerned? How would I further diagnose this issue? Thank you. Good day, Ryan:

I hope you and your family are doing well.

We’ve received two separate reports from two different servers showing:

FILE HIT LIST:
{HEX}php.exe.globals.383 : [full path to a directory]

Where it shows scores of directories, but no individual files.

Should I be concerned?

How would I further diagnose this issue?

Thank you.

]]> By: Brad Coudriet http://www.rfxn.com/projects/linux-malware-detect/#comment-19175 Brad Coudriet Thu, 01 Dec 2011 15:51:10 +0000 http://www.rfxn.com/?page_id=372#comment-19175 First off, great tool!! Here's my uname -a Linux xxxxxxxx 2.6.32-32-server #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 x86_64 GNU/Linux Couple of bugs I found. 1. tlog doesn't like /bin/sh under Ubuntu 10.04, changing to /bin/bash seems to fix that. 2. Including and using 32bit bins for inotifywatch and its library really doesn't help those of us using x64 :( Any change in an updated version including some logic to use the system version of inotifywatch? First off, great tool!!

Here’s my uname -a

Linux xxxxxxxx 2.6.32-32-server #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 x86_64 GNU/Linux

Couple of bugs I found.

1. tlog doesn’t like /bin/sh under Ubuntu 10.04, changing to /bin/bash seems to fix that.
2. Including and using 32bit bins for inotifywatch and its library really doesn’t help those of us using x64 :(

Any change in an updated version including some logic to use the system version of inotifywatch?

]]> By: ethan http://www.rfxn.com/projects/linux-malware-detect/#comment-18848 ethan Fri, 25 Nov 2011 00:18:29 +0000 http://www.rfxn.com/?page_id=372#comment-18848 Hi, thanks for this LIFESAVING application! Your excellent work is amazing and so useful to thousands of people, and I truly appreciate it. I was just wondering... I dont see options for quiet/verbose. I think this generally standard unix feature would be quite helpful... For example, I have a nightly cron with email report, something like this: maldet -d maldet -u maldet -r ... and the email is so long with unnecessary info. I wish there was a way to just have it report the minimal info, without the repeated headers and emails... something like: maldet -d --quiet or --noheader What do you think? Hi, thanks for this LIFESAVING application! Your excellent work is amazing and so useful to thousands of people, and I truly appreciate it.

I was just wondering… I dont see options for quiet/verbose. I think this generally standard unix feature would be quite helpful…

For example, I have a nightly cron with email report, something like this:

maldet -d
maldet -u
maldet -r …

and the email is so long with unnecessary info.

I wish there was a way to just have it report the minimal info, without the repeated headers and emails…
something like: maldet -d –quiet
or –noheader

What do you think?

]]> By: Ryan M. http://www.rfxn.com/projects/linux-malware-detect/#comment-18484 Ryan M. Sun, 20 Nov 2011 22:14:07 +0000 http://www.rfxn.com/?page_id=372#comment-18484 Yes, all subdirectories will be monitored and any subsequent paths created after initialization will also get picked up. Yes, all subdirectories will be monitored and any subsequent paths created after initialization will also get picked up.

]]> By: Peter M. Abraham http://www.rfxn.com/projects/linux-malware-detect/#comment-18458 Peter M. Abraham Sun, 20 Nov 2011 15:23:47 +0000 http://www.rfxn.com/?page_id=372#comment-18458 Good day, Ryan: When you set maldet to monitor user's, does it monitor sub directories under the user home directory? Thank you. Good day, Ryan:

When you set maldet to monitor user’s, does it monitor sub directories under the user home directory?

Thank you.

]]> By: Web Dizajn http://www.rfxn.com/projects/linux-malware-detect/#comment-17821 Web Dizajn Sun, 13 Nov 2011 12:16:07 +0000 http://www.rfxn.com/?page_id=372#comment-17821 Installed this anti-malware, and I'm happy effect. However, it is difficult to cope with the recent malware injection generating htaccess files. I hope that this will be improved. Installed this anti-malware, and I’m happy effect. However, it is difficult to cope with the recent malware injection generating htaccess files. I hope that this will be improved.

]]> By: lars http://www.rfxn.com/projects/linux-malware-detect/#comment-16680 lars Wed, 02 Nov 2011 12:52:30 +0000 http://www.rfxn.com/?page_id=372#comment-16680 hello, nice tool and great work. is there a way to build own hashes, for example i need to find files with binaries or bashes: the last server ist hacked by an unsecure apache with root kit spl.sh : #!/bin/sh umask 0 LD_AUDIT=libpcprofile.so PCPROFILE_OUTPUT=/etc/ld.so.preload ping echo "[+] creating /tmp/getuid.so" echo "int getuid(){return 0;}" > /tmp/getuid.c gcc -shared /tmp/getuid.c -o /tmp/getuid.so echo "/tmp/getuid.so" > /etc/ld.so.preload So i want to build an hash to parse all files with #!/bin/ or for binaries: file /bin/bash -> search/scan for ELF \d\d-bit So which files i have to touch for own hashes ? hex.dat md5.dat rfxn.hdb rfxn.ndb so for example want to find files with "#!/bin" what i have to do ? md5(#!/bin) -> touch md5.dat and/or rfxn.db -> 0b4962363758288f8f7e0d9cdb413d92:88:{MD5}bash.inject.unclassed.1 0b4962363758288f8f7e0d9cdb413d92:{MD5}bash.inject.unclassed.1 do we need both hex and md5 for this ? thanks for any help with own definitions cause i think not everyone wants to parse #!/bin hello, nice tool and great work. is there a way to build own hashes, for example i need to find files with binaries or bashes:

the last server ist hacked by an unsecure apache with root kit spl.sh :

#!/bin/sh
umask 0
LD_AUDIT=libpcprofile.so PCPROFILE_OUTPUT=/etc/ld.so.preload ping
echo “[+] creating /tmp/getuid.so”
echo “int getuid(){return 0;}” > /tmp/getuid.c
gcc -shared /tmp/getuid.c -o /tmp/getuid.so
echo “/tmp/getuid.so” > /etc/ld.so.preload

So i want to build an hash to parse all files with #!/bin/ or for binaries:

file /bin/bash -> search/scan for ELF \d\d-bit

So which files i have to touch for own hashes ?

hex.dat
md5.dat
rfxn.hdb
rfxn.ndb

so for example want to find files with “#!/bin”

what i have to do ?

md5(#!/bin) -> touch md5.dat and/or rfxn.db ->

0b4962363758288f8f7e0d9cdb413d92:88:{MD5}bash.inject.unclassed.1

0b4962363758288f8f7e0d9cdb413d92:{MD5}bash.inject.unclassed.1

do we need both hex and md5 for this ? thanks for any help with own definitions cause i think not everyone wants to parse #!/bin

]]>