rfxn / linux-malware-detect Goto Github PK

Hello!

given that maldet is usually run as a service and root, how is the mod_security script mentioned in the latest Readme supposed to work? If I create a rule like this:

SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1234567890'"

the script is called correctly but will never run correctly because of the permission issues. What to fix?

sed: couldn't open temporary file /usr/local/maldetect//sed44G0xh: Permission denied
ln: accessing `/usr/local/maldetect/sigs/lmd.user.ndb': Permission denied
ln: accessing `/usr/local/maldetect/sigs/lmd.user.hdb': Permission denied
/usr/local/maldetect/internals/functions: line 1486: /usr/local/maldetect/tmp/.runtime.hexsigs.6306: Permission denied
cp: accessing `/usr/local/maldetect/tmp/.runtime.user.6306.ndb': Permission denied
cp: accessing `/usr/local/maldetect/tmp/.runtime.user.6306.hdb': Permission denied
/usr/bin/wc: /usr/local/maldetect/sigs/hex.dat: Permission denied
/usr/bin/wc: /usr/local/maldetect/sigs/md5v2.dat: Permission denied
cat: /usr/local/maldetect/sigs/md5v2.dat: Permission denied
/usr/bin/wc: /usr/local/maldetect/logs/clamscan_log: Permission denied
/usr/local/maldetect/internals/functions: line 1126: [: : integer expression expected
/usr/local/maldetect/internals/functions: line 925: /usr/local/maldetect/logs/clamscan_log: Permission denied
/usr/local/maldetect/internals/functions: line 932: /usr/local/maldetect/logs/clamscan_log: Permission denied
/usr/local/maldetect/internals/functions: line 933: /usr/local/maldetect/logs/clamscan_log: Permission denied
/usr/local/maldetect/internals/functions: line 957: /usr/local/maldetect/logs/clamscan_log: Permission denied
rm: cannot remove `/usr/local/maldetect/tmp/.runtime.user.6306.ndb': Permission denied
rm: cannot remove `/usr/local/maldetect/tmp/.runtime.user.6306.hdb': Permission denied
rm: cannot remove `/usr/local/maldetect/tmp/.runtime.hexsigs.6306': Permission denied
[Mon Mar 16 03:03:45 2015] [error] [client X] ModSecurity: Access denied with code 406 (phase 2). File "/tmp/20150316-030344-VQY6ALIgmqkAAAJxIH4AAAAH-file-SZ1jzV" rejected by the approver script "/usr/local/maldetect/modsec.sh": maldet(6306): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6 [file "/usr/local/apache/conf/modsec2.user.conf"] [line "60"] [id "950115"] [msg "Virus found in uploaded file"] [severity "CRITICAL"] [tag "MALICIOUS_SOFTWARE/VIRUS"] [tag "PCI/5.1"] [hostname "acme.com"] [uri "/upload.php"] [unique_id "VQY6ALIgmqkAAAJxIH4AAAAH"]

Ignore all this and see the comment below.

This is a command issued by my backup system script. Very little in /etc has changed recently.

/usr/local/maldetect/maldet -b --scan-recent /etc 1

Running the command

find /etc -mtime -1 -type f

Gives 221 results. The previous command, which has been running for a half hour, has now displayed about 350 "."'s which I assume are displayed 1 per file. (This also seems slower per file than it used to be, but I don't have empirical evidence of that)

Edit: an hour into the run I'm at 700. Running the find without the -mtime option shows around 5000 files in /etc

edit2: looking at some other backup reports from other servers it looks like this issue may just happen the first time the new maldet is run on a machine?

Edit 3: still chugging along at about 350 .s per hour. However here are the relevant lines from /usr/local/maldetect/logs/event_log:

Sep 21 09:00:56 vulcan maldet(8323): {scan} launching scan of /etc changes in last 1d to background, see /usr/local/maldetect/logs/event_log for progress
Sep 21 09:00:56 vulcan maldet(8323): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
Sep 21 09:00:56 vulcan maldet(8323): {scan} building file list for /etc of new/modified files from last 1 days, this might take awhile...
Sep 21 09:00:56 vulcan maldet(8323): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
Sep 21 09:00:56 vulcan maldet(8323): {scan} executed /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/find /etc /tmp /var/tmp /dev/shm -maxdepth 15 -regextype posix-egrep -type f ( -mtime -1 -o -ctime -1 ) -size +24c -size -768k -not -perm 000 -not -regex "" -not -uid 0 -not -gid 0
Sep 21 09:00:56 vulcan maldet(8323): {scan} scan returned zero results, please increase days range or provide a new path.

So it's saying it actually found nothing to scan (which I do believe is probably correct, the 221 results from above are all graphics files who may meet any of the -size +24c -size -768k -not -perm 000 -not -regex "" -not -uid 0 -not -gid 0 restrictions.

However again, it seems to be scanning the entire directory

I'm trying to write some reports based off the maldet logs but have been running into some issues.

If scan_clamscan is set to 1 then malware hit names are not logged to the event log. Would it be possible to normalize the logging so that malware hit names were always logged to the event log?

I've got the monitor mode running on /home, but it won't catch eicar. Pretty much standard config, except send mail is enabled.

root@sigrid2:~/maldetect-1.4.2# maldet -m /home
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(9494): {mon} set inotify max_user_instances to 128
maldet(9494): {mon} set inotify max_user_watches to 1689600
maldet(9494): {mon} added /home to inotify monitoring array
maldet(9494): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(9494): {mon} inotify startup successful (pid: 9574)
maldet(9494): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log

...

user@sigrid2:~$ wget http://www.eicar.org/download/eicar.com
2014-01-03 10:03:26 (14.8 MB/s) - `eicar.com' saved [68/68]

root@sigrid2:~# cat /usr/local/maldetect/inotify/inotify_log

/home/mattiasb/eicar.com CREATE 03 Jan 10:03:26
/home/mattiasb/eicar.com MODIFY 03 Jan 10:03:26

I then ran --alert-daily, but no output and no mail in mail.log..

/usr/local/maldetect/maldet --alert-daily

Is it possible to have the sample submission function work with passive ftp connections in addition to active, as I've had to modify the script to use passive so I can submit samples.

Unless the user is using default cPanel home directories maldet doesn't scan the right areas, the following returns the config from cPanel which stores user homedirs:

#!/usr/local/cpanel/3rdparty/bin/perl

use Cpanel::Config::LoadWwwAcctConf ();

$cref = Cpanel::Config::LoadWwwAcctConf::loadwwwacctconf();
my $homematch = ( defined $cref->{'HOMEMATCH'} ? $cref->{'HOMEMATCH'} : ( -d '/home' ? '/home' : '/usr/home' ) );
$homematch =~ s/\*//;
print $homematch;

I integrated this into the cron by checking for the existance of the /usr/local/cpanel directory

        elif [ -d "/usr/local/cpanel" ] && [ -x "/path/to/bin/homematch" ]; then
                #cpanel
                HOMEMATCH=`/path/to/bin/homematch`
                /usr/local/maldetect/maldet -b -r $HOMEMATCH?/?/public_html 2 >> /dev/null 2>&1

Could something like this be implemented?

Hello.
I am a representative of the software 2x2 cms - online store management system (state registration number 2015618097 of the Russian Federation).
On one of the largest hosting LMD is used to monitor virus activity.
The essence of the problem is that when you try to use online store management system 2x2 - LMD determines php.mailer.Mzh in two main core files:
{HEX} php.mailer.Mzh.508: u0101636: /classes/System.php
{HEX} php.mailer.Mzh.508: u0101636: /classes/Sec.php
This processed automatically blocked their work.

It obviously false positive, because these 2 files and use obfuscated links to the global scope variables GLOBALS, variations and other base64_decode php obfuscation techniques that are also used by malicious scripts, too. In reality, these two scripts send mail function is not even used, but their main purpose - monitoring and verification of the license.

This hosting is very popular and because of this false alarms, we have difficulty in working with clients.

For an example, check one of the popular web antivirus virustotal gives one false positive out of 56, which is owned Vietnamese antivirus Bkav, with developers which we are now trying to get in touch.

Where can I send the 2 file for inspection?

Sincerely, Vladimir.

It would be nice to have proper init scripts included by default to start the inotify monitoring at boot.

For example:
http://cmjscripter.net/files/scripts/maldet-monitor.init.sh

Thanks again!

I've noticed my crons don't work if I have files in the cron users homedir that matches anything in ignore_file_ext

If there are more than two files in the current run directory that match extensions in ignore_file_ext find will throw an error:

cat /usr/local/maldetect/ignore_file_ext

.txt

Commands:

# cd $(mktemp -d)
# touch test{1..2}.txt
# maldet -a ./

Maldet returns:

Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(855266): {scan} signatures loaded: 11866 (9965 MD5 / 1901 HEX)
maldet(855266): {scan} building file list for ./, this might take awhile...
/bin/find: paths must precede expression: test2.txt
Usage: /bin/find [-H] [-L] [-P] [-Olevel] [-D help|tree|search|stat|rates|opt|exec] [path...] [expression]
maldet(855266): {scan} scan returned zero results, please provide a new path.

The find command being used is:

/usr/bin/find ./ /dev/shm /tmp /var/tmp -maxdepth 15 -type f -size +32c -size -768k ! -iname *.txt | grep -vf /usr/local/maldetect/ignore_paths > /usr/local/maldetect/tmp/.find.12627

cd'ing to a tmp dir might help overcome this?

Just ran into this:

# maldet --clean 150403-1457.811
Linux Malware Detect v1.5
            (C) 2002-2014, R-fx Networks <[email protected]>
            (C) 2014, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(29339): file path error on /usr/local/maldetect/quarantine/., aborting.

At first glance it looks similar to issue #12. However, I've traced the respective function and it seems that in this case it's different. Some variables used to make up the absolute path of the file that has to be cleaned aren't available to the clean_hitlist function. As a result a dot is appended to the relative path of each file within the quarantine path.

Example:

# maldet --clean 150403-1457.811
Linux Malware Detect v1.5
            (C) 2002-2014, R-fx Networks <[email protected]>
            (C) 2014, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

+ hitlist=/usr/local/maldetect/sess/session.hits.150403-1457.811
+ '[' -f /usr/local/maldetect/sess/session.hits.150403-1457.811 ']'
++ cat /usr/local/maldetect/sess/session.hits.150403-1457.811
++ awk '{print$3}'
+ for file in '`cat $hitlist | awk '\''{print$3}'\''`'
+ '[' -f /data/samba/biz/Thumbs.db ']'
++ cat /usr/local/maldetect/sess/session.hits.150403-1457.811
++ grep /data/samba/biz/Thumbs.db
++ awk '{print$1}'
+ hitname='{CAV}lstat()'
+ echo -e 'DEBUG::: file_name -> '
DEBUG::: file_name -> 
+ echo -e 'DEBUG::: file -> /data/samba/biz/Thumbs.db'
DEBUG::: file -> /data/samba/biz/Thumbs.db
+ echo -e 'DEBUG::: quardir -> /usr/local/maldetect/quarantine'
DEBUG::: quardir -> /usr/local/maldetect/quarantine
+ echo -e 'DEBUG::: hitname -> {CAV}lstat()'
DEBUG::: hitname -> {CAV}lstat()
+ echo -e 'DEBUG::: rnd -> '
DEBUG::: rnd -> 
+ clean /usr/local/maldetect/quarantine/. '{CAV}lstat()' . '' '' '' /data/samba/biz/Thumbs.db
+ set -x
+ file=/usr/local/maldetect/quarantine/.
+ file_signame='{CAV}lstat()'
+ file_owner=.
+ file_chmod=
+ file_size=
+ file_md5=

Lines prefixed with DEBUG::: are generated using "set -x" breaks. The function variables $file_name and $rnd are empty. When calling maldet --clean it calls function clean_hitlist which then calls function clean on each infected file. The problem seems to with function clean_hitlist.

I have tried executing several maldet scans, but none seem to complete when there is a large fileset. There is no error, no crash, it just hangs indefinitely.

root@server [/home]# maldet -a /home/directory
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(31804): {scan} signatures loaded: 10727 (8823 MD5 / 1904 HEX)
maldet(31804): {scan} building file list for /home/directory, this might take awhile...
maldet(31804): {scan} file list completed, found 38966 files...
maldet(31804): {scan} 3473/38966 files scanned: 7 hits 0 cleaned

I can see the process is still running when I check "Process Manager" in WHM.

$ /usr/bin/maldet -u
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(5011): {sigup} performing signature update check...
maldet(5011): {sigup} local signature set is version 201310259491
maldet(5011): {sigup} latest signature set already installed
$ echo $?
1

As shown below, maldet recognises the first scanid but not the second one:

$ sudo maldet -e list
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

TIME: Mar 18 21:10:12 +0000 | SCAN ID: 031815-1949.3300
TIME: Mar 19 18:47:36 +0000 | SCAN ID: 031915-1847.31789

$ sudo maldet --restore 031815-1949.3300
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

$ sudo maldet --restore 031915-1847.31789
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19216): {restore} invalid file or could not be found

With the latest version from git you get permision denied errors when try to scan files.

sed: couldn't open temporary file /usr/local/maldetect/sedXwuCmb: Permission denied
also tmp directory and sigs gives perision errors.

Hi,

We have 9 servers with Plesk and on all maldet with the same configurations installed. All servers run under Centos 7 and exactly same configured. On only 2 maldet scan users files under /var/www/vhosts and on other 7 tell us this:

[root@xxx htdocs]# maldet -a /var/www/vhosts
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks [email protected]
(C) 2013, Ryan MacDonald [email protected]
inotifywait (C) 2007, Rohan McGovern [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(16965): {scan} signatures loaded: 10795 (8882 MD5 / 1913 HEX)
maldet(16965): {scan} building file list for /var/www/vhosts, this might take awhile...
maldet(16965): {scan} scan returned zero results, please provide a new path.

There are over 100 domains and I can't believe that maldet can not find anything. We searched through Google but found nothing about that.
Any input or help would be appreciated.

Regards,
Pera

When I run the command:
/usr/local/sbin/maldet --monitor /usr/local/maldetect/monitor_paths
Linux Malware Detect v1.5
(C) 2002-2014, R-fx Networks [email protected]
(C) 2014, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

/usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.7219: No such file or directory
maldet(7219): {mon} added /var/www/vhosts to inotify monitoring array
maldet(7219): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(7219): {mon} inotify startup successful (pid: 7308)
maldet(7219): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log

Here is my first attempt at an init script to start maldet monitoring at boot (original issue #15 ). The script expects your monitor paths to be defined in the file /usr/local/maldetect/monitor_paths. Customize it as you wish.. contributions welcome!

#!/bin/bash
#
# maldet    Maldet inotify monitoring
#
# chkconfig: 345 70 30
# description: Maldet inotify monitoring
# processname: maldet

# Source function library.
. /etc/init.d/functions

RETVAL=0
prog="maldet"
LOCKFILE=/var/lock/subsys/$prog

start() {
        echo -n "Starting $prog: "
        /usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths
        RETVAL=$?
                [ $RETVAL -eq 0 ] && touch $LOCKFILE
                echo
                return $RETVAL
}

stop() {
        echo -n "Shutting down $prog: "
        /usr/local/maldetect/maldet --kill-monitor && success || failure
                RETVAL=$? [ $RETVAL -eq 0 ] && rm -f $LOCKFILE
                echo
                return $RETVAL
}

restart() {
        stop
        start
}

status() {
        echo -n "Checking $prog monitoring status: "
        if [ "$(ps -A --user root -o "cmd" | grep maldetect | grep inotifywait)" ]; then
                        echo "Running"
                else
                        echo "Not running"
                fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart)
        restart
        ;;
    condrestart)
        if [ -f $LOCKFILE ]; then
            restart
        fi
        ;;
    *)
        echo "Usage: $prog {start|stop|status|restart|condrestart}"
        exit 1
        ;;
esac
exit $RETVAL

Update: I've added the option condrestart so we can only restart the inotify monitoring if its already running.

When I try and run the --clean command for any scan id I get this:

maldet --clean 140715-0536.25502
Linux Malware Detect v1.5
(C) 2002-2014, R-fx Networks [email protected]
(C) 2014, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(26200): file path error on /usr/local/maldetect/quarantine/., aborting.

For some reason every time I run maldet, it exits with status 1. I can't even tell that there is anything particularly wrong. There are no "hits" (no malware found). I can fake it, easily enough, but it would be good to know what is failing. I am running this via Jenkins, which watches for exit status (it runs in bash -e)

# maldet -r /tmp
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(25129): {scan} signatures loaded: 13793 (11892 MD5 / 1901 HEX)
maldet(25129): {scan} building file list for /tmp of new/modified files from last 7 days, this might take awhile...
maldet(25129): {scan} file list completed, found 10 files...
maldet(25129): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(25129): {scan} scan of /tmp (10 files) in progress...

maldet(25129): {scan} scan completed on /tmp: files 10, malware hits 0, cleaned hits 0
maldet(25129): {scan} scan report saved, to view run: maldet --report 021715-1819.25129
# echo $?
1

The file /etc/cron.daily/maldet misses the web tree for subdomains on Plesk 12 because now when creating a subdomain the web tree isn't restricted to the /var/www/vhosts/?/subdomains/?/httpdocs directory any more.

Current line that needs fixing:

 # psa
/usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs/,/var/www/vhosts/?/subdomains/?/httpdocs/ 1 >> /dev/null 2>&1

For example adding a subdomain for "test" to the domain example.com the web files are here by default:

/var/www/vhosts/example.com/test.example.com

I have included a screenshot of how the new path is preset by default.

Entries added to either ignore_file_ext or ignore_sigs are not being ignored.

cat /usr/local/maldetect/ignore_file_ext

.txt

cat /usr/local/maldetect/ignore_sigs

{CAV}Eicar-Test-Signature

Command run:

maldet -b --scan-all /var/www/vhosts/?/httpdocs

maldet --report 150107-1249.29105

HOST:      example.com
SCAN ID:   150107-1249.29105
STARTED:   Jan  7 2015 12:49:34 -0700
COMPLETED: Jan  7 2015 12:49:34 -0700
ELAPSED:   0s [find: 0s]

PATH:          /var/www/vhosts/*/httpdocs
TOTAL FILES:   154
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 150107-1249.29105

FILE HIT LIST:
{CAV}Eicar-Test-Signature  :  /var/www/vhosts/example.com/httpdocs/eicar.txt
===============================================
Linux Malware Detect v1.5 < [email protected] >

Running clean on affected php files removes the injected {HEX}gzbase64.inject.unclassed.15 malware, but either inserts or leaves behind extra lines.

This trips up php 5.5.12 with "PHP Fatal error: Namespace declaration statement has to be the very first statement"

Is there a way to tell clean to remove/not add extra empty lines or is this behaviour a bug in maldet --clean?

Somehow I cannot submit files. When forcing passive FTP the upload succeeds. See below:

Linux Malware Detect v1.5
(C) 2002-2014, R-fx Networks [email protected]
(C) 2014, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(30496): {checkout} uploading 81662.php to ftp.rfxn.com
Connected to rfxn.com.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 06:15. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
331 User [email protected] OK. Password required
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
Interactive mode on.
250 OK. Current directory is /incoming
Local directory now /
200 TYPE is now 8-bit binary
local: 81662.php remote: ff81bfcadb10607d4d7a8c9bb7a75750.5950.81662.php.bin
200 PORT command successful
425 Could not open data connection to port 47612: Connection timed out
200 TYPE is now ASCII
local: 81662.php remote: ff81bfcadb10607d4d7a8c9bb7a75750.5950.81662.php.ascii
200 PORT command successful
425 Could not open data connection to port 58939: Connection timed out
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.

Hi

Line 914 reads tmf=... when it should read tmpf=...

This is breaking the reporting of hits.

Doesn't seem worth me working out how to do a pull request!

Paul.

It would be great if the shebang could be changed from bin/bash to /usr/bin/env bash

It looks like when maldet updated at midnight as part of my daily scan and backup script it broke ClamAV. As this is on my mail server, and amavis uses clamAV to scan for viruses, this is preventing mail from being sent or delivered.

I've tried running freshclam, maldet -d, maldet -u, restarting clamav-daemon, restarting amavis, etc.

When I try to start ClamAV this is what I get:

service clamav-daemon start

• Starting ClamAV daemon clamd
  LibClamAV Error: cli_load(): Can't open file /var/lib/clamav/lmd.user.hdb
  LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/lmd.user.hdb
  ERROR: Can't open file or directory [fail]

contents of /var/lib/clamav:

drwxr-xr-x 2 clamav clamav 4096 Sep 19 02:15 ./
drwxr-xr-x 59 root root 4096 Aug 26 07:41 ../
-rw-r--r-- 1 clamav clamav 407040 Aug 20 11:45 bytecode.cld
-rw-r--r-- 1 clamav clamav 101435904 Sep 18 13:52 daily.cld
lrwxrwxrwx 1 root root 38 Sep 19 00:01 lmd.user.hdb -> /usr/local/maldetect/sigs/lmd.user.hdb
lrwxrwxrwx 1 root root 38 Sep 19 00:01 lmd.user.ndb -> /usr/local/maldetect/sigs/lmd.user.ndb
-rw-r--r-- 1 clamav clamav 64720632 Sep 17 2013 main.cvd
-rw------- 1 clamav clamav 1196 Sep 19 02:15 mirrors.dat
lrwxrwxrwx 1 root root 34 Sep 19 00:01 rfxn.hdb -> /usr/local/maldetect/sigs/rfxn.hdb
lrwxrwxrwx 1 root root 34 Sep 19 00:01 rfxn.ndb -> /usr/local/maldetect/sigs/rfxn.ndb

contents of /usr/local/maldetect/sigs:

ll /usr/local/maldetect/sigs
total 2584
drwxr-xr-x 3 root root 4096 Sep 19 00:04 ./
drwxr-xr-x 11 root root 4096 Sep 19 02:10 ../
drwxr-xr-x 2 root root 4096 Sep 12 2013 appver/
-rw-r--r-- 1 root root 0 Sep 19 00:01 custom.hex.dat
-rw-r--r-- 1 root root 0 Sep 19 00:01 custom.md5.dat
-rw-r--r-- 1 root root 429904 Sep 18 18:18 hex.dat
lrwxrwxrwx 1 root root 48 Sep 19 00:04 lmd.user.hdb -> /usr/local/maldetect/tmp/.runtime.user.13092.hdb
lrwxrwxrwx 1 root root 48 Sep 19 00:04 lmd.user.ndb -> /usr/local/maldetect/tmp/.runtime.user.13092.ndb
-rw-r--r-- 1 root root 14 Sep 19 00:01 maldet.sigs.ver
-rw-r--r-- 1 root root 551001 Sep 18 18:18 md5.dat
-rw-r--r-- 1 root root 602518 Sep 18 18:18 md5v2.dat
-rw-r--r-- 1 root root 598632 Sep 18 18:18 rfxn.hdb
-rw-r--r-- 1 root root 437560 Sep 18 18:18 rfxn.ndb

contents of /usr/local/maldetect/tmp:

ll /usr/local/maldetect/tmp
total 8
drwxr-x--- 2 root root 4096 Sep 19 00:04 ./
drwxr-xr-x 11 root root 4096 Sep 19 02:10 ../
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.alert.hits
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.clean.hits
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.monitor.alert
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.susp.hits

so as you can see the .runtime.user.13092.* files are missing.

The error I'm getting in my /var/log/mail.log is:

Sep 19 02:08:52 pigeon amavis[4089]: (04089-06) (!)run_av (ClamAV-clamscan) FAILED - unexpected exit 2, output="LibClamAV Error: cli_load(): Can't open file /var/lib/clamav/lmd.user.hdb\nLibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/lmd.user.hdb\nERROR: Can't open file or directory"

relevant lines from /var/log/clamav/clamav.log:

Fri Sep 18 22:17:23 2015 -> SelfCheck: Database status OK.
Fri Sep 18 23:21:25 2015 -> SelfCheck: Database status OK.
Sat Sep 19 00:01:35 2015 -> Reading databases from /var/lib/clamav
Sat Sep 19 00:01:38 2015 -> ERROR: reload db failed: Can't open file or director
y
Sat Sep 19 00:01:38 2015 -> Terminating because of a fatal error.
Sat Sep 19 00:01:38 2015 -> Pid file removed.
Sat Sep 19 00:01:38 2015 -> --- Stopped at Sat Sep 19 00:01:38 2015
Sat Sep 19 00:01:38 2015 -> Socket file removed.

relevant lines from /usr/local/maldetect/logs/event_log

Sep 19 00:01:31 pigeon maldet(11534): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11534): {sigup} local signature set is version 2015091828029
Sep 19 00:01:31 pigeon maldet(11534): {sigup} latest signature set already installed
Sep 19 00:01:31 pigeon maldet(11237): {update} completed update v1.4.2 => v1.5, running signature updates...
Sep 19 00:01:31 pigeon maldet(11619): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11619): {sigup} local signature set is version 2015091828029
Sep 19 00:01:31 pigeon maldet(11619): {sigup} latest signature set already installed
Sep 19 00:01:31 pigeon maldet(11237): {update} update and config import completed.
Sep 19 00:01:31 pigeon maldet(11237): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11237): {sigup} local signature set is version 2015091516329
Sep 19 00:01:31 pigeon maldet(11237): {sigup} new signature set (2015091828029) available
Sep 19 00:01:32 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
Sep 19 00:01:33 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
Sep 19 00:01:34 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
Sep 19 00:01:35 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
Sep 19 00:01:35 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
Sep 19 00:01:35 pigeon maldet(11237): {sigup} signature set update completed
Sep 19 00:01:35 pigeon maldet(11237): {sigup} 10822 signatures (8908 MD5 / 1914 HEX)
Sep 19 00:01:36 pigeon maldet(11791): {scan} launching scan of /root changes in last 1d to background, see /usr/local/maldetect/logs/event_log for progress
Sep 19 00:01:36 pigeon maldet(11791): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
Sep 19 00:01:36 pigeon maldet(11791): {scan} building file list for /root of new/modified files from last 1 days, this might take awhile...
Sep 19 00:01:36 pigeon maldet(11791): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
Sep 19 00:01:36 pigeon maldet(11791): {scan} executed /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/find /root /tmp /var/tmp /dev/shm -maxdepth 15 -regextype posix-egrep -type f ( -mtime -1 -o -ctime -1 ) -size +24c -size -6947618c -not -perm 000 -not -regex "" -not -uid 0 -not -gid 0
Sep 19 00:01:37 pigeon maldet(11791): {scan} file list completed in 1s, found 69 files...
Sep 19 00:01:37 pigeon maldet(11791): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
Sep 19 00:01:37 pigeon maldet(11791): {scan} scan of /root (69 files) in progress...
Sep 19 00:01:38 pigeon maldet(11791): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!

relevant lines from /usr/local/maldetect/logs/clamscan_log:

Sep 19 00:01:37 pigeon clamscan start
Sep 19 00:01:37 pigeon executed: /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --infected -
-no-summary -f /usr/local/maldetect/tmp/.find.11791
ERROR: Communication error
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
.
.
.
Sep 19 00:01:42 pigeon clamscan start
Sep 19 00:01:42 pigeon executed: /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --max-filesiz
e=5M --max-scansize=5M -d /usr/local/maldetect/tmp/.runtime.user.12047.hdb -d /usr/local/maldetect/tmp/.runtim
e.user.12047.ndb -r --infected --no-summary -f /usr/local/maldetect/tmp/.find.12047
WARNING: Ignoring unsupported option --max-filesize
WARNING: Ignoring unsupported option --max-scansize
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --recursive (-r)
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
.
.
.

This is a MAJOR issue. for now I have disabled anti-virus checking in amavis like this:

Try this on Debian or Ubuntu:

Add a new file /etc/amavis/conf.d/90-custom

with the following content:

Code:

use strict;

@bypass_virus_checks_maps  = (1);

#------------ Do not modify anything below this line -------------
1;  # insure a defined return

and restart amavisd.

There is no OSTYPE global variable

# env | grep BSD
_system_type=BSD
_system_name=FreeBSD

Is there an easy way for me to generate my own threat signatures? More than happy to share the signatures I'd generate with the community. Just not sure how to go about this?

Maldet iNotify Monitoring was unable to detect malicious files in realtime monitoring meanwhile manual scan detected the same files as malicious. But, why isn't the monitoring process picking up the malware? any ideas? Current maldet version I am using is 1.4.2

I setup the scanner to keep tabs on /home/username (all 6) and the monitoring process IS checking files being uploaded, created or modified, but on two occasions now, it has missed infected files being put on the server.
Running maldet -a /home/XXX manually and it picks up the infected files and quarantines them, as the monitoring process is supposed to do.
The log file shows the file being created/modified, but nothing about it picking up the malware.

grep -w 'backup/proxy.php' /usr/local/maldetect/inotify/inotify_log
/home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php CREATE 27 Apr 14:44:52
/home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52
/home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52
/home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52
/home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52

Running a manual scan results in:

malware detect scan report for xxxxxxxxxxxx:
SCAN ID: 042715-1505.3285
TIME: Apr 27 15:07:41 +0100
PATH: /home/username/public_html/
TOTAL FILES: 37322
TOTAL HITS: 2
TOTAL CLEANED: 0

FILE HIT LIST:
{CAV}Php.Malware.Mailbot-1 : /home/username/public_html/xxxxxxxx/images/testimonials/css.php => /usr/local/maldetect/quarantine/css.php.8062
{CAV}Php.Malware.Mailbot-1 : /home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php => /usr/local/maldetect/quarantine/proxy.php.3538

But, why isn't the monitoring process picking up the malware? any ideas?

Current maldet version I am using is 1.4.2

The inotifywait that is packaged with LMD 1.4.2 fails on CentOS 6.6. When fixed the daily cron reverts the fix.

After playing around a bit and doing stupid stuff I found this:

# ./inotifywait
sh: ./inotifywait: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory

It turns out that this can be fixed by installing a 32bit version of glibc (yum install glibc.i686 worked for me)

When running maldet --monitor users in maldet 1.5 I see this warning:

/usr/local/maldetect/internals/functions: line 1288: [: : integer expression expected

Hello!

I'm execute simple test clamscan vs clamDscan and found extremely big difference between it:

Parallel scan via clamDscan (daemon): 34.176 sec
Single thread scan via clamDscan (daemon): 191.848 sec
Scan via clamscan: 215.018 sec

As you can see difference is fantastic!

Adding maldet databases to ClamAV daemon is very simple:

cp /usr/local/maldetect/sigs/rfxn.hdb /var/lib/clamav
cp /usr/local/maldetect/sigs/rfxn.ndb /var/lib/clamav
/etc/init.d/clamd restart

May be you can add this solution as recommended way for scanning via ClamAV because it many times faster?

Full article: http://bit.ly/Rkm6wU (sorry, it's in russian).

In maldet 1.5 the long form of the kill command to stop the inotify monitoring service is not recognized:

maldet --kill
Linux Malware Detect v1.5
(C) 2002-2014, R-fx Networks [email protected]
(C) 2014, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 2014061517666
usage maldet [-h|--help] [-a|--scan-all PATH] [-r|--scan-recent PATH DAYS]
[-f|--file-list PATH] [-i|--include-regex] [-x|--exclude-regex]
[-b|--background] [-m|--monitor] [-k|--kill-monitor][-c|--checkout]
[-q|--quarantine] [-s|--restore] [-n|--clean] [-l|--log] [-e|--report]
[-u|--update-sigs] [-d|--update-ver]

Hey there.
Got few small problems running LMD on FreeBSD.

which bash
/usr/local/bin/bash
not /bin/bash

$OSTYPE in internals.conf is not equal FreeBSD
should be something like
if [ "$OSTYPE" == "freebsd8.1" ]; then

If I run the maldet --monitor command it creates an empty file named "0" in the current/working directory:

 [test3]# maldet --monitor /usr/local/maldetect/monitor_paths
Linux Malware Detect v1.5
            (C) 2002-2014, R-fx Networks <[email protected]>
            (C) 2014, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19579): {mon} added /var/www/vhosts to inotify monitoring array
maldet(19579): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(19579): {mon} inotify startup successful (pid: 19668)
maldet(19579): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log

[test3]# ls -la
total 8
drwxr-xr-x   2 root root 4096 Jan  7 11:00 .
dr-xr-x---. 22 root root 4096 Jan  7 11:00 ..
-rw-r--r--   1 root root    0 Jan  7 11:00 0

It would be nice if maldet could pipe the contents of files to clamscan instead of using the -f option. Clamscan on Ubuntu by default runs under its own user. So when you scan a file with clamscan like this:

# /usr/bin/clamdscan  --infected --no-summary /home/mysite/public_html/cache/index.html 

you get an error: /home/mysite/public_html/cache/index.html: lstat() failed: Permission denied. ERROR

This works:

/usr/bin/clamdscan  --infected --no-summary < /home/mysite/public_html/cache/index.html

Currently in maldet 1.5 the kill command should return an exit code of 0 on success or 1 on error. Currently the kill command will always return an exit code of 1. This makes it hard to determine if an error actually occurred.

Currently:
/usr/local/maldetect/maldet -k
echo $?
1

With the latest master using monitor with a file path maldet is no longer recognizing a path if it doesn't contain a newline character at the end.
Eg.
maldet --monitor /usr/local/maldetect/monitor_paths

The response
maldet(30196): {mon} no paths specified in /usr/local/maldetect/monitor_paths, aborting.

Contents of /usr/local/maldetect/monitor_paths
/var/www/vhosts

Maldet should recognize a single path even though the newline is missing.

Hello,

I installed yesterday the version 1.5 on one of my servers and all was working fine. Today, when I ran a manual scan, maldet couldn't find a command from "functions" file, as shown below:

root@server [/usr/local/maldetect]# maldet -a /home/user/public_html/
Linux Malware Detect v1.5
(C) 2002-2014, R-fx Networks [email protected]
(C) 2014, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} signatures loaded: 10749 (8838 MD5 / 1911 HEX / 0 USER)
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} building file list for /home/user/public_html/, this might take awhile...
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} file list completed in 0s, found 206 files...
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} scan of /home/user/public_html/ (206 files) in progress...
maldet(700416): {scan} 206/206 files scanned: 0 hits 0 cleaned
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} scan completed on /home/user/public_html/: files 206, malware hits 0, cleaned hits 0, time 8s
/usr/local/maldetect/internals/functions: line 134: ed: command not found
maldet(700416): {scan} scan report saved, to view run: maldet --report 150407-0935.700416

I tried to replace the "functions" file from the original installation but it didn't help.

Please let me know how to fix this or if anyone else is experiencing this issue.

All in the title

There is a option to exclude file extensions, but we have an issue where our files are stored on a NetApp Filer, and we need to avoid having find traverse through all the ".snapshot" directories. clamscan itself provides that with --exclude-dir=REGEXP. Perhaps it would make sense to model after that?

I'm running into an issue where tmp/monitor.pid is not accurate, and when maldet attempts to run monitor_kill(), it actually ends up sending a kill -9 to random system processes that have reused that same PID. I discovered this after months of mysterious sporadic issues on our postgres servers:

maldet's event_log

Feb 02 03:48:32 acme-db10 maldet(15552): {update} checking for available updates...
Feb 02 03:48:32 acme-db10 maldet(15552): {update} hashing install files and checking against server...
Feb 02 03:48:32 acme-db10 maldet(15552): {update} version check shows latest but hash check failed, forcing update...
Feb 02 03:48:33 acme-db10 maldet(15618): {mon} sent kill to monitor service

syslog

Feb  2 03:48:33 acme-db10 postgres[14204]: [5-1] LOG:  server process (PID 20352) was terminated by signal 9: Killed
Feb  2 03:48:33 acme-db10 postgres[14204]: [6-1] LOG:  terminating any other active server processes
Feb  2 03:48:33 acme-db10 postgres[14478]: [5-1] WARNING:  terminating connection because of crash of another server process
Feb  2 03:48:33 acme-db10 postgres[14478]: [5-2] DETAIL:  The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory.

contents of monitor.pid at the time of monitor_kill():

[root@acme-db10 maldetect.bk15617]# cat tmp/monitor.pid
20352

/usr/local/maldetect/hookscan.sh index.php

sed: couldn't open temporary file /usr/local/maldetect/sedv8orGk: Permission denied
ln: creating symbolic link /usr/local/maldetect/sigs/lmd.user.ndb': Permission denied ln: creating symbolic link/usr/local/maldetect/sigs/lmd.user.hdb': Permission denied
/usr/local/maldetect/internals/functions: line 1653: /usr/local/maldetect/tmp/.runtime.hexsigs.10932: Permission denied
rm: cannot remove /var/lib/clamav//rfxn.hdb': Permission denied rm: cannot remove/var/lib/clamav//rfxn.ndb': Permission denied
1 maldet: OK

Here's the error I'm getting when trying to clear infected files:

maldet -q 120214-0318.950671
Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(1048536): {quar} malware quarantined from '/home/XXXXX/domains/XXXXX.pl/public_html/images/stories/aaa.gif' to '/usr/local/maldetect/quarantine/aaa.gif.332'
maldet(1048536): {clean} restoring /usr/local/maldetect/quarantine/aaa.gif.332 for cleaning attempt
maldet(1048536): {clean} trying to clean /home/XXXXX/domains/XXXXX.pl/public_html/images/stories/aaa.gif with gzbase64.inject.unclassed rule
/usr/local/sbin/maldet: line 374: #!/bin/bash: No such file or directory
maldet(1048536): {clean} rescanning /home/XXXXX/domains/XXXXX.pl/public_html/images/stories/aaa.gif for malware hits
maldet(1048536): {clean} clean failed on /home/XXXXX/domains/XXXXX.pl/public_html/images/stories/aaa.gif and returned to quarantine
maldet(1048536): {quar} malware quarantined from '/home/XXXXX/domains/XXXXX.pl/public_html/images/stories/wawalo.gif' to '/usr/local/maldetect/quarantine/wawalo.gif.22508'

The error "/usr/local/sbin/maldet: line 374: #!/bin/bash: No such file or directory" appears every time maldet tries to clean a file. This also happens on different server with similar configuration. Bash is installed:

$ which bash
/bin/bash

$ uname -a
Linux xxxxxx.pl 2.6.32-531.23.3.lve1.2.66.el6.x86_64 #1 SMP Fri Sep 12 10:57:40 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/issue
CloudLinux Server release 6.6 (Leonid Kizim)
Kernel \r on an \m

Hi,

I want to propose a feature addition to ignore scanning for Immutable files as well as files with permissions of 000. I have already edited the code to support files with permissions of 000 but have yet to find an easy way to also ignore immutable files. It's a bit rough still however.

 tmpdir_paths="/dev/shm /tmp /var/tmp"
 if [ "$days" == "all" ]; then
  if [ -z "$setmodsec" ]; then
      eout "{scan} building file list for $spath, this might take awhile..." 1
  fi
    if [ "$immutable" == "1" ]; then
    $find $spath $tmpdir_paths -maxdepth $maxdepth -type f ! -perm 000 -size +${minfilesize}c -size -$maxfilesize $ignore_fext | grep -vf $ignore_paths > $find_results
    else
    $find $spath $tmpdir_paths -maxdepth $maxdepth -type f -size +${minfilesize}c -size -$maxfilesize $ignore_fext | grep -vf $ignore_paths > $find_results
        fi 
    else
  if [ -z "$setmodsec" ]; then
      eout "{scan} building file list for $spath of new/modified files from last $days days, this might take awhile..." 1
  fi
    if [ $immutable == 1 ]; then  
        $find $spath $tmpdir_paths -maxdepth $maxdepth -type f ! -perm 000 -mtime -$days -size +${minfilesize}c -size -$maxfilesize $ignore_fext | grep -vf $ignore_paths > $find_results
    else
$find $spath $tmpdir_paths -maxdepth $maxdepth -type f -mtime -$days -size +${minfilesize}c -size -$maxfilesize $ignore_fext | grep -vf $ignore_paths > $find_results
    fi 
fi
 if [ ! -f "$find_results" ] || [ -z "$(cat $find_results)" ]; then
  if [ -z "$setmodsec" ]; then
    if [ "$days" == "all" ]; then
     eout "{scan} scan returned zero results, please provide a new path." 1
     exit
    else
     eout "{scan} scan returned zero results, please increase days range or provide a new path." 1
     exit
    fi
  fi
 fi

At the maldet options at the end of the file

    -i|--immutable)
        header
        immutable=1
    ;;

and the usage information

usage maldet [-h|--help] [-l|--log] [-e|--report] [-p|--purge] [-c|--checkout]
[-b|--background] [-m|--monitor] [-k|--kill-monitor] [-a|--scan-all] [-r|--scan-recent]
[-q|--quarantine] [-s|--restore] [-n|--clean] [-u|--update] [-d|--update-ver] [-i|--immutable]

Hi,
I'm testing maldet 1.4.2 on a CentOS 6.6 / Plesk 12 server.

Install and set up has all gone fine. I've been doing some testing, by running manual scans on some specific directories, however - I've jsut noticed that the number of files that maldet reports as found in a given directory is always a couple of thousand higher than the actual number of files that are present.

For example:

maldet(28957): {scan} building file list for /var/www/vhosts/xxxx.co.nz/httpdocs/, this might take awhile...
maldet(28957): {scan} file list completed, found 2946 files...
maldet(28957): {scan} 2946/2946 files scanned: 0 hits 0 cleaned
maldet(28957): {scan} scan completed on /var/www/vhosts/xxxx.co.nz/httpdocs/: files 2946, malware hits 0, cleaned hits 0

However, if I go to the directory above and use:

find . -type f | wc -l

I get a result of 17 files -- which is correct.

I've tested on some other directories and the maldet number always seems to be ~2600 higher than the actual.

Any ideas why this might be happening?

I would really appreciate any help, and will be happy to donate to this project once I can get it all working properly.

Thanks.

I try to run
-maldet -m /var

I got :maldet(19972): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(19972): {mon} no inotify process found, check /usr/local/maldetect/logs/inotify_log for errors.

but log inotify is empty.

I can make
root@web:/var/www-jcarnus/wcc# inotifywait /var
Setting up watches.
Watches established.

Hello,

I'm experiencing a problem where Maldet 1.5 updates to the previous version of 1.4.2. It probably checks the main LMD site and sees that the hash check differs between the two versions, so it updates to the 1.4.2 version:

maldet(6069): {update} version check shows latest but hash check failed, forcing update...

I like the new separate customizable "custom.hex.dat" and "custom.md5.dat" features on Maldet 1.5 so I'm trying to stick to this version.

Is there any way around this issue?

Thank you.

Hi Ryan,

First of all, great job on developing the software that helps many shared host services as well as developers concerned with servers which deal with various types of files.

I write PHP scripts and publish them and it seems your software Linux Malware Detect v1.4.2 flags some of my work as malware.

It is a part of the program named Admin Page Framework and it includes a minified version that compresses the entire project files into one file.

{HEX}php.nested.jpexp.531 : admin-page-framework/library/admin-page-framework.min.php

(file)

Also the file based on it for a different WordPress plugin named Fetch Tweets gets flagged as malware as well. (file)

It seems code that contains the following string (and a pattern behind it which I do not know) gets a false positive.

']; $GLOBALS['some_characters_admin

I think it is a common variable name combination and should be avoided from being flagged.

If there is a reason that my programs got targeted as malware, I'd like to know the reasons. If not, could you update the definitions not to flag them as malware?

Thank you.

hits.alltime only tracking hits if scan_clamscan=1