What is Linux Malware Detect? Also, know as LMD or maldet

0
Shares
0
0
0
0
0
0
Table of Contents
  1. Background on Linux Malware Detect, LMD or Maldet
  2. Common Maldet Tasks
    1. Running a Maldet Scan
    2. Viewing Scan Reports
    3. Updating Maldet and Definitions
    4. Quarantine Detected Threats
    5. Configuring Maldet
  3. Example Scan
  4. Maldet Coverage for Malware
  5. Change Log

Content Error or Suggest an Edit

Notice a grammatical error or technical inaccuracy? Let us know; we will give you credit!

So you might be here because you either searched Google for maldet or you’re a GridPane customer looking to get more information about maldet and what it does.

Background on Linux Malware Detect, LMD or Maldet

I’ve always known about maldet, but never got the opportunity to use it. I’ve always searched and cleaned manually via SSH using tcsh/zsh shell. It took time, but also added a human element to it where I could see things a scanning engine couldn’t.

There are alternatives to maldet that you can check out.

Common Maldet Tasks

Running a Maldet Scan

To run a Maldet scan on a specific directory, you can use the following command, replacing /path/to/directory with the actual path of the directory you want to scan

maldet --scan-all /path/to/directory

If you want to scan your entire system, you can replace /path/to/directory with /.

Viewing Scan Reports

After the scan completes, Maldet will provide a report ID. You can view the detailed report of the scan results with the following command, replacing report_id with the actual report ID provided:

maldet --report report_id

    Updating Maldet and Definitions

    It’s important to keep Maldet and its malware definitions updated. You can update Maldet and its signatures using the following command 

    maldet -u maldet -d

    Quarantine Detected Threats

    If Maldet finds any threats, you can opt to quarantine them. Maldet may automatically suggest this, or you can manually quarantine files by using the -q flag followed by the report ID:

    maldet -q report_id

    Configuring Maldet

    Maldet can be configured to suit your needs. Its configuration file is usually located at /usr/local/maldetect/conf.maldet or /etc/maldetect/maldet.conf, depending on your installation. You can edit this file to change various settings, such as email notifications, quarantine options, and scan options.

        Example Scan

        The following is a recent scan done on July 13th 2021, I’ve removed the server name and full paths to the malware for privacy concerns.

        Scanning /var/www/ all sites with -maldet-scan
Scanning everything, this might take some time
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(6737): {scan} signatures loaded: 17258 (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(6737): {scan} building file list for /, this might take awhile...
maldet(6737): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(6737): {scan} file list completed in 47s, found 801291 files...
maldet(6737): {scan} scan of / (801291 files) in progress...
maldet(6737): {scan} 801291/801291 files scanned: 4 hits 0 cleaned

maldet(6737): {scan} scan completed on /: files 801291, malware hits 4, cleaned hits 0, time 90992s
maldet(6737): {scan} scan report saved, to view run: maldet --report 210713-0904.6737
maldet(6737): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 210713-0904.6737
report - HOST:      
SCAN ID:   210713-0904.6737
STARTED:   Jul 13 2021 09:04:29 -0700
COMPLETED: Jul 14 2021 10:21:01 -0700
ELAPSED:   90992s [find: 47s]

PATH:          /
TOTAL FILES:   801291
TOTAL HITS:    4
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 210713-0904.6737

FILE HIT LIST:
{HEX}php.malware.magento.598 : wp-content/themes/azul/404.php
{HEX}php.nested.base64.648 : wp-content/plugins/wp-page-numbers/stylish/img/pogey.php
{HEX}php.malware.magento.598 : wp-content/themes/azul/404.php
{HEX}php.nested.base64.648 : wp-content/plugins/wp-page-numbers/stylish/img/pogey.php

        Maldet Coverage for Malware

        As with any malware tool, coverage will vary, maldet doesn’t have full 100% coverage and most scanners wont. I’d say Maldet has 80% coverage of malware, detecting malware older than a year, but that’s creeping into 1.5 years now.

        Change Log

        • 03-27-2024 – Took out of draft, added some common tasks for maldet and maldet coverage for malware. Added wordfence-cli and rootkithunter.
        0 Shares:
        Share 0
        Tweet 0
        Share 0
        Share 0
        Share 0

        Author

        Jordan Trask

        With 20 years experience in technology spanning from Linux, Data Center Infrastructure and related services and applications. Jordan consults with small, medium and large organizations tackling problems and technology needs. With 10 years experience in WordPress, he’s created Managing WP as a means to dump his brain on the web.

        Jordan operates LMT Solutions providing Technology Consulting Services and We Power WP for WordPress Care Plans and Support.

        Join our Newsletter


        — Previous article

        Cloudways Support Experiences from Facebook

        Next article —

        Cyberpanel Cheatsheet

        You May Also Like