What is Linux Malware Detect? Also known as LMD or maldet


Draft Warning

You’ve reached a draft 🤷‍♂️ and unfortunately, it’s a work in progress.

So you might be here because you either searched Google for maldet or you’re a GridPane customer looking to get more information about maldet and what it does.

Background on Linux Malware Detect, LMD or Maldet

I’ve always known about maldet, but never got the opportunity to use it. I’ve always searched and cleaned manually via SSH using tcsh/zsh shell. It took time, but also added a human element to it where I could see things a scanning engine couldn’t.

There are alternatives to maldet that you can check out.

Running a scan!

(How to run an example)

Example Scan

The following is a recent scan done on July 13th 2021. I’ve removed the server name and full paths to the malware for privacy reasons.

Scanning /var/www/ all sites with -maldet-scan
Scanning everything, this might take some time
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(6737): {scan} signatures loaded: 17258 (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(6737): {scan} building file list for /, this might take awhile...
maldet(6737): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(6737): {scan} file list completed in 47s, found 801291 files...
maldet(6737): {scan} scan of / (801291 files) in progress...
maldet(6737): {scan} 801291/801291 files scanned: 4 hits 0 cleaned

maldet(6737): {scan} scan completed on /: files 801291, malware hits 4, cleaned hits 0, time 90992s
maldet(6737): {scan} scan report saved, to view run: maldet --report 210713-0904.6737
maldet(6737): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 210713-0904.6737
report - HOST:
SCAN ID:   210713-0904.6737
STARTED:   Jul 13 2021 09:04:29 -0700
COMPLETED: Jul 14 2021 10:21:01 -0700
ELAPSED:   90992s [find: 47s]

PATH:          /
TOTAL FILES:   801291

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 210713-0904.6737

{HEX}php.malware.magento.598 : wp-content/themes/azul/404.php
{HEX}php.nested.base64.648 : wp-content/plugins/wp-page-numbers/stylish/img/pogey.php
{HEX}php.malware.magento.598 : wp-content/themes/azul/404.php
{HEX}php.nested.base64.648 : wp-content/plugins/wp-page-numbers/stylish/img/pogey.php
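To turn a report like the one above into something you can act on, here is a small parser, added as an example; it is not part of this post or of maldet itself. It pulls out the hit lines (signature class, signature name, path), the "malware hits N, cleaned hits N" summary line, the scan id, and the "quarantine is disabled" warning, then cross-checks the number of listed hits against the summary count and derives the follow-up `maldet -q <scan id>` command the report itself recommends. The embedded sample report is constructed from the lines shown above; the names `Hit`, `ScanSummary`, `parse_report` and `hits_by_signature` are chosen here and are not maldet names.

```python
"""Parse a Linux Malware Detect (maldet) scan report and summarise it.

Added example, not code from the original post or from maldet. The
sample report below is constructed from the output shown on the page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hit lines look like:  {HEX}php.malware.magento.598 : wp-content/themes/azul/404.php
HIT_RE = re.compile(r"^\{(?P<kind>[A-Z0-9]+)\}(?P<sig>\S+)\s*:\s*(?P<path>.+?)\s*$")
# Summary line:  ... scan completed on /: files 801291, malware hits 4, cleaned hits 0, time 90992s
SUMMARY_RE = re.compile(r"malware hits (?P<hits>\d+), cleaned hits (?P<cleaned>\d+)")
# Report id:  ... scan report saved, to view run: maldet --report 210713-0904.6737
REPORT_RE = re.compile(r"maldet --report (?P<scan_id>\S+)")
# Both phrasings maldet uses when quarantine_hits=0 (as in the report above)
QUARANTINE_OFF = ("quarantine is disabled", "quarantine is currently disabled")


@dataclass(frozen=True)
class Hit:
    kind: str   # signature class: HEX, MD5, YARA, USER
    sig: str    # signature name, e.g. php.malware.magento.598
    path: str   # path as printed (relative when the report has been redacted)


@dataclass
class ScanSummary:
    scan_id: Optional[str] = None
    hits: List[Hit] = field(default_factory=list)
    reported_hits: Optional[int] = None
    cleaned_hits: Optional[int] = None
    quarantine_disabled: bool = False

    def consistent(self) -> bool:
        """True when the listed hit lines match the count in the summary line."""
        return self.reported_hits is None or self.reported_hits == len(self.hits)

    def quarantine_command(self) -> Optional[str]:
        """The follow-up command maldet itself suggests when quarantine is off."""
        if self.quarantine_disabled and self.scan_id:
            return f"maldet -q {self.scan_id}"
        return None


def parse_report(text: str) -> ScanSummary:
    """Walk the report line by line and collect hits, counts, scan id and warnings."""
    summary = ScanSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HIT_RE.match(line)
        if m:
            summary.hits.append(Hit(m["kind"], m["sig"], m["path"]))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            summary.reported_hits = int(m["hits"])
            summary.cleaned_hits = int(m["cleaned"])
        m = REPORT_RE.search(line)
        if m:
            summary.scan_id = m["scan_id"]
        if any(marker in line.lower() for marker in QUARANTINE_OFF):
            summary.quarantine_disabled = True
    return summary


def hits_by_signature(summary: ScanSummary) -> Dict[str, int]:
    """Count hits per signature; repeated entries are separate files, not duplicates."""
    counts: Dict[str, int] = {}
    for hit in summary.hits:
        counts[hit.sig] = counts.get(hit.sig, 0) + 1
    return counts


# Constructed sample, built from the report lines shown on the page (host redacted).
SAMPLE_REPORT = """\
maldet(6737): {scan} 801291/801291 files scanned: 4 hits 0 cleaned
maldet(6737): {scan} scan completed on /: files 801291, malware hits 4, cleaned hits 0, time 90992s
maldet(6737): {scan} scan report saved, to view run: maldet --report 210713-0904.6737
maldet(6737): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 210713-0904.6737
report - HOST:
SCAN ID:   210713-0904.6737
PATH:          /
TOTAL FILES:   801291

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
{HEX}php.malware.magento.598 : wp-content/themes/azul/404.php
{HEX}php.nested.base64.648 : wp-content/plugins/wp-page-numbers/stylish/img/pogey.php
{HEX}php.malware.magento.598 : wp-content/themes/azul/404.php
{HEX}php.nested.base64.648 : wp-content/plugins/wp-page-numbers/stylish/img/pogey.php
"""

if __name__ == "__main__":
    result = parse_report(SAMPLE_REPORT)
    print(f"scan {result.scan_id}: {len(result.hits)} hits listed, "
          f"summary says {result.reported_hits}, consistent={result.consistent()}")
    for sig, n in hits_by_signature(result).items():
        print(f"  {sig}: {n} file(s)")
    if result.quarantine_command():
        print("quarantine is off; to quarantine this scan's hits run:", result.quarantine_command())
```

Note that the two repeated signature lines in the report are kept as four separate hits: the full paths were redacted, and the summary line's "malware hits 4" confirms they are four distinct files (the same relative paths under two sites), which is exactly what the consistency check is there to catch.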
