Linux Malware Detect (LMD) in RHEL, CentOS 6.x and Fedora 16/17/18

Let’s use the same definition of rfxn, Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 License. It is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV.

This is my test system information:

[root@Centos ~]# cat /etc/issue
 CentOS release 6.4 (Final) Kernel \r on an \m

[root@Centos ~]# uname -a
 Linux Centos 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Download the latest version:

[root@Centos ~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

--2013-04-23 23:34:27-- http://www.rfxn.com/downloads/maldetect-current.tar.gz
Resolving www.rfxn.com... 129.121.132.46 Connecting to www.rfxn.com|129.121.132.46|:80... connected.
HTTP request sent, awaiting response... 200 OK Length: 811434 (792K) [application/x-gzip]
Saving to: maldetect-current.tar.gz

Extract and begin installation:

[root@Centos ~]# tar -zxvf maldetect-current.tar.gz
[root@Centos ~]# cd maldetect-1.4.2/
[root@Centos maldetect-1.4.2]# ./install.sh 
Linux Malware Detect v1.4.1
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(1488): {sigup} performing signature update check...
maldet(1488): {sigup} local signature set is version 201205035915
maldet(1488): {sigup} new signature set (2013041816820) available
maldet(1488): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(1488): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(1488): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(1488): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(1488): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(1488): {sigup} signature set update completed
maldet(1488): {sigup} 11203 signatures (9335 MD5 / 1868 HEX)

The location of the config file:

/usr/local/maldetect/conf.maldet

Scan your own web directory:

[root@Centos maldetect-1.4.2]# maldet --scan-all /var/www/
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(1636): {scan} signatures loaded: 11203 (9335 MD5 / 1868 HEX)
maldet(1636): {scan} building file list for /var/www/, this might take awhile...
maldet(1636): {scan} file list completed, found 5389 files...

The scan will take some time and will generate a report. So please check the log report if any malware is found.