Log in to the DirectAdmin server via SSH as root, or use sudo to get root access.
Execute the commands below:
# cd /usr/local/src/
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzf maldetect-current.tar.gz
# cd maldetect-*
# ./install.sh
Output of the install.sh script:
Linux Malware Detect v1.5
(C) 2002-2016, R-fx Networks <proj@r-fx.org>
(C) 2016, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(2784): {sigup} performing signature update check...
maldet(2784): {sigup} local signature set is version 2016063011816
maldet(2784): {sigup} new signature set (2016063019179) available
maldet(2784): {sigup} downloading http://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(2784): {sigup} downloading http://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(2784): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(2784): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(2784): {sigup} verified md5sum of maldet-clean.tgz
maldet(2784): {sigup} unpacked and installed maldet-clean.tgz
maldet(2784): {sigup} signature set update completed
maldet(2784): {sigup} 10904 signatures (8987 MD5 / 1917 HEX / 0 USER)
Remove the downloaded tarball, which is no longer needed:
# rm /usr/local/src/maldetect-current.tar.gz
You can run a Linux Malware Detect scan now and it will work. However, it will not use ClamAV's definitions if you did not install the clamav scanner beforehand, and without clamav installed maldet scans take noticeably longer to complete. The PHP malware detection rate is also low without the Malware Expert signatures.
Updating the application
To update maldet manually, run -d to update the program version and -u to update the signature set:
# maldet -d
# maldet -u
Configuring Linux Malware Detect (Maldet)
Every option in the configuration file is documented with comments, so configure it according to your needs. Before making any changes, review the main options below.
Open the file /usr/local/maldetect/conf.maldet and make changes according to your needs:
# nano /usr/local/maldetect/conf.maldet
- email_alert : If you would like to receive email alerts, set this to 1.
- email_addr : The email address that receives the malware alerts.
- quarantine_hits : The default quarantine action for malware hits; it should be set to 0.
- quarantine_clean : Cleaning of detected malware injections; it should be set to 0.
- quarantine_suspend_user : The default suspend action for users with hits; set it as per your requirements.
- quarantine_suspend_user_minuid : The minimum user id that can be suspended.
Running a full malware scan of user home directories
First, I suggest a full scan of the user home directories to detect and clean malware.
The command below scans all files and directories in the public_html directories under /home, which is where the web content of DirectAdmin accounts is stored:
# maldet -a /home/?/domains/?/public_html
Later you can restrict the scan to, for example, only .php files:
# maldet --include-regex ".*\.php$" -a /home/?/domains/?/public_html
Below is a sample output of what you should see:
root@server [~]# maldet -a /home/?/domains/?/public_html
Linux Malware Detect v1.5
(C) 2002-2016, R-fx Networks <proj@rfxn.com>
(C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(17421): {scan} signatures loaded: 10906 (8988 MD5 / 1918 HEX / 0 USER)
maldet(17421): {scan} building file list for /home/*/domains/*/public_html, this might take awhile...
maldet(17421): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(17421): {scan} file list completed in 0s, found 5817 files...
maldet(17421): {scan} found clamav binary at /usr/local/bin/clamscan, using clamav scanner engine...
maldet(17421): {scan} scan of /home/*/domains/*/public_html (5817 files) in progress...
maldet(15196): {scan} scan completed on /home/*/domains/*/public_html: files 1124974, malware hits 0, cleaned hits 0
maldet(15196): {scan} scan report saved, to view run: maldet --report 013344-1347.5196
root@server [~]#
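A scan like the one above is only useful if someone reads the result. The wrapper below is an added example, not part of the guide or of maldet itself: it runs the same public_html scan, parses the "scan completed" and "scan report saved" lines maldet prints, and exits non-zero only when hits were found, so a cron job or monitoring hook fires on real findings and not on every run. The function names and the sample output are my own constructions.

```shell
#!/bin/sh
# Added example (not from the guide): alert on maldet hits from a cron wrapper.
# Assumes maldet is installed as in the guide and DirectAdmin sites live under
# /home/<user>/domains/<domain>/public_html.

# Constructed sample of maldet's final output lines, modelled on the guide's
# output; the pid, counts and report id are made up for the test.
SAMPLE_OUTPUT='maldet(15196): {scan} scan completed on /home/*/domains/*/public_html: files 5817, malware hits 2, cleaned hits 0
maldet(15196): {scan} scan report saved, to view run: maldet --report 013344-1347.5196'

# Read captured maldet output on stdin and print the malware hit count.
# Prints -1 when no "scan completed" line exists (scan aborted or still running),
# so a silent failure is never mistaken for a clean result.
maldet_hits() {
    hits=$(sed -n 's/.*scan completed on .*: files [0-9]*, malware hits \([0-9]*\),.*/\1/p' | head -n 1)
    if [ -z "$hits" ]; then
        printf '%s\n' '-1'
    else
        printf '%s\n' "$hits"
    fi
}

# Read captured maldet output on stdin and print the id for "maldet --report".
maldet_report_id() {
    sed -n 's/.*maldet --report \([0-9.-]*\).*/\1/p' | head -n 1
}

# Scan every DirectAdmin public_html directory.
# Exit status: 0 = clean, 1 = hits found, 2 = scan did not complete.
scan_directadmin_sites() {
    out=$(maldet -a '/home/?/domains/?/public_html' 2>&1)
    hits=$(printf '%s\n' "$out" | maldet_hits)
    if [ "$hits" -lt 0 ]; then
        echo "maldet scan did not complete; last output: $(printf '%s\n' "$out" | tail -n 1)" >&2
        return 2
    fi
    if [ "$hits" -gt 0 ]; then
        report=$(printf '%s\n' "$out" | maldet_report_id)
        echo "maldet found $hits malware hit(s); review with: maldet --report $report" >&2
        return 1
    fi
    return 0
}

# Run the scan only when invoked as: sh maldet-check.sh --run
# (so sourcing the file just defines the functions).
[ "${1:-}" = "--run" ] && scan_directadmin_sites
```

Because cron mails any output and the wrapper writes only on problems, wiring it into /etc/cron.daily gives one mail per finding instead of one per scan.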
Malware Expert Signatures
You can also install the Malware Expert Signatures to improve the PHP malware detection rate.
More info here