Install Maldet cPanel Server

Login to cPanel server via SSH as the root user.

Execute the below commands:

# cd /usr/local/src/
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzf maldetect-current.tar.gz
# cd maldetect-*
# sh ./install.sh

Output install.sh script

Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.5
            (C) 2002-2016, R-fx Networks <proj@r-fx.org>
            (C) 2016, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(2784): {sigup} performing signature update check...
maldet(2784): {sigup} local signature set is version 2016063011816
maldet(2784): {sigup} new signature set (2016063019179) available
maldet(2784): {sigup} downloading http://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(2784): {sigup} downloading http://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(2784): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(2784): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(2784): {sigup} verified md5sum of maldet-clean.tgz
maldet(2784): {sigup} unpacked and installed maldet-clean.tgz
maldet(2784): {sigup} signature set update completed
maldet(2784): {sigup} 10904 signatures (8987 MD5 / 1917 HEX / 0 USER)

Remove unused gzipped tar file

# rm /usr/local/src/maldetect-current.tar.gz

You can run a Linux Malware Detect scan now, it would run with no problem. However, it would not include ClamAV’s definitions, if you not before installed ClamAV scanner. Maldet without installed ClamAV slowing down the scan completion time. Also threat detection ratio is low without malware expert signatures.

Updating the application

Manually update maldet

# maldet -d
# maldet -u

Configuring Linux Malware Detect (Maldet)

By default all options are fully commented in the configuration file, so configure it according to your needs. But before making any changes let’s have a detailed review of each option below.

Open file /usr/local/maldetect/conf.maldet and make changes according to your needs

# nano /usr/local/maldetect/conf.maldet
  1. email_alert : If you would like to receive email alerts, then it should be set to 1.
  2. email_addr : Add your email address to receive malware alerts.
  3. quarantine_hits : The default quarantine action for malware hits, it should be set 0.
  4. quarantine_clean : Cleaning detected malware injections, it should be set 0.
  5. quarantine_suspend_user : The default suspend action for users wih hits, set it as per your requirements.
  6. quarantine_suspend_user_minuid : Minimum userid that can be suspended.

Running full malware scan user home directories

First i suggest full scan user home directories to detect and clean malware:

The Bellow command will scan all files and directories within the /home directory, which is where the content for cPanel accounts is stored.

# maldet -a /home/?

Later you can only scan example all .php files. Command Below:

#maldet --include-regex ".*.php$" -a /home/?/public_html

Below is a sample output of what you should see:

root@server [~]# maldet -a /home/?
Linux Malware Detect v1.5.0
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(15196): {scan} signatures loaded: 10727 (8823 MD5 / 1904 HEX)
maldet(15196): {scan} building file list for /home/*, this might take awhile...
maldet(15196): {scan} file list completed, found 1124974 files...
maldet(15196): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(15196): {scan} scan of /home/* (1124974 files) in progress...

maldet(15196): {scan} scan completed on /home/*: files 1124974, malware hits 0, cleaned hits 0
maldet(15196): {scan} scan report saved, to view run: maldet --report 013344-1347.5196
root@server [~]#