Login to cPanel server via SSH as the root user.
Execute the commands below:
# cd /usr/local/src/
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzf maldetect-current.tar.gz
# cd maldetect-*
# sh ./install.sh
Output of the install.sh script:
Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.5
            (C) 2002-2016, R-fx Networks <proj@r-fx.org>
            (C) 2016, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(2784): {sigup} performing signature update check...
maldet(2784): {sigup} local signature set is version 2016063011816
maldet(2784): {sigup} new signature set (2016063019179) available
maldet(2784): {sigup} downloading http://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(2784): {sigup} downloading http://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(2784): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(2784): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(2784): {sigup} verified md5sum of maldet-clean.tgz
maldet(2784): {sigup} unpacked and installed maldet-clean.tgz
maldet(2784): {sigup} signature set update completed
maldet(2784): {sigup} 10904 signatures (8987 MD5 / 1917 HEX / 0 USER)
Remove the tarball, which is no longer needed:
# rm /usr/local/src/maldetect-current.tar.gz
You can run a Linux Malware Detect scan now and it will work without problems. However, it will not use ClamAV's definitions unless the ClamAV scanner was installed beforehand. Without ClamAV installed, maldet scans take longer to complete, and the detection rate is lower without those additional signatures.
Updating the application
To update maldet manually, run the commands below (-d updates the maldet program itself, -u updates the signature set):
# maldet -d
# maldet -u
Configuring Linux Malware Detect (Maldet)
By default all options in the configuration file are fully commented, so configure it according to your needs. But before making any changes, let's have a detailed look at each option below.
Open the file /usr/local/maldetect/conf.maldet and make changes according to your needs:
# nano /usr/local/maldetect/conf.maldet
- email_alert : Set this to 1 if you would like to receive email alerts.
- email_addr : The email address that receives the malware alerts.
- quarantine_hits : The default quarantine action for malware hits; it should be set to 0.
- quarantine_clean : Cleaning of detected malware injections; it should be set to 0.
- quarantine_suspend_user : The default suspend action for users with hits; set it as per your requirements.
- quarantine_suspend_user_minuid : The minimum user ID that can be suspended.
Running a full malware scan of the user home directories
First, I suggest a full scan of the user home directories to detect and clean malware.
The command below scans all files and directories within /home, which is where the content of the cPanel accounts is stored:
# maldet -a /home/?
Later you can restrict the scan, for example to all .php files only, with the command below (note the escaped dot in the regex, so that only files whose extension is exactly .php are matched):
# maldet --include-regex ".*\.php$" -a /home/?/public_html
Below is a sample output of what you should see:
root@server [~]# maldet -a /home/?
Linux Malware Detect v1.5.0
            (C) 2002-2013, R-fx Networks <proj@r-fx.org>
            (C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(15196): {scan} signatures loaded: 10727 (8823 MD5 / 1904 HEX)
maldet(15196): {scan} building file list for /home/*, this might take awhile...
maldet(15196): {scan} file list completed, found 1124974 files...
maldet(15196): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(15196): {scan} scan of /home/* (1124974 files) in progress...
maldet(15196): {scan} scan completed on /home/*: files 1124974, malware hits 0, cleaned hits 0
maldet(15196): {scan} scan report saved, to view run: maldet --report 013344-1347.5196
root@server [~]#
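The summary lines at the end of a scan, as shown above, are what a cron wrapper should act on. The script below is an added example, not code from the article or from the maldet project: it parses those summary lines, extracts the file count, hit counts and report id, and returns non-zero when hits were found, so that a scheduled scan can fail loudly. The scan output it runs on is a constructed sample modelled on the article's run; the hit counts in it are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article or the maldet project):
# parse the "scan completed" / "scan report saved" lines that maldet prints
# at the end of a scan and turn them into a pass/fail result for cron.

# Constructed sample of maldet's end-of-scan output (numbers are made up).
SAMPLE_SCAN_OUTPUT='maldet(15196): {scan} scan of /home/* (1124974 files) in progress...
maldet(15196): {scan} scan completed on /home/*: files 1124974, malware hits 2, cleaned hits 0
maldet(15196): {scan} scan report saved, to view run: maldet --report 013344-1347.5196'

# Print one numeric field of the "scan completed" line.
# Usage: scan_field "<scan output>" "files" | "malware hits" | "cleaned hits"
scan_field() {
    printf '%s\n' "$1" \
        | sed -n "s/.*{scan} scan completed on .*[:,] $2 \([0-9][0-9]*\).*/\1/p" \
        | head -n 1
}

# Print the report id that "maldet --report <id>" expects.
scan_report_id() {
    printf '%s\n' "$1" \
        | sed -n 's/.*{scan} scan report saved, to view run: maldet --report \([^ ]*\).*/\1/p' \
        | head -n 1
}

# True (exit 0) when the scan reported at least one malware hit.
scan_has_hits() {
    hits=$(scan_field "$1" "malware hits")
    [ -n "$hits" ] && [ "$hits" -gt 0 ]
}

# Summarise the scan on stdout. Exit 0 = clean, 1 = hits found,
# 2 = no summary line (scan did not complete).
check_scan() {
    files=$(scan_field "$1" files)
    [ -n "$files" ] || { echo "no scan summary found, scan did not complete" >&2; return 2; }
    echo "files=$files hits=$(scan_field "$1" "malware hits") cleaned=$(scan_field "$1" "cleaned hits") report=$(scan_report_id "$1")"
    if scan_has_hits "$1"; then
        echo "malware hits found, review with: maldet --report $(scan_report_id "$1")" >&2
        return 1
    fi
    return 0
}

# In a cron job the real scan would be fed in, e.g.
#   check_scan "$(maldet -a /home/? 2>&1)"
# Here we only run it on the constructed sample, which reports 2 hits.
check_scan "$SAMPLE_SCAN_OUTPUT" || echo "wrapper exit status: $?"
```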