
Install Linux Malware Detect & ClamAV on Debian

LMD (Linux Malware Detect) is an open-source malware detector for Linux operating systems. LMD is designed specifically for hosting environments, especially for users of standalone and shared VPS hosting, to detect and remove malware threats.

For Debian/Ubuntu users, LMD is not available in the base repositories as a prebuilt package, but you can get LMD as a tarball from the official project website.

Download the latest version of LMD from the official link below:
Linux Malware Detect v1.6.2 is the latest version

The installation steps are as follows (it is best to use root access):

1. Download the package with curl:

root@saksenengku:~# cd /tmp/
root@saksenengku:/tmp# curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1512k  100 1512k    0     0  2302k      0 --:--:-- --:--:-- --:--:-- 2306k

2. Unpack the tarball

root@saksenengku:/tmp# tar -zxvf maldetect-current.tar.gz
root@saksenengku:/tmp# cd maldetect-1.6.4/
root@saksenengku:/tmp/maldetect-1.6.4# ./install.sh
Created symlink /etc/systemd/system/multi-user.target.wants/maldet.service → /usr/lib/systemd/system/maldet.service.
update-rc.d: error: unable to read /etc/init.d/maldet
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@r-fx.org>
            (C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(5515): {sigup} performing signature update check...
maldet(5515): {sigup} local signature set is version 201907043616
maldet(5515): {sigup} new signature set 202111222873613 available
maldet(5515): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(5515): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(5515): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(5515): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(5515): {sigup} verified md5sum of maldet-clean.tgz
maldet(5515): {sigup} unpacked and installed maldet-clean.tgz
maldet(5515): {sigup} signature set update completed
maldet(5515): {sigup} 17258 signatures (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)

3. Configure Maldet
Edit the configuration with vi or nano:

root@saksenengku:~# vi /usr/local/maldetect/conf.maldet
# Enable email alerting
email_alert="1"

# Email address that scan reports are sent to
email_addr="you@domain.com"

# Use ClamAV as the scanner engine when it is installed
scan_clamscan="1"

# Scan root-owned files as well (set to 1 to skip them)
scan_ignore_root="0"

# Move detected threats to quarantine
quarantine_hits="1"

# Clean string-based malware injections
quarantine_clean="1"

# Suspend the owning user when malware is found
quarantine_suspend_user="1"

# Minimum user id that may be suspended
quarantine_suspend_user_minuid="500"
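The settings above are normally applied by hand in an editor. As an added example that is not part of the original post or of LMD itself, the POSIX shell functions below apply the same step-3 settings to a conf.maldet idempotently (replace the line if the key exists, append it otherwise) and read values back so the result can be checked. It assumes the one-option-per-line `key="value"` format shown above; `make_sample_conf` builds a constructed stand-in file for the demo, and `you@domain.com` is a placeholder address. One deliberate divergence, commented in the code: Debian creates regular users from UID 1000 and keeps system accounts in 100-999, so the example uses 1000 rather than 500 as the suspension floor.

```shell
#!/bin/sh
# Added example (not from the original post or from LMD): set the conf.maldet
# options recommended in step 3 idempotently and read them back to verify.
# Assumes the one-option-per-line `key="value"` format shown in the post.
set -eu

# set_maldet_opt FILE KEY VALUE: replace an existing KEY="..." line or append it.
set_maldet_opt() {
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        # GNU sed (Debian) in-place edit; BSD sed would need -i ''
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_maldet_opt FILE KEY: print the value of KEY without quotes, or nothing.
get_maldet_opt() {
    sed -n "s|^${2}=\"\(.*\)\"\$|\1|p" "$1" | head -n 1
}

# apply_hosting_settings FILE: the settings the post enables in step 3.
apply_hosting_settings() {
    set_maldet_opt "$1" email_alert 1
    set_maldet_opt "$1" email_addr "you@domain.com"   # placeholder address
    set_maldet_opt "$1" scan_clamscan 1
    set_maldet_opt "$1" scan_ignore_root 0
    set_maldet_opt "$1" quarantine_hits 1
    set_maldet_opt "$1" quarantine_clean 1
    set_maldet_opt "$1" quarantine_suspend_user 1
    # Debian: regular users start at UID 1000, system accounts use 100-999.
    # The post uses 500; 1000 avoids ever suspending a system account.
    set_maldet_opt "$1" quarantine_suspend_user_minuid 1000
}

# make_sample_conf FILE: constructed stand-in for conf.maldet with stock-like
# defaults (alerts off, nothing quarantined); not the real shipped file.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not the real shipped conf.maldet
email_alert="0"
email_addr="you@domain.com"
scan_clamscan="1"
quarantine_hits="0"
quarantine_clean="0"
EOF
}

# Stand-alone demo on a temporary file; on a real host pass
# /usr/local/maldetect/conf.maldet to apply_hosting_settings instead.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    apply_hosting_settings "$tmp"
    cat "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh script.sh demo` to see the rewritten sample. Because `set_maldet_opt` replaces rather than appends when a key already exists, the script can be re-run after every LMD upgrade without leaving duplicate keys, and `get_maldet_opt` gives a one-line check that the value actually took.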

Alongside Maldet, you can also combine it with ClamAV; install it as follows:

root@saksenengku:~# apt-get -y install clamav clamav-daemon clamdscan

By default, ClamAV integration with LMD is already active.


For a manual scan, use the following options:

root@saksenengku:~# clamscan -i -r ~/

4. Update and check the signatures on your Linux VPS with LMD

root@saksenengku:~# maldet -d
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@rfxn.com>
(C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7703): {update} checking for available updates...
maldet(7703): {update} hashing install files and checking against server...
maldet(7703): {update} latest version already installed.
root@saksenengku:~# maldet -u
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7843): {sigup} performing signature update check...
maldet(7843): {sigup} local signature set is version 202111222873613
maldet(7843): {sigup} latest signature set already installed.

5. Scan your Linux VPS with LMD
The command is as follows:
maldet -a [folder to scan]
The default used here is maldet -a /tmp

The following example shows a folder that was hit by malware:

root@saksenengku:~# maldet -a /tmp
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@rfxn.com>
(C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(8051): {scan} signatures loaded: 17258 (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(8051): {scan} building file list for /tmp, this might take awhile...
maldet(8051): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(8051): {scan} file list completed in 0s, found 90 files...
maldet(8051): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(8051): {scan} scan of /tmp (90 files) in progress...
maldet(8051): {clean} could not find clean rule for hit php.gzbase64.inject or file /usr/local/maldetect/quarantine/rfxn.yara.510915085 no longer exists.
maldet(8051): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(8051): {clean} could not find clean rule for hit php.gzbase64.inject or file /usr/local/maldetect/quarantine/gzbase64.inject.unclassed.228613307 no longer exists.
maldet(8051): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(8051): {clean} could not find clean rule for hit php.gzbase64.inject or file /usr/local/maldetect/quarantine/maldetect-current.tar.gz.2215023982 no longer exists.
maldet(8051): {scan} processing scan results for hits: 3 hits 0 cleaned
maldet(8051): {scan} scan completed on /tmp: files 90, malware hits 3, cleaned hits 0, time 1s
maldet(8051): {scan} scan report saved, to view run: maldet --report 211125-1101.8051

Repeat the scan until it is really clean, with no malware hits:

maldet(8580): {scan} scan completed on /tmp: files 84, malware hits 0, cleaned hits 0, time 1s
maldet(8580): {scan} scan report saved, to view run: maldet --report 211125-1103.8580

Display the report of the malware hits as follows:

root@saksenengku:~# maldet --report 211125-1101.8051
HOST:      saksenengku.com
SCAN ID:   211125-1101.8051
STARTED:   Nov 25 2021 11:01:05 +0700
COMPLETED: Nov 25 2021 11:01:06 +0700
ELAPSED:   1s [find: 0s]

PATH:          /tmp
TOTAL FILES:   90
TOTAL HITS:    3
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/sigs/rfxn.yara => /usr/local/maldetect/quarantine/rfxn.yara.510915085
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed => /usr/local/maldetect/quarantine/gzbase64.inject.unc$
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-current.tar.gz => /usr/local/maldetect/quarantine/maldetect-current.tar.gz.2215023982
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >
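One thing worth noticing in the report above is where the three hits came from: the LMD signature file `files/sigs/rfxn.yara`, the clean rule `files/clean/gzbase64.inject.unclassed`, and the downloaded tarball that contains both. They match the `php.gzbase64.inject` HEX signature because they contain the very patterns LMD searches for, so scanning `/tmp` while the unpacked LMD tarball still sits there quarantines LMD's own files rather than an infection. As an added example that is not part of the original post or of LMD, the POSIX shell script below parses the plain-text `maldet --report` format shown above, extracts the `FILE HIT LIST`, cross-checks it against `TOTAL HITS`, and separates hits on LMD's own tree from hits that need a human look. The report text embedded in `SAMPLE_REPORT` is constructed for the demo (modelled on the page's report; the third hit, its signature name and its paths are invented), and the `self`/`review` split is this script's own heuristic, not something LMD provides.

```shell
#!/bin/sh
# Added example (not from the original post or from LMD): parse the output of
# `maldet --report <SCANID>` and flag hits on LMD's own files in /tmp.
set -eu

# Constructed sample modelled on the report in the post. The third hit
# (signature name, source and quarantine paths) is invented for the demo.
SAMPLE_REPORT='HOST:      host.example
SCAN ID:   211125-1101.8051
STARTED:   Nov 25 2021 11:01:05 +0700
COMPLETED: Nov 25 2021 11:01:06 +0700
ELAPSED:   1s [find: 0s]

PATH:          /tmp
TOTAL FILES:   90
TOTAL HITS:    3
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/sigs/rfxn.yara => /usr/local/maldetect/quarantine/rfxn.yara.510915085
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-current.tar.gz => /usr/local/maldetect/quarantine/maldetect-current.tar.gz.2215023982
{HEX}php.constructed.example.001 : /tmp/uploads/img.php => /usr/local/maldetect/quarantine/img.php.000000000
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >'

# report_field REPORT_TEXT FIELD: value of a "FIELD:   value" header line.
report_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# report_hits REPORT_TEXT: one line per hit as "<sig>TAB<source>TAB<quarantine>",
# taken from the block between "FILE HIT LIST:" and the "====" footer.
report_hits() {
    printf '%s\n' "$1" | awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        /^=+$/            { inlist = 0 }
        inlist && / : / && / => / {
            # line shape: <sig> : <source path> => <quarantine path>
            sig = $1
            split($0, a, " : ")
            split(a[2], b, " => ")
            printf "%s\t%s\t%s\n", sig, b[1], b[2]
        }'
}

# classify_hit SOURCE_PATH: "self" when the file is part of LMD itself (the
# unpacked tarball, the tarball, or the quarantine dir), which contains the
# signature patterns by design; anything else is "review" for manual triage.
classify_hit() {
    case $1 in
        /tmp/maldetect-*/files/*|/tmp/maldetect-current.tar.gz|/usr/local/maldetect/*)
            echo self ;;
        *)
            echo review ;;
    esac
}

# hit_summary REPORT_TEXT: print "total=N self=N review=N".
hit_summary() {
    total=0 self=0 review=0
    tab=$(printf '\t')
    while IFS="$tab" read -r sig src quar; do
        [ -n "$sig" ] || continue
        total=$((total + 1))
        if [ "$(classify_hit "$src")" = self ]; then
            self=$((self + 1))
        else
            review=$((review + 1))
        fi
    done <<EOF
$(report_hits "$1")
EOF
    echo "total=$total self=$self review=$review"
}

# hits_consistent REPORT_TEXT: succeed when the listed hits match TOTAL HITS,
# a cheap check that the report was not truncated (as the "$" cut above shows).
hits_consistent() {
    listed=$(report_hits "$1" | wc -l | tr -d ' ')
    [ "$listed" -eq "$(report_field "$1" 'TOTAL HITS')" ]
}

# Stand-alone demo: `sh script.sh demo`, or pipe a real report in with
# `maldet --report <SCANID> | sh script.sh -`.
case "${1:-}" in
    demo) hit_summary "$SAMPLE_REPORT" ;;
    -)    hit_summary "$(cat)" ;;
esac
```

On the page's own report every hit would be classed `self`, which is the signal to delete the tarball and the unpacked `maldetect-1.6.4` tree from `/tmp` after installation (the second scan in the post, with 84 files and 0 hits, is what that looks like). A `review` hit is the one to inspect by hand before trusting `quarantine_clean` or restoring anything from `/usr/local/maldetect/quarantine`.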

Hopefully this article is useful and helps friends who run a Linux VPS, especially those hit by a malware attack.


Regards

Saksenengku Network
