LMD (Linux Malware Detect) is an open source malware detector for the Linux operating system. LMD is designed specifically for hosting environments, above all for users of standalone or shared VPS hosting, to detect and remove malware threats.
For Debian/Ubuntu users, LMD is not available in the base repositories as a pre-built package, but you can get LMD as a tarball from the official project website.
Download the latest version of LMD from the following official link:
Linux Malware Detect v1.6.2 is the latest version.
Here are the installation steps (preferably done with root access):
1. Download the package with curl:
root@saksenengku:~# cd /tmp/
root@saksenengku:/tmp# curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1512k  100 1512k    0     0  2302k      0 --:--:-- --:--:-- --:--:-- 2306k
2. Unpack the tarball and run the installer:
root@saksenengku:/tmp# tar -zxvf maldetect-current.tar.gz
root@saksenengku:/tmp# cd maldetect-1.6.2/
root@saksenengku:/tmp/maldetect-1.6.4# ./install.sh
Created symlink /etc/systemd/system/multi-user.target.wants/maldet.service → /usr/lib/systemd/system/maldet.service.
update-rc.d: error: unable to read /etc/init.d/maldet
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@r-fx.org>
            (C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(5515): {sigup} performing signature update check...
maldet(5515): {sigup} local signature set is version 201907043616
maldet(5515): {sigup} new signature set 202111222873613 available
maldet(5515): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(5515): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(5515): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(5515): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(5515): {sigup} verified md5sum of maldet-clean.tgz
maldet(5515): {sigup} unpacked and installed maldet-clean.tgz
maldet(5515): {sigup} signature set update completed
maldet(5515): {sigup} 17258 signatures (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)
3. Configure Maldet
Edit the configuration with vi or nano:
root@saksenengku:~# vi /usr/local/maldetect/conf.maldet
# Enable email alerting
email_alert="1"

# Email address at which you want to receive scan reports
email_addr="you@domain.com"

# Use with ClamAV
scan_clamscan="1"

# Enable scanning for root-owned files. Set 1 to disable.
scan_ignore_root="0"

# Move threats to quarantine
quarantine_hits="1"

# Clean string-based malware injections
quarantine_clean="1"

# Suspend the user if malware is found.
quarantine_suspend_user="1"

# Minimum userid value that can be suspended
quarantine_suspend_user_minuid="500"
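Setting these options by hand in vi works for one server, but a script that applies and then verifies them is easier to repeat and to audit. The following is an added example, not code from the original post or from the LMD project. It edits key="value" lines in a conf.maldet-style file idempotently, applies the settings listed above, and reports any option that does not have the wanted value. The config path in the usage comment and the sample file written by write_sample_conf are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from the LMD project.
# It sets the conf.maldet options listed above without editing by hand,
# and verifies the result, so the change can be repeated on many hosts.
# The config path and the sample file written by write_sample_conf are
# assumptions of this example.

# Print the value of OPTION ($2) from a key="value" style file ($1).
lmd_get_opt() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Set OPTION ($2) in file ($1) to VALUE ($3): replace the existing line if
# there is one, append otherwise, so running it twice changes nothing.
lmd_set_opt() {
    tmp="$1.tmp.$$"
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=\"$3\"|" "$1" > "$tmp" && mv "$tmp" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# The settings from the post, one "option value" pair per line.
# $1 is the address that should receive scan reports.
lmd_wanted_settings() {
    printf '%s\n' \
        "email_alert 1" \
        "email_addr $1" \
        "scan_clamscan 1" \
        "scan_ignore_root 0" \
        "quarantine_hits 1" \
        "quarantine_clean 1" \
        "quarantine_suspend_user 1" \
        "quarantine_suspend_user_minuid 500"
}

# Apply every wanted setting to file ($1), reports going to address ($2).
lmd_apply_settings() {
    lmd_wanted_settings "$2" | while read -r opt val; do
        lmd_set_opt "$1" "$opt" "$val"
    done
}

# Check file ($1) against the wanted settings for address ($2); print each
# mismatch and return 1 if there was any, 0 when everything matches.
lmd_verify_settings() {
    rc=0
    while read -r opt val; do
        cur=$(lmd_get_opt "$1" "$opt")
        if [ "$cur" != "$val" ]; then
            echo "MISMATCH $opt: have '$cur', want '$val'"
            rc=1
        fi
    done <<EOF
$(lmd_wanted_settings "$2")
EOF
    return $rc
}

# Write a constructed stand-in for a not yet edited conf.maldet to path ($1).
# The values are assumptions for this example, not a copy of the real file.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for this example, not a real conf.maldet
email_alert="0"
email_addr="you@domain.com"
scan_clamscan="1"
scan_ignore_root="0"
quarantine_hits="0"
quarantine_clean="0"
quarantine_suspend_user="0"
quarantine_suspend_user_minuid="500"
EOF
}

# Usage on a real host (run as root, as in the post):
#   lmd_apply_settings /usr/local/maldetect/conf.maldet you@domain.com
#   lmd_verify_settings /usr/local/maldetect/conf.maldet you@domain.com
```

lmd_verify_settings is the part worth keeping in a cron job or configuration check: it prints every option whose value drifted from what you intended, which is how you notice that quarantine or alerting was silently switched off on one host.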
Besides Maldet on its own, you can also combine it with ClamAV, installed as follows:
root@saksenengku:~# apt-get -y install clamav clamav-daemon clamdscan
By default, LMD's use of ClamAV is already enabled.
For a manual scan, use the following options:
root@saksenengku:~# clamscan -i -r ~/
4. Update LMD and check its signatures on your Linux VPS
root@saksenengku:~# maldet -d
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7703): {update} checking for available updates...
maldet(7703): {update} hashing install files and checking against server...
maldet(7703): {update} latest version already installed.

root@saksenengku:~# maldet -u
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7843): {sigup} performing signature update check...
maldet(7843): {sigup} local signature set is version 202111222873613
maldet(7843): {sigup} latest signature set already installed.
5. Scan your Linux VPS with LMD
The command is as follows:
maldet -a [folder to scan]
By default: maldet -a /tmp
The following example shows a folder with malware hits:
root@saksenengku:~# maldet -a /tmp
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(8051): {scan} signatures loaded: 17258 (14436 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(8051): {scan} building file list for /tmp, this might take awhile...
maldet(8051): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(8051): {scan} file list completed in 0s, found 90 files...
maldet(8051): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(8051): {scan} scan of /tmp (90 files) in progress...
maldet(8051): {clean} could not find clean rule for hit php.gzbase64.inject or file /usr/local/maldetect/quarantine/rfxn.yara.510915085 no longer exists.
maldet(8051): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(8051): {clean} could not find clean rule for hit php.gzbase64.inject or file /usr/local/maldetect/quarantine/gzbase64.inject.unclassed.228613307 no longer exists.
maldet(8051): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(8051): {clean} could not find clean rule for hit php.gzbase64.inject or file /usr/local/maldetect/quarantine/maldetect-current.tar.gz.2215023982 no longer exists.
maldet(8051): {scan} processing scan results for hits: 3 hits 0 cleaned
maldet(8051): {scan} scan completed on /tmp: files 90, malware hits 3, cleaned hits 0, time 1s
maldet(8051): {scan} scan report saved, to view run: maldet --report 211125-1101.8051
Repeat the scan until everything is really clean and there are no malware hits left:
maldet(8580): {scan} scan completed on /tmp: files 84, malware hits 0, cleaned hits 0, time 1s
maldet(8580): {scan} scan report saved, to view run: maldet --report 211125-1103.8580
To display the report of the malware hits:
root@saksenengku:~# maldet --report 211125-1101.8051
HOST:      saksenengku.com
SCAN ID:   211125-1101.8051
STARTED:   Nov 25 2021 11:01:05 +0700
COMPLETED: Nov 25 2021 11:01:06 +0700
ELAPSED:   1s [find: 0s]

PATH:          /tmp
TOTAL FILES:   90
TOTAL HITS:    3
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/sigs/rfxn.yara => /usr/local/maldetect/quarantine/rfxn.yara.510915085
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed => /usr/local/maldetect/quarantine/gzbase64.inject.unc$
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-current.tar.gz => /usr/local/maldetect/quarantine/maldetect-current.tar.gz.2215023982
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >
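Note that the three hits in the run above are LMD's own files left in /tmp by the installation (its YARA signature file, one of its clean rules, and the downloaded tarball) rather than foreign code; deleting the installer tarball and its unpacked directory after installing avoids such self-hits. The script below is an added example, not code from the original post or from the LMD project. It parses the "scan completed" summary line and the FILE HIT LIST of a `maldet --report` listing in the formats shown above, and rescans a path until a run reports zero hits, as the post recommends. MALDET_CMD is an assumption of this example: it defaults to the installed maldet, and can be pointed at a stand-in command when exercising the parsers without a real scan.

```shell
#!/bin/sh
# Added example, not code from the original post or from the LMD project.
# It parses the scan summary and the "maldet --report" listing shown above,
# and rescans a path until a run reports zero malware hits.
# MALDET_CMD is an assumption of this example: it defaults to the installed
# "maldet" binary, and a test can point it at a stand-in command instead.
MALDET_CMD=${MALDET_CMD:-maldet}

# Read a scan log on stdin; print the malware hit count from the line
# "... scan completed on PATH: files N, malware hits H, cleaned hits C, ...".
scan_hits() {
    sed -n 's/.*scan completed on .*: files [0-9]*, malware hits \([0-9]*\),.*/\1/p' | tail -n 1
}

# Read a scan log on stdin; print the report id from
# "... scan report saved, to view run: maldet --report ID".
scan_report_id() {
    sed -n 's/.*maldet --report \([0-9.-]*\).*/\1/p' | tail -n 1
}

# Read a "maldet --report ID" listing on stdin; print one line per hit as
# signature<TAB>original path<TAB>quarantine path ("-" when not quarantined).
report_hits() {
    awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        /^=+$/            { inlist = 0 }
        inlist && / : / {
            split($0, a, " : ")
            n = split(a[2], b, " => ")
            printf "%s\t%s\t%s\n", a[1], b[1], (n > 1 ? b[2] : "-")
        }'
}

# Scan PATH ($1) up to MAX ($2, default 5) times, stopping at the first run
# with zero hits. After each run with hits, print that run's hit list.
# Returns 0 when a clean run was reached, 1 when MAX runs still had hits,
# 2 when the scan output carried no summary line (maldet missing or failed).
scan_until_clean() {
    path=$1
    max=${2:-5}
    round=1
    while [ "$round" -le "$max" ]; do
        out=$($MALDET_CMD -a "$path" 2>&1) || true
        hits=$(printf '%s\n' "$out" | scan_hits)
        if [ -z "$hits" ]; then
            echo "round $round: no scan summary in output"
            return 2
        fi
        echo "round $round: malware hits $hits"
        if [ "$hits" -eq 0 ]; then
            return 0
        fi
        id=$(printf '%s\n' "$out" | scan_report_id)
        if [ -n "$id" ]; then
            $MALDET_CMD --report "$id" | report_hits
        fi
        round=$((round + 1))
    done
    return 1
}

# Usage on a real host (needs root, as in the post):
#   scan_until_clean /tmp 3
```

The return codes make the loop usable from cron or a deployment pipeline: 0 means the path ended clean, 1 means hits persisted across every round and need a human, and 2 means the scan itself did not run, which should be alerted on separately rather than read as "clean".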
Hopefully this article is useful and helps fellow Linux VPS users, especially those hit by a malware attack.
Regards,
Saksenengku Network