How to detect malware on Linux with LMD

Last updated on December 8, 2020 by Dan Nanni

If you are running a mission-critical web server, or managing shared hosting environments on Linux, chances are that you constantly watch out for potential threats from Linux malware such as viruses, trojans, rootkits and worms. While staying up-to-date with the latest server hardening guides is a must to prevent any future attack, you may wish to add malware detection tools to your arsenal for extra security.

Linux Malware Detect (LMD) is a free and open-source malware scanner for Linux. It is signature-based (MD5 file hashes plus hex byte patterns, as the signature counts in the output below show) and is aimed mainly at the web-facing malware seen on shared hosting, such as injected web scripts, so it complements rather than replaces host hardening and a rootkit checker. In this guide, I will show you how to install and configure LMD to scan for malware on your Linux system.

Install LMD on Linux

To install LMD, download the current release tarball, unpack it and run the installer as root. Note that both this download and the signature updates in the output below travel over plain HTTP, and install.sh runs with root privileges, so fetch over https:// where the server offers it and read the script before running it.

$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ tar xvfz maldetect-current.tar.gz
$ cd maldetect-1.4.2
$ sudo ./install.sh
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks 
            (C) 2011, Ryan MacDonald 
inotifywait (C) 2007, Rohan McGovern 
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(6073): {sigup} performing signature update check...
maldet(6073): {sigup} local signature set is version 201205035915
maldet(6073): {sigup} new signature set (2013031328301) available
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(6073): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(6073): {sigup} signature set update completed
maldet(6073): {sigup} 10849 signatures (8981 MD5 / 1868 HEX)

The installer also adds a daily cron job, /etc/cron.daily/maldet, which checks for a newer LMD release and for updated malware signatures and installs them automatically. The same job then scans files changed in the last two days under the default web-root paths; if the inotify real-time monitor described below is running, it sends a daily summary of the monitor's hits instead of rescanning.

Scan a Linux System for Malware with LMD

To scan manually, run maldet as root with --scan-all (short form -a) and the directory to scan. Building the file list can take a while on large trees, as the output shows.

$ sudo maldet --scan-all /home
maldet(27752): {scan} signatures loaded: 10849 (8981 MD5 / 1868 HEX)
maldet(27752): {scan} building file list for /home, this might take awhile...
maldet(27752): {scan} file list completed, found 20586 files...
maldet(27752): {scan} 20586/20586 files scanned: 1 hits 0 cleaned
maldet(27752): {scan} scan completed on /home: files 20586, malware hits 1, cleaned hits 0
maldet(27752): {scan} scan report saved, to view run: maldet --report 032813-1606.27752
maldet(27752): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 032813-1606.27752

After scanning, examine the report by passing the scan ID printed at the end of the scan to --report.

$ sudo maldet --report 032813-1606.27752
malware detect scan report for my_host:
SCAN ID: 032813-1606.27752
TIME: Mar 28 16:33:36 -0700
PATH: /home
TOTAL FILES: 20586
TOTAL HITS: 1
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 032813-1606.27752
FILE HIT LIST:
{MD5}gzbase64.inject.unclassed.1110 : /home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed
===============================================
Linux Malware Detect v1.4.2 < [email protected] >

Protect a Linux System with Malware Scanning

Review the hit list before quarantining anything: the single hit above is LMD's own cleaner rule file, unpacked under /home together with the source tarball, and it naturally contains the byte pattern the signature looks for. To quarantine the files listed in a report, run maldet -q with the scan ID. Quarantined files are moved to /usr/local/maldetect/quarantine/ and, where a cleaner rule exists for the signature, a cleaning attempt is made and the file is rescanned, as the output shows.

$ sudo maldet -q 032813-1606.27752
maldet(14738): {quar} malware quarantined from '/home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed' to '/usr/local/maldetect/quarantine/gzbase64.inject.unclassed.10045'
maldet(14738): {clean} restoring /usr/local/maldetect/quarantine/gzbase64.inject.unclassed.10045 for cleaning attempt
maldet(14738): {clean} trying to clean /home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed with gzbase64.inject.unclassed rule
maldet(14738): {clean} rescanning /home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed for malware hits
maldet(14738): {clean} clean successful on /home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed
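The scan, report and quarantine steps above lend themselves to a small wrapper that refuses to quarantine blindly. The following is an added example written for this page, not LMD's own code: it parses the scan output for the report ID, extracts the hit count and file list from the report, flags hits inside LMD's own cleaner-rule tree for review, and only then prints the quarantine command. The sample output embedded in the script is copied from the scan and report shown above; the scan_and_review function assumes maldet is on PATH (the installer links it into /usr/local/sbin) and that the script runs as root, while the parsing functions need neither.

```shell
#!/bin/sh
# Added example, not LMD's own code: parse the output of "maldet --scan-all"
# and "maldet --report" so a wrapper can review the hit list before running
# "maldet -q". Assumes maldet is on PATH (/usr/local/sbin/maldet above) and
# that the wrapper runs as root; the parsing functions need neither.

# Constructed sample: the scan lines shown in this article.
SAMPLE_SCAN_OUTPUT=$(cat <<'EOF'
maldet(27752): {scan} signatures loaded: 10849 (8981 MD5 / 1868 HEX)
maldet(27752): {scan} 20586/20586 files scanned: 1 hits 0 cleaned
maldet(27752): {scan} scan report saved, to view run: maldet --report 032813-1606.27752
maldet(27752): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 032813-1606.27752
EOF
)

# Constructed sample: the report shown in this article (footer trimmed).
SAMPLE_REPORT=$(cat <<'EOF'
malware detect scan report for my_host:
SCAN ID: 032813-1606.27752
PATH: /home
TOTAL FILES: 20586
TOTAL HITS: 1
TOTAL CLEANED: 0

FILE HIT LIST:
{MD5}gzbase64.inject.unclassed.1110 : /home/xmodulo/maldetect-1.4.2/files/clean/gzbase64.inject.unclassed
===============================================
EOF
)

# Scan ID from the "scan report saved, to view run: maldet --report <id>" line.
extract_scan_id() {
    sed -n 's/.*maldet --report \([0-9][0-9]*-[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Hit count from the report's "TOTAL HITS: N" line (empty if absent).
report_total_hits() {
    sed -n 's/^TOTAL HITS:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# File paths from the FILE HIT LIST section: "{MD5}signature : /path" lines
# up to the "====" footer.
report_hit_files() {
    awk '/^FILE HIT LIST:/ { inlist = 1; next }
         /^=+$/            { inlist = 0 }
         inlist && / : /   { sub(/^.* : /, ""); print }'
}

# LMD's own cleaner rules, if the tarball was unpacked under a scanned path,
# contain the very patterns the signatures look for; flag those for review
# instead of quarantining them blindly.
classify_hit() {
    case "$1" in
        */maldetect-*/files/clean/*) printf 'review %s\n' "$1" ;;
        *)                           printf 'quarantine %s\n' "$1" ;;
    esac
}

# Scan a directory, print the classified hit list and the quarantine command
# to run once the list has been reviewed.
scan_and_review() {
    out=$(maldet --scan-all "$1" 2>&1) || true
    id=$(printf '%s\n' "$out" | extract_scan_id)
    if [ -z "$id" ]; then
        echo "no scan report ID found in maldet output" >&2
        return 1
    fi
    report=$(maldet --report "$id")
    hits=$(printf '%s\n' "$report" | report_total_hits)
    printf 'scan %s: %s hit(s)\n' "$id" "${hits:-0}"
    printf '%s\n' "$report" | report_hit_files | while IFS= read -r f; do
        classify_hit "$f"
    done
    [ "${hits:-0}" -gt 0 ] && echo "after review, quarantine with: maldet -q $id"
    return 0
}

# Usage: sh scan_review.sh /home   (the parsers above run without maldet)
if [ -n "${1-}" ]; then
    scan_and_review "$1"
fi
```

Run it as root with the directory to scan as the only argument; with no argument it just defines the functions, so the parsers can be sourced and exercised against saved reports without touching maldet.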

To watch directories for malware in real time, start the inotify monitor with -m and a comma-separated list of paths. The monitor runs in the background (note the pid in the output), logs to the inotify_log file it names, and raises the kernel's inotify max_user_instances and max_user_watches limits so that large trees can be watched.

$ sudo maldet -m /var,/home/xmodulo
maldet(5330): {mon} set inotify max_user_instances to 128
maldet(5330): {mon} set inotify max_user_watches to 61440
maldet(5330): {mon} added /var to inotify monitoring array
maldet(5330): {mon} added /home/xmodulo to inotify monitoring array
maldet(5330): {mon} starting inotify process on 1 paths, this might take awhile...
maldet(5330): {mon} inotify startup successful (pid: 5409)
maldet(5330): {mon} inotify monitoring log: /usr/local/maldetect/inotify/inotify_log

To have maldet email you when it detects malware, enable alerting in the configuration. Alerts go out through the local mail system, so a working MTA such as Postfix or sendmail must be installed; pair this with quar_hits=1 if you want hits quarantined automatically rather than only reported.

$ sudo vi /usr/local/maldetect/conf.maldet
email_alert=1
email_subj="Malware detected by maldet"
email_addr="[email protected]"
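Editing conf.maldet by hand is fine for one server, but across several hosts it is easy to end up with a key set twice or left commented out. The following is an added example, not part of LMD, that sets options idempotently: an existing line for the key, commented out or not, is replaced, otherwise the key is appended. It uses only keys that appear on this page (quar_hits, email_alert, email_subj, email_addr); the configuration path and the alert address are parameters, and values are inserted verbatim, so quote them as conf.maldet expects.

```shell
#!/bin/sh
# Added example, not LMD's own code: idempotently set options in conf.maldet.
# Only keys shown on this page are used; the file path is a parameter.

# Print the current value of a key (empty if unset or commented out).
get_maldet_opt() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Replace an existing "key=" line (even one commented out with '#'), else
# append. Writes through a temp file with cat so the original file's mode and
# owner are preserved. The value goes into a sed replacement, so it must not
# contain '|' or '&'.
set_maldet_opt() {
    conf=$1; key=$2; val=$3
    tmp=$(mktemp)
    if grep -q "^#*[[:space:]]*$key=" "$conf"; then
        sed "s|^#*[[:space:]]*$key=.*|$key=$val|" "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf '%s=%s\n' "$key" "$val" >> "$tmp"
    fi
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Turn the defaults reported by the scan above (quarantine off, no alerts)
# into the alerting, quarantining configuration this section describes.
enable_alerting() {
    conf=$1; addr=$2
    set_maldet_opt "$conf" quar_hits 1
    set_maldet_opt "$conf" email_alert 1
    set_maldet_opt "$conf" email_subj '"Malware detected by maldet"'
    set_maldet_opt "$conf" email_addr "\"$addr\""
}

# Usage (as root): enable_alerting /usr/local/maldetect/conf.maldet admin@example.com
```

Because set_maldet_opt replaces rather than appends when a key already exists, running enable_alerting a second time leaves a single line per key, which keeps the file readable and avoids the last-one-wins ambiguity of duplicate settings.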
