Linux Malware Detect (LMD) is an application used to find malware on your server. Its features are:
– MD5 file hash detection for quick threat identification
– HEX based pattern matching for identifying threat variants
– statistical analysis component for detection of obfuscated threats (e.g: base64)
– integrated detection of ClamAV to use as scanner engine for improved performance
– integrated signature update feature with -u|--update
– integrated version update feature with -d|--update-ver
– scan-recent option to scan only files that have been added/changed in X days
– scan-all option for full path based scanning
– checkout option to upload suspected malware to rfxn.com for review / hashing
– full reporting system to view current and previous scan results
– quarantine queue that stores threats in a safe fashion with no permissions
– quarantine batching option to quarantine the results of a current or past scans
– quarantine restore option to restore files to original path, owner and perms
– quarantine suspend account option to Cpanel suspend or shell revoke users
– cleaner rules to attempt removal of malware injected strings
– cleaner batching option to attempt cleaning of previous scan reports
– cleaner rules to remove base64 and gzinflate(base64) injected malware
– daily cron based scanning of all changes in last 24h in user homedirs
– daily cron script compatible with stock RH style systems, Cpanel & Ensim
– kernel based inotify real time file scanning of created/modified/moved files
– kernel inotify monitor that can take path data from STDIN or FILE
– kernel inotify monitor convenience feature to monitor system users
– kernel inotify monitor can be restricted to a configurable user html root
– kernel inotify monitor with dynamic sysctl limits for optimal performance
– kernel inotify alerting through daily and/or optional weekly reports
– e-mail alert reporting after every scan execution (manual & daily)
– path, extension and signature based ignore options
– background scanner option for unattended scan operations
– verbose logging & output of all actions
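To make the three detection layers named in the feature list concrete (MD5 hash lookup, HEX pattern matching, and the statistical check for base64 blobs), here is an added Python example; it is not LMD's own code, and its signature entries, sample file names and the 200-character base64 threshold are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed toy signature set for this example, NOT LMD's real md5.dat / hex.dat.
KNOWN_BAD = b"<?php /* constructed stand-in for a known-bad file */ ?>\n"
MD5_SIGS = {hashlib.md5(KNOWN_BAD).hexdigest(): "php.cmdshell.example"}
# HEX signature: the bytes of "eval(gzinflate(base64" written as an LMD-style hex string.
HEX_SIGS = {"6576616c28677a696e666c61746528626173653634": "gzbase64.inject.example"}
# Statistical layer: one unbroken base64 run of 200+ characters (threshold is assumed).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def scan_bytes(data: bytes):
    """Return (engine, signature) for the first hit, or None: MD5, then HEX, then statistic."""
    digest = hashlib.md5(data).hexdigest()
    if digest in MD5_SIGS:
        return ("MD5", MD5_SIGS[digest])
    hexdata = data.hex()
    for pattern, name in HEX_SIGS.items():
        if pattern in hexdata:
            return ("HEX", name)
    # Heuristic rather than signature: this is the layer behind the base64
    # false positives mentioned in the comments (minified JS, data URIs, ...).
    if B64_RUN.search(data):
        return ("STAT", "base64.suspect")
    return None

def scan_tree(root: str):
    """Walk a directory and list hits in LMD's '{ENGINE}signature : path' report style."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hit = scan_bytes(path.read_bytes())
            if hit:
                hits.append((f"{{{hit[0]}}}{hit[1]}", str(path.relative_to(root))))
    return hits

def demo_scan():
    """Constructed sample tree: one clean file, one HEX hit, one MD5 hit."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.php": b"<?php echo 'hello'; ?>\n",
            "inject.php": b"<?php eval(gzinflate(base64_decode('H4sI'))); ?>\n",
            "shell.php": KNOWN_BAD,
        }
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return scan_tree(root)
```

Real LMD also hands files to clamscan when clamav_scan=1 and applies ignore lists before scanning; this example only shows the layered matching.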
As of version 1.4.1, LMD can recognize:
KNOWN MALWARE: 1029
% AV DETECT (AVG): 48
% AV DETECT (LOW): 58
% AV DETECT (HIGH): 80
UNKNOWN MALWARE: 4364
Examples of recognized malware include:
base64.inject.unclassed bin.dccserv.irsexxy bin.fakeproc.Xnuxer
bin.ircbot.nbot bin.ircbot.php3 bin.ircbot.unclassed
bin.pktflood.ABC123 bin.pktflood.osf bin.trojan.linuxsmalli
c.ircbot.tsunami exp.linux.rstb exp.linux.unclassed
exp.setuid0.unclassed gzbase64.inject html.phishing.auc61
html.phishing.hsbc perl.connback.DataCha0s perl.connback.N2
perl.cpanel.cpwrap perl.mailer.yellsoft perl.ircbot.atrixteam
perl.ircbot.bRuNo perl.ircbot.Clx perl.ircbot.devil
perl.ircbot.fx29 perl.ircbot.magnum perl.ircbot.oldwolf
perl.ircbot.putr4XtReme perl.ircbot.rafflesia perl.ircbot.UberCracker
perl.ircbot.xdh perl.ircbot.xscan perl.shell.cbLorD
perl.shell.cgitelnet php.cmdshell.c100 php.cmdshell.c99
php.cmdshell.cih php.cmdshell.egyspider php.cmdshell.fx29
php.cmdshell.ItsmYarD php.cmdshell.Ketemu php.cmdshell.N3tshell
php.cmdshell.r57 php.cmdshell.unclassed php.defash.buno
php.exe.globals php.include.remote php.ircbot.InsideTeam
php.ircbot.lolwut php.ircbot.sniper php.ircbot.vj_denie
php.mailer.10hack php.mailer.bombam php.mailer.PostMan
php.phishing.AliKay php.phishing.mrbrain php.phishing.ReZulT
php.pktflood.oey php.shell.rc99 php.shell.shellcomm
root@gudeg [/opt]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--03:00:31--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
           => `maldetect-current.tar.gz'
Resolving www.rfxn.com... 174.36.214.91
Connecting to www.rfxn.com|174.36.214.91|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 793,126 (775K) [application/x-gzip]

100%[====================================>] 793,126       1.38M/s

03:00:32 (1.38 MB/s) - `maldetect-current.tar.gz' saved [793126/793126]

root@gudeg [/opt]# tar -zxvf maldetect-current.tar.gz
maldetect-1.4.1/
maldetect-1.4.1/README
maldetect-1.4.1/files/
maldetect-1.4.1/files/quarantine/
maldetect-1.4.1/files/ignore_sigs
maldetect-1.4.1/files/inotify/
maldetect-1.4.1/files/inotify/libinotifytools.so.0
maldetect-1.4.1/files/inotify/tlog
maldetect-1.4.1/files/inotify/inotifywait
maldetect-1.4.1/files/clean/
maldetect-1.4.1/files/clean/gzbase64.inject.unclassed
maldetect-1.4.1/files/clean/base64.inject.unclassed
maldetect-1.4.1/files/maldet
maldetect-1.4.1/files/VERSION.hash
maldetect-1.4.1/files/tmp/
maldetect-1.4.1/files/ignore_paths
maldetect-1.4.1/files/modsec.sh
maldetect-1.4.1/files/sess/
maldetect-1.4.1/files/hexstring.pl
maldetect-1.4.1/files/internals.conf
maldetect-1.4.1/files/ignore_inotify
maldetect-1.4.1/files/pub/
maldetect-1.4.1/files/ignore_file_ext
maldetect-1.4.1/files/sigs/
maldetect-1.4.1/files/sigs/hex.dat
maldetect-1.4.1/files/sigs/maldet.sigs.ver
maldetect-1.4.1/files/sigs/rfxn.hdb
maldetect-1.4.1/files/sigs/rfxn.ndb
maldetect-1.4.1/files/sigs/md5.dat
maldetect-1.4.1/files/hexfifo.pl
maldetect-1.4.1/files/conf.maldet
maldetect-1.4.1/.ca.def
maldetect-1.4.1/cron.d.pub
maldetect-1.4.1/CHANGELOG
maldetect-1.4.1/install.sh
maldetect-1.4.1/COPYING.GPL
maldetect-1.4.1/cron.daily

root@gudeg [/opt]# cd maldetect-1.4.1/
root@gudeg [/opt/maldetect-1.4.1]# ls
./   .ca.def    COPYING.GPL  cron.d.pub   install.sh*
../  CHANGELOG  cron.daily*  files/       README

root@gudeg [/opt/maldetect-1.4.1]# ./install.sh
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <proj@r-fx.org>
            (C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(28813): {sigup} performing signature update check...
maldet(28813): {sigup} local signature set is version 2011122411659
maldet(28813): {sigup} latest signature set already installed
root@gudeg [/opt/maldetect-1.4.1]#
Trial run
root@gudeg [/home/test/www]# maldet -a .
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <proj@r-fx.org>
            (C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4797): {scan} signatures loaded: 8707 (6843 MD5 / 1864 HEX)
maldet(4797): {scan} building file list for ., this might take awhile...
maldet(4797): {scan} file list completed, found 29 files...
maldet(4797): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(4797): {scan} scan of . (29 files) in progress...
maldet(4797): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(4797): {scan} scan completed on .: files 29, malware hits 2, cleaned hits 0
maldet(4797): {scan} scan report saved, to view run: maldet --report 122511-0326.4797
maldet(4797): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 122511-0326.4797

root@gudeg [/home/test//www]# maldet --report 122511-0326.4797
SCAN ID: 122511-0326.4797
TIME: Dec 25 03:26:13 -0600
PATH: .
TOTAL FILES: 29
TOTAL HITS: 2
TOTAL CLEANED: 0
NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine r$

FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.18 : ./b374k.php
{HEX}php.cmdshell.r57.313 : ./paijo.php
===============================================
Linux Malware Detect v1.4.1 < proj@rfxn.com >
source: http://www.rfxn.com/appdocs/README.maldetect
wow, so there really is malware for Linux, huh ..
there has been for a long time.
so it uses ClamAV too…
it's optional, kang. if clamav is installed, you can set clamav as the scanner engine, but the signatures still come from lmd. that way scanning can be 4 times faster
sometimes it gives false positives when it finds base64 😀
does that mean that if you use ClamAV it gets slower?
how do you configure it for clamav, kang mas?
faster, because it uses the clamav engine. check the readme.
in /usr/local/maldetect/conf.maldet find the line clamav_scan=0 and change it to clamav_scan=1
thanks for the tip 🙂