Hardening a Server with Linux Malware Detect (LMD)

Linux Malware Detect is a tool for finding malware on your server. Its features are:
– MD5 file hash detection for quick threat identification
– HEX based pattern matching for identifying threat variants
– statistical analysis component for detection of obfuscated threats (e.g: base64)
– integrated detection of ClamAV to use as scanner engine for improved performance
– integrated signature update feature with -u|--update
– integrated version update feature with -d|--update-ver
– scan-recent option to scan only files that have been added/changed in X days
– scan-all option for full path based scanning
– checkout option to upload suspected malware to rfxn.com for review / hashing
– full reporting system to view current and previous scan results
– quarantine queue that stores threats in a safe fashion with no permissions
– quarantine batching option to quarantine the results of a current or past scans
– quarantine restore option to restore files to original path, owner and perms
– quarantine suspend account option to Cpanel suspend or shell revoke users
– cleaner rules to attempt removal of malware injected strings
– cleaner batching option to attempt cleaning of previous scan reports
– cleaner rules to remove base64 and gzinflate(base64) injected malware
– daily cron based scanning of all changes in last 24h in user homedirs
– daily cron script compatible with stock RH style systems, Cpanel & Ensim
– kernel based inotify real time file scanning of created/modified/moved files
– kernel inotify monitor that can take path data from STDIN or FILE
– kernel inotify monitor convenience feature to monitor system users
– kernel inotify monitor can be restricted to a configurable user html root
– kernel inotify monitor with dynamic sysctl limits for optimal performance
– kernel inotify alerting through daily and/or optional weekly reports
– e-mail alert reporting after every scan execution (manual & daily)
– path, extension and signature based ignore options
– background scanner option for unattended scan operations
– verbose logging & output of all actions

In version 1.4.1, LMD can recognize:
KNOWN MALWARE: 1029
% AV DETECT (AVG): 48
% AV DETECT (LOW): 58
% AV DETECT (HIGH): 80
UNKNOWN MALWARE: 4364

Examples of recognized malware signatures include:
base64.inject.unclassed bin.dccserv.irsexxy bin.fakeproc.Xnuxer
bin.ircbot.nbot bin.ircbot.php3 bin.ircbot.unclassed
bin.pktflood.ABC123 bin.pktflood.osf bin.trojan.linuxsmalli
c.ircbot.tsunami exp.linux.rstb exp.linux.unclassed
exp.setuid0.unclassed gzbase64.inject html.phishing.auc61
html.phishing.hsbc perl.connback.DataCha0s perl.connback.N2
perl.cpanel.cpwrap perl.mailer.yellsoft perl.ircbot.atrixteam
perl.ircbot.bRuNo perl.ircbot.Clx perl.ircbot.devil
perl.ircbot.fx29 perl.ircbot.magnum perl.ircbot.oldwolf
perl.ircbot.putr4XtReme perl.ircbot.rafflesia perl.ircbot.UberCracker
perl.ircbot.xdh perl.ircbot.xscan perl.shell.cbLorD
perl.shell.cgitelnet php.cmdshell.c100 php.cmdshell.c99
php.cmdshell.cih php.cmdshell.egyspider php.cmdshell.fx29
php.cmdshell.ItsmYarD php.cmdshell.Ketemu php.cmdshell.N3tshell
php.cmdshell.r57 php.cmdshell.unclassed php.defash.buno
php.exe.globals php.include.remote php.ircbot.InsideTeam
php.ircbot.lolwut php.ircbot.sniper php.ircbot.vj_denie
php.mailer.10hack php.mailer.bombam php.mailer.PostMan
php.phishing.AliKay php.phishing.mrbrain php.phishing.ReZulT
php.pktflood.oey php.shell.rc99 php.shell.shellcomm

root@gudeg [/opt]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--03:00:31--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
           => `maldetect-current.tar.gz'
Resolving www.rfxn.com... 174.36.214.91
Connecting to www.rfxn.com|174.36.214.91|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 793,126 (775K) [application/x-gzip]

100%[====================================>] 793,126        1.38M/s             

03:00:32 (1.38 MB/s) - `maldetect-current.tar.gz' saved [793126/793126]

root@gudeg [/opt]# tar -zxvf maldetect-current.tar.gz 
maldetect-1.4.1/
maldetect-1.4.1/README
maldetect-1.4.1/files/
maldetect-1.4.1/files/quarantine/
maldetect-1.4.1/files/ignore_sigs
maldetect-1.4.1/files/inotify/
maldetect-1.4.1/files/inotify/libinotifytools.so.0
maldetect-1.4.1/files/inotify/tlog
maldetect-1.4.1/files/inotify/inotifywait
maldetect-1.4.1/files/clean/
maldetect-1.4.1/files/clean/gzbase64.inject.unclassed
maldetect-1.4.1/files/clean/base64.inject.unclassed
maldetect-1.4.1/files/maldet
maldetect-1.4.1/files/VERSION.hash
maldetect-1.4.1/files/tmp/
maldetect-1.4.1/files/ignore_paths
maldetect-1.4.1/files/modsec.sh
maldetect-1.4.1/files/sess/
maldetect-1.4.1/files/hexstring.pl
maldetect-1.4.1/files/internals.conf
maldetect-1.4.1/files/ignore_inotify
maldetect-1.4.1/files/pub/
maldetect-1.4.1/files/ignore_file_ext
maldetect-1.4.1/files/sigs/
maldetect-1.4.1/files/sigs/hex.dat
maldetect-1.4.1/files/sigs/maldet.sigs.ver
maldetect-1.4.1/files/sigs/rfxn.hdb
maldetect-1.4.1/files/sigs/rfxn.ndb
maldetect-1.4.1/files/sigs/md5.dat
maldetect-1.4.1/files/hexfifo.pl
maldetect-1.4.1/files/conf.maldet
maldetect-1.4.1/.ca.def
maldetect-1.4.1/cron.d.pub
maldetect-1.4.1/CHANGELOG
maldetect-1.4.1/install.sh
maldetect-1.4.1/COPYING.GPL
maldetect-1.4.1/cron.daily
root@gudeg [/opt]# cd maldetect-1.4.1/
root@gudeg [/opt/maldetect-1.4.1]# ls
./   .ca.def    COPYING.GPL  cron.d.pub  install.sh*
../  CHANGELOG  cron.daily*  files/      README
root@gudeg [/opt/maldetect-1.4.1]# ./install.sh 
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <proj@r-fx.org>
            (C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(28813): {sigup} performing signature update check...
maldet(28813): {sigup} local signature set is version 2011122411659
maldet(28813): {sigup} latest signature set already installed
root@gudeg [/opt/maldetect-1.4.1]# 

Test Run

root@gudeg [/home/test/www]# maldet -a .
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <proj@r-fx.org>
            (C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4797): {scan} signatures loaded: 8707 (6843 MD5 / 1864 HEX)
maldet(4797): {scan} building file list for ., this might take awhile...
maldet(4797): {scan} file list completed, found 29 files...
maldet(4797): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(4797): {scan} scan of . (29 files) in progress...
maldet(4797): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(4797): {scan} scan completed on .: files 29, malware hits 2, cleaned hits 0
maldet(4797): {scan} scan report saved, to view run: maldet --report 122511-0326.4797
maldet(4797): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 122511-0326.4797
root@gudeg [/home/test//www]# maldet --report 122511-0326.4797

SCAN ID: 122511-0326.4797
TIME: Dec 25 03:26:13 -0600
PATH: .
TOTAL FILES: 29
TOTAL HITS: 2
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine r$
FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.18 : ./b374k.php
{HEX}php.cmdshell.r57.313 : ./paijo.php
===============================================
Linux Malware Detect v1.4.1 < proj@rfxn.com >
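To act on a report like the one above from cron or an alerting script, here is an added example (not part of the original post or of the LMD project) that parses the maldet --report layout into tab-separated hits and a clean/not-clean verdict; the report text inside it is a constructed sample copied from the output shown above.

```shell
#!/bin/sh
# Constructed sample of a `maldet --report` output, modelled on the report shown above.
SAMPLE_REPORT='SCAN ID: 122511-0326.4797
TIME: Dec 25 03:26:13 -0600
PATH: .
TOTAL FILES: 29
TOTAL HITS: 2
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}gzbase64.inject.unclassed.18 : ./b374k.php
{HEX}php.cmdshell.r57.313 : ./paijo.php
==============================================='

# Constructed report of a clean scan (same layout, no entries in the hit list).
CLEAN_REPORT='SCAN ID: 000000-0000.0
TOTAL FILES: 5
TOTAL HITS: 0
TOTAL CLEANED: 0

FILE HIT LIST:
==============================================='

# Read a report on stdin and emit one "engine<TAB>signature<TAB>file" line per hit.
# Hit lines look like "{HEX}php.cmdshell.r57.313 : ./paijo.php": the braces carry the
# engine that matched (HEX or MD5 in the output on this page), then the signature name.
report_hits() {
    awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        /^=+$/            { inlist = 0 }
        inlist && match($0, /^[{][A-Z0-9]+[}][^ ]+ : /) {
            tag    = substr($0, 1, RLENGTH - 3)     # "{HEX}signature"
            file   = substr($0, RLENGTH + 1)        # path after " : "
            engine = substr(tag, 2, index(tag, "}") - 2)
            sig    = substr(tag, index(tag, "}") + 1)
            printf "%s\t%s\t%s\n", engine, sig, file
        }'
}

# Read a report on stdin and print the value of its TOTAL HITS line (0 if absent).
report_hit_count() {
    awk -F': ' '/^TOTAL HITS:/ { print $2; found = 1 } END { if (!found) print 0 }'
}

# Exit 0 when the report passed as $1 is clean, 1 when it has hits; a cron wrapper
# can use this to decide whether to alert or to run `maldet -q SCANID`.
report_is_clean() {
    [ "$(printf '%s\n' "$1" | report_hit_count)" -eq 0 ]
}
```

On a live system the same functions take real input, e.g. maldet --report 122511-0326.4797 | report_hits.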

Source: http://www.rfxn.com/appdocs/README.maldetect
