Pre-req – CURL is installed on your server

curl -v -3 -X HEAD http://www.example.com

Not vulnerable – * SSL peer handshake failed, the server most likely requires a client certificate to connect

Vulnerable – * SSL 3.0 connection using SSL_NULL_WITH_NULL_NULL

Installation instructions for malwaredetect on a Debian 6 server with ISPConfig3:

Installation

Install pre-reqs:

apt-get install inotify-tools

Install maldetect:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh

Configure

Edit the main maldet script to work with Debian:

vim /usr/local/maldetect/maldet

Replace the line that starts with $nice in the main maldet script with the following:

$nice -n $inotify_nice $inotify -d -r -o $inotify_log --fromfile $inotify_fpaths $exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> /dev/null 2>&1 &

Edit internals.conf – Find inotify= and change the value to /usr/bin/inotifywait:

vim /usr/local/maldetect/internals.conf

Next delete inotifywait and libinotifytools.so.0

rm -rf /usr/local/maldetect/inotify/inotifywait
rm -rf /usr/local/maldetect/inotify/libinotifytools.so.0

Now edit the cronjob:

vim /etc/cron.daily/maldet

Comment out:

• /usr/local/maldetect/maldet -d >> /dev/null 2>&1
• /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
• if [ -d “/var/www/html” ]; then
  /usr/local/maldetect/maldet -b -r /var/www/html 2
  fi
  if [ -d “/usr/local/apache/htdocs” ]; then
  /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
  fi

Add this:

# Instead use ISPConfig 3 path var/www
/usr/local/maldetect/maldet -b -r /var/www

Below this:

#/usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1

Now configure maldetect to run daily and send report to email address of your choice:

Set toggle to 1, update subject line and enter email address:

vim /usr/local/maldetect/conf.maldet

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="Malware Detect Subject Line $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="you@domain.com"

**Cron should run daily with an email report. Report only sent if malware found**

Manual Scanning

Scan specific directory:

maldet -a /home/homedir/public_html/

Scan all directories using a wildcard:

maldet -a /home/?/public_html/

Simple guide to installing WPScan on Debian.

Installation

Install git to grab source code from Github:

apt-get install git

Install dependencies for wpscan:

apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev ruby1.9.3

Clone wpscan form Github:

git clone http://github.com/wpscanteam/wpscan.git

Change into directory and install wpscan:

cd wpscan
gem install bundler && bundle install --without test development

Scanning

Scan WordPress plugins:

ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate p

Scan Vulnerable plugins:

ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate vp

Scan themes:

ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate t

Scan vulnerable themes:

ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate vt

Scan user accounts:

ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate u

Scan for timthumb installations:

ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate tt

Update wpscan:

ruby wpscan.rb --update