Installation instructions for malwaredetect on a Debian 6 server with ISPConfig3:

Installation

Install pre-reqs:

apt-get install inotify-tools

Install maldetect:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh

Configure

Edit the main maldet script to work with Debian:

vim /usr/local/maldetect/maldet

Replace the line that starts with $nice in the main maldet script with the following:

$nice -n $inotify_nice $inotify -d -r -o $inotify_log --fromfile $inotify_fpaths $exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> /dev/null 2>&1 &

Edit internals.conf – Find inotify= and change the value to /usr/bin/inotifywait:

vim /usr/local/maldetect/internals.conf

Next delete inotifywait and libinotifytools.so.0

rm -rf /usr/local/maldetect/inotify/inotifywait
rm -rf /usr/local/maldetect/inotify/libinotifytools.so.0

Now edit the cronjob:

vim /etc/cron.daily/maldet

Comment out:

  • /usr/local/maldetect/maldet -d >> /dev/null 2>&1
  • /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
  • if [ -d “/var/www/html” ]; then
    /usr/local/maldetect/maldet -b -r /var/www/html 2
    fi
    if [ -d “/usr/local/apache/htdocs” ]; then
    /usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
    fi

Add this:

# Instead use ISPConfig 3 path var/www
/usr/local/maldetect/maldet -b -r /var/www

Below this:

#/usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1

Now configure maldetect to run daily and send report to email address of your choice:

Set toggle to 1, update subject line and enter email address:

vim /usr/local/maldetect/conf.maldet

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="Malware Detect Subject Line $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="you@domain.com"

**Cron should run daily with an email report. Report only sent if malware found**

Manual Scanning

Scan specific directory:

maldet -a /home/homedir/public_html/

Scan all directories using a wildcard:

maldet -a /home/?/public_html/
Written by Matt Cooper
Hi, I'm Matt Cooper. I started this blog to pretty much act as a brain dump area for things I learn from day to day. You can contact me at: matt@linuxtutorial.co.uk.