One of the more useful tools in helping to locate when/where a server was compromised is a manual anti-virus scan. Additionally, a great hurdle to put up in front of malicious attackers is a scanner that checks files for malicious content as they are created or modified.

In the Linux world, there’s not always a great understanding of what options are available, so I’m going to very briefly outline three that I am aware of and/or use.

The three I am going to cover are:

Maldetect (LMD)
BitDefender
ClamAV


Maldet (LMD)

This is a pretty straightforward project. Things to know in advance:

Requires: perl. If you want to use the inotify monitoring you also need glibc.i686 or glibc.i386.

To install:

[root@feh ~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
[root@feh ~]# tar zxvf maldetect-current.tar.gz
[root@feh ~]# cd maldetect-1.4.2/
[root@feh maldetect-1.4.2]# ./install.sh

This will install the software, the conf file, and the daily cron:

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

You should review the configuration file and modify as needed for your environment.

Usage is pretty straightforward and is covered fairly well in their documentation here. That said, a few basic operation examples:

To scan a specific directory manually:

[root@feh ~]# maldet -a /opt/virustest/

To background scan a location (good for large scans):

[root@feh ~]# maldet -b -r /opt/virustest/

To view a list of reports generated by maldet (important when you do a background scan to view results):

[root@feh ~]# maldet --report list

To view a specific report:

[root@feh ~]# maldet --report REPORTID

If you want to quarantine all files marked as malicious in a specific scan report:

[root@feh ~]# maldet -q REPORTID

Maldet, as I mentioned, does active scanning using inotify. This permits it to look at files as they are created/modified. So once you’ve done a full scan of your system to get a “known good” state, you can (for example) set up a scan of your vhosts directory to monitor for any malicious file uploads:

[root@feh ~]# maldet --monitor /var/www/vhosts

or multiple locations:

[root@feh ~]# maldet --monitor /var/www/vhosts,/home

IMPORTANT! If you get an error starting up the monitor mode that looks like:

“{mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.”

You did not install glibc.i686 or glibc.i386. Kill the process, install the package, and then start it up again.

The inotify scans do not email on detection. Reports/email are sent out daily or weekly, depending on configuration, and are handled by the cron job in /etc/cron.daily/maldet.

Lastly, to kill off a background/monitor maldet process, you can send the kill command:

[root@feh ~]# maldet -k


Bitdefender

Bitdefender is another client you can use for fairly quick and painless on-demand scans. Bitdefender has no option for inotify scanning at this time. However, it does have repos for package management on DEB- or RPM-based systems, making installation and updates fairly painless. Repo located here.

To install (I’m going to use the yum based install example):

[root@feh ~]# rpm -i http://download.bitdefender.com/repos/rpm/bitdefender/i586/BitDefender-repo-1-1.noarch.rpm
[root@feh ~]# yum install bitdefender-scanner.x86_64

To use:

[root@feh ~]# bdscan --log=/root/bdscan.txt --action=ignore /home/testing/ > /dev/null 2>&1; grep "infected" /root/bdscan.txt

You can set the above manual scan as a cron job and have it run nightly, weekly, or monthly and email you the results.


ClamAV

Note: If you are running a Redhat based system, you may need to have the EPEL repository enabled to install this package.

To install:

[root@feh ~]# yum install clamav clamav-db

or

[root@feh ~]# apt-get install clamav

To update virus definitions (can be set as a cron job):

[root@feh ~]# freshclam

To do a manual scan:

[root@feh ~]# clamscan --log=/path/to/outputlogfileyouwant.txt -ri /path/to/scan

You can set the above manual scan as a cron job and have it run nightly, weekly, or monthly and email you the results.
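Both bdscan and clamscan are one-shot scanners, so the cron job around them has to do the "only bother me when something was found" part itself. The wrapper below is an added example, not code from the original post or from either vendor: it runs whichever scanner you hand it, counts matching lines in the scanner's own log (the page's own "infected" grep for bdscan; clamscan marks detections with FOUND), and only sends mail when there are hits or the scanner failed. The log paths, the mail recipient, the cron schedule and the SEND_MAIL switch are assumptions for illustration; mail(1) is only called when SEND_MAIL=1, otherwise the report is printed for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): cron wrapper for on-demand
# scanners such as bdscan and clamscan. Assumptions: the scanner writes its
# own log to LOG (bdscan --log / clamscan --log), mail(1) is available when
# SEND_MAIL=1, and paths/recipient below are placeholders.

# count_hits LOG PATTERN: number of log lines matching PATTERN, 0 if LOG is missing
count_hits() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -- "$2" "$1" || true   # grep -c exits 1 when the count is 0
}

# notify RECIPIENT SUBJECT LOG: mail the log (SEND_MAIL=1) or print it (dry run)
notify() {
    if [ "${SEND_MAIL:-0}" = "1" ]; then
        mail -s "$2" "$1" < "$3"
    else
        printf 'To: %s\nSubject: %s\n' "$1" "$2"
        cat "$3"
    fi
}

# scan_and_report LOG PATTERN RECIPIENT SCANNER [ARGS...]
# Removes any stale LOG, runs SCANNER, then decides whether to report.
# Return status: 0 clean, 1 hits found (report sent), 2 scanner failed without hits (report sent)
scan_and_report() {
    log=$1; pattern=$2; recipient=$3; shift 3
    rm -f "$log"
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    hits=$(count_hits "$log" "$pattern")
    if [ "$hits" -gt 0 ]; then
        notify "$recipient" "[AV] $hits hit(s) on $(uname -n)" "$log"
        return 1
    elif [ "$rc" -ne 0 ]; then
        # e.g. clamscan exits 2 on error; keep a log line so the mail says why
        [ -f "$log" ] || echo "scanner exited with status $rc and wrote no log" > "$log"
        notify "$recipient" "[AV] scanner failed (status $rc) on $(uname -n)" "$log"
        return 2
    fi
    return 0
}

# Assumed cron entry:  30 2 * * * /usr/local/sbin/av-cron.sh run
# Only the "run" argument triggers real scans, so sourcing the file for its
# functions (or running it with no arguments) has no side effects.
case "${1:-}" in
    run)
        SEND_MAIL=1
        scan_and_report /root/clamscan.log FOUND root \
            clamscan --log=/root/clamscan.log -ri /var/www
        scan_and_report /root/bdscan.txt infected root \
            bdscan --log=/root/bdscan.txt --action=ignore /home
        ;;
esac
```

The return status is deliberately distinct from the scanner's own: a scanner that crashes halfway through is treated as a reportable event rather than a clean run, which is the failure mode a nightly cron job would otherwise hide.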


It is important to remember that Anti-Virus is not a “fix” for insecure code, out of date systems, or badly managed servers. However, it can be both an important tool in helping to diagnose compromise after the fact and a significant hurdle to malicious users attempting to upload content to your server unnoticed.

There are many commercial anti-virus solutions that you can investigate as well. I just wanted to outline a few of the freeware ones out there for Linux that can be implemented quickly and relatively painlessly. All three have positives and negatives. Maldet is great because it includes the inotify scanning, but the manual install from source can make it less desirable for some. Bitdefender is quick and easy to get up and going with, but is not as flexible as the other two and requires a third-party repo. ClamAV is easy to install and use, directly from OS repos, but lacks the inotify feature and so is a reactive solution rather than a proactive one.

As with all things, it’s important to assess what your needs are with anti-virus, how you will use it, and pick the one that most closely aligns to your goals. Particularly with ClamAV and BitDefender, it is important to remember that these are REACTIVE scans and not PROACTIVE ones. Using maldet’s inotify monitoring together with quarantine of suspect files is a way to start proactively locking down malicious files.

For reference, this is what a monitor-mode detection and quarantine looks like in syslog (an EICAR test file dropped into a monitored directory):

Apr 13 13:41:36 feh maldet(31639): {mon} inotify file scan /opt/virustest/eicar.com
Apr 13 13:41:36 feh maldet(31639): {hexstring} malware hit {HEX}EICAR.TEST.10 on /opt/virustest/eicar.com
Apr 13 13:41:36 feh maldet(31639): {quar} malware quarantined from '/opt/virustest/eicar.com' to '/usr/local/maldetect/quarantine/eicar.com.13763'
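Since monitor mode only writes these lines to syslog and does not email on detection, a small parser over the log is the easiest way to get a same-day summary, or to spot hits that were detected but not quarantined (for example when quarantining is turned off in conf.maldet). The script below is an added example, not part of maldet or of the original post: it extracts the hits and quarantine actions from lines in the format shown above. The sample log it builds is constructed for demonstration and reuses the page's EICAR lines plus two made-up entries (a clean scan and a hit with no quarantine line); the second signature name and the vhost path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): summarise maldet inotify
# monitor events from syslog. Assumes the line format shown on the page:
#   ... maldet(PID): {hexstring} malware hit SIGNATURE on /path
#   ... maldet(PID): {quar} malware quarantined from '/path' to '/quarantine/copy'

# write_sample_log FILE: constructed syslog excerpt used for demonstration.
# The first three lines are the page's own; the rest are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 13 13:41:36 feh maldet(31639): {mon} inotify file scan /opt/virustest/eicar.com
Apr 13 13:41:36 feh maldet(31639): {hexstring} malware hit {HEX}EICAR.TEST.10 on /opt/virustest/eicar.com
Apr 13 13:41:36 feh maldet(31639): {quar} malware quarantined from '/opt/virustest/eicar.com' to '/usr/local/maldetect/quarantine/eicar.com.13763'
Apr 13 13:42:10 feh maldet(31639): {mon} inotify file scan /var/www/vhosts/example.test/index.php
Apr 13 13:45:02 feh maldet(31639): {mon} inotify file scan /var/www/vhosts/example.test/uploads/upload.php
Apr 13 13:45:02 feh maldet(31639): {hexstring} malware hit {HEX}EXAMPLE.SIGNATURE.1 on /var/www/vhosts/example.test/uploads/upload.php
EOF
}

# maldet_hits LOG: one "SIGNATURE /path" line per malware hit
maldet_hits() {
    sed -n 's/^.*malware hit \(.*\) on \(\/.*\)$/\1 \2/p' "$1"
}

# maldet_hit_count LOG: number of hits
maldet_hit_count() {
    maldet_hits "$1" | wc -l | tr -d ' '
}

# maldet_quarantined LOG: one "/original -> /quarantine/copy" line per quarantine action
maldet_quarantined() {
    sed -n "s/^.*quarantined from '\([^']*\)' to '\([^']*\)'.*$/\1 -> \2/p" "$1"
}

# maldet_unquarantined LOG: paths that were flagged but have no matching quarantine line,
# i.e. malicious files that are still in place and need a manual look (maldet -q REPORTID)
maldet_unquarantined() {
    maldet_hits "$1" | while read -r sig path; do
        grep -qF "quarantined from '$path'" "$1" || echo "$path"
    done
}

# Stand-alone demonstration on the constructed log
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp)
    write_sample_log "$demo"
    echo "hits: $(maldet_hit_count "$demo")"
    maldet_hits "$demo"
    echo "quarantined:"
    maldet_quarantined "$demo"
    echo "flagged but still in place:"
    maldet_unquarantined "$demo"
    rm -f "$demo"
fi
```

Run it with the `demo` argument to see the summary on the constructed log; in practice point the functions at /var/log/messages (or wherever your syslog puts the maldet facility) and have cron mail the output of maldet_unquarantined, since those are the files a reactive daily report would otherwise leave sitting in the web root.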


Category: advice, antivirus, linux
