Linux Malware Detect (LMD), also known as maldet, is an open-source malware detector for Linux operating systems. It scans a server for malware and monitors and reads system parameters to detect anomalous activity.
Requirements
- A Linux server running Ubuntu 20.04.
- Root access to the server.
How to Install Linux Malware Detect on Ubuntu 20.04
Step 1: Update and upgrade the server
Before installing Linux Malware Detect, you need to set up and install the required packages on your Ubuntu 20.04 server.
To update and upgrade the Ubuntu 20.04 server, run the following command.
root@noufserver:~# sudo apt update && sudo apt upgrade -y
Install the wget package with the following command if it is not already installed on the server.
root@noufserver:~# sudo apt install wget -y
Step 2: Change the current working directory
The pwd command prints the full path of the current directory.
To change the current working directory, use the cd command followed by the path of the desired directory.
root@noufserver:~# pwd
/root
root@noufserver:~# cd /tmp/
root@noufserver:/tmp# pwd
/tmp
root@noufserver:/tmp#
Step 3: Download the latest Linux Malware Detect package
To download the latest Linux Malware Detect package, run the following command.
root@noufserver:/tmp# wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
Here is the output.
root@noufserver:/tmp# wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
--2022-01-27 04:47:28-- https://www.rfxn.com/downloads/maldetect-current.tar.gz
Resolving www.rfxn.com (www.rfxn.com)... 172.67.144.156, 104.21.28.71, 2606:4700:3034::6815:1c47, ...
Connecting to www.rfxn.com (www.rfxn.com)|172.67.144.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1549126 (1.5M) [application/x-gzip]
Saving to: 'maldetect-current.tar.gz'
maldetect-current.tar.gz 100%[=====================================================================================>] 1.48M 1.34MB/s in 1.1s
2022-01-27 04:47:30 (1.34 MB/s) - 'maldetect-current.tar.gz' saved [1549126/1549126]
Step 4: Extract the .tar file
To extract the .tar file, run the following command.
root@noufserver:/tmp# tar xfz maldetect-current.tar.gz
After the file is extracted, you are returned to the prompt in the same directory. Use the ll command there to list the files in the directory.
root@noufserver:/tmp# tar xfz maldetect-current.tar.gz
root@noufserver:/tmp#
root@noufserver:/tmp# ll
drwxr-xr-x 3 root root 4096 Jun 20 2019 maldetect-1.6.4/
-rw-r--r-- 1 root root 1549126 Jul 6 2019 maldetect-current.tar.gz
Step 5: Change the current working directory to the extracted folder
To change the current working directory to the extracted folder, use the following command.
root@noufserver:/tmp# cd maldetect-1.6.4
Here is the full output, including the pwd command to confirm the directory and the ll command to list the files in it.
root@noufserver:/tmp# cd maldetect-1.6.4
root@noufserver:/tmp/maldetect-1.6.4# pwd
/tmp/maldetect-1.6.4
root@noufserver:/tmp/maldetect-1.6.4# ll
total 128
drwxr-xr-x 3 root root 4096 Jun 20 2019 ./
drwxrwxrwt 13 root root 4096 Jan 27 04:48 ../
lrwxrwxrwx 1 root root 26 Jul 1 2016 .ca.def -> files/internals/importconf
-rw-r--r-- 1 root root 46407 Apr 15 2019 CHANGELOG
-rw-r--r-- 1 root root 3186 Apr 15 2019 CHANGELOG.RELEASE
-rw-r--r-- 1 root root 1491 Sep 10 2013 CHANGELOG.VARIABLES
-rw-r--r-- 1 root root 18093 Sep 10 2013 COPYING.GPL
-rw-r--r-- 1 root root 24188 Mar 16 2019 README
-rw-r--r-- 1 root root 76 Jan 8 2017 cron.d.pub
-rwxr-xr-x 1 root root 3777 Apr 15 2019 cron.daily*
drwxr-xr-x 8 root root 4096 Jul 6 2019 files/
-rwxr-xr-x 1 root root 6100 Mar 27 2019 install.sh*
Step 6: Run the Linux Malware Detect installation script
Execute the Linux Malware Detect installation script by running the following command.
root@noufserver:/tmp/maldetect-1.6.4# ./install.sh
Here is the output.
root@noufserver:/tmp/maldetect-1.6.4# ./install.sh
Linux Malware Detect v1.6.4
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
imported config options from /usr/local/maldetect.last/conf.maldet
maldet(89728): {sigup} performing signature update check...
maldet(89728): {sigup} local signature set is version 201907043616
maldet(89728): {sigup} new signature set 20220122476998 available
maldet(89728): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(89728): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(89728): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(89728): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(89728): {sigup} verified md5sum of maldet-clean.tgz
maldet(89728): {sigup} unpacked and installed maldet-clean.tgz
maldet(89728): {sigup} signature set update completed
maldet(89728): {sigup} 17264 signatures (14442 MD5 | 2039 HEX | 783 YARA | 0 USER)
The syntax of the maldet command is as follows.
maldet [OPTION] [Directory Path]
The available maldet options are as follows.
-a (--scan-all <path>) - Scan all files in the path.
-b (--background) - Execute operations in the background.
-c (--checkout <file>) - Upload a suspected malware file to rfxn.com for review and hashing into signatures.
-d (--update-ver) - Update the installed version.
-e (--report <scan ID> <email address>) - View the most recent scan or a particular scan ID and e-mail the scan report to the given address.
-h (--help) - List all available maldet help options.
-l (--log) - View maldet log file events.
-n (--clean <scan ID>) - Clean and restore malware hits from the report.
-p (--purge) - Clear logs, session, and temporary data.
-q (--quarantine <scan ID>) - Quarantine all malware from the report.
-r (--scan-recent <path> <days>) - Scan files created or modified in the last X days (7 days by default; ? for wildcard).
-s (--restore <file> or <scan ID>) - Restore a quarantined file from the quarantine queue to its original path, or restore all quarantined files from a particular scan ID.
-u (--update) - Update the malware detection signatures.
How to Configure Linux Malware Detect on Ubuntu 20.04
Now that Linux Malware Detect is installed, you need to edit its configuration file for better results. The Linux Malware Detect configuration file is /usr/local/maldetect/conf.maldet. Follow the steps below to configure Linux Malware Detect.
Step 1: Open the configuration file
Open the Linux Malware Detect configuration file with the following command.
root@noufserver:~# vim /usr/local/maldetect/conf.maldet
Step 2: Update the configuration file
Find the following lines in the Linux Malware Detect configuration file and update them as shown below. This configuration helps Linux Malware Detect detect and remove malware threats successfully.
# To enable the email notification.
email_alert="1"
# Email Address in which you want to receive scan reports
email_addr="[email protected]"
# Enable the LMD signature autoupdate.
autoupdate_signatures="1"
# Use with ClamAV
scan_clamscan="1"
# Enable the automatic updates of the LMD installation.
autoupdate_version="1"
# Enable the daily automatic scanning.
cron_daily_scan="1"
# Clean string based malware injections.
quarantine_clean="0"
# Suspend user if malware found.
quarantine_suspend_user="1"
# Minimum userid value that can be suspended
quarantine_suspend_user_minuid="500"
# Allows non-root users to perform scans.
scan_user_access="1"
# Move hits to quarantine & alert
quarantine_hits="1"
# Enable scanning for root-owned files. Set 1 to disable.
scan_ignore_root="0"
Step 3: Save the changes and exit the file
Save the changes and exit the file by typing :wq and pressing Enter.
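As an added example that is not part of this tutorial or of LMD itself, the following POSIX shell script applies the Step 2 settings to a conf.maldet file in place, rewriting a key that already exists and appending one that does not, so running it twice leaves a single copy of each key. The file path, the sample config fragment and the address admin@example.com are assumptions; on a real server point apply_tutorial_settings at /usr/local/maldetect/conf.maldet.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of LMD: apply the tutorial's
# conf.maldet settings idempotently and read them back. The sample config
# fragment and the admin@example.com address are constructed.

# set_conf FILE KEY VALUE: rewrite an existing KEY="..." line, or append one.
set_conf() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}=" "$file"; then
    sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s="%s"\n' "$key" "$value" >> "$file"
  fi
}

# get_conf FILE KEY: print KEY's value without the surrounding quotes ("" if absent).
get_conf() {
  sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$|\1|p" "$1" | tail -n 1
}

# apply_tutorial_settings FILE: the values from Step 2 above.
apply_tutorial_settings() {
  f=$1
  set_conf "$f" email_alert 1
  set_conf "$f" email_addr admin@example.com   # placeholder address
  set_conf "$f" autoupdate_signatures 1
  set_conf "$f" scan_clamscan 1
  set_conf "$f" autoupdate_version 1
  set_conf "$f" cron_daily_scan 1
  set_conf "$f" quarantine_clean 0
  set_conf "$f" quarantine_suspend_user 1
  set_conf "$f" quarantine_suspend_user_minuid 500
  set_conf "$f" scan_user_access 1
  set_conf "$f" quarantine_hits 1
  set_conf "$f" scan_ignore_root 0
}

# Constructed sample of a stock conf.maldet fragment; the real file is
# /usr/local/maldetect/conf.maldet.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# [ EMAIL ALERTS ]
email_alert="0"
email_addr="you@domain.com"
quarantine_hits="0"
scan_clamscan="1"
EOF
apply_tutorial_settings "$SAMPLE_CONF"
# Running it a second time must not duplicate any key.
apply_tutorial_settings "$SAMPLE_CONF"
```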
Using Linux Malware Detect with ClamAV on Ubuntu 20.04
Linux Malware Detect is compatible with ClamAV (Clam Antivirus) and performs better alongside it, especially when scanning large sets of files. ClamAV is an open-source antivirus engine used to detect viruses, malware, and other common security issues.
Install ClamAV with the apt command, since it is available in the base repository.
To install ClamAV, use the following syntax.
root@noufserver:~# sudo apt install clamav clamav-daemon clamdscan -y
Here is the output.
root@noufserver:~# sudo apt install clamav clamav-daemon clamdscan -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
clamav-base clamav-freshclam libclamav9 libtfm1
Suggested packages:
libclamunrar clamav-docs daemon libclamunrar9
The following NEW packages will be installed:
clamav clamav-base clamav-daemon clamav-freshclam clamdscan libclamav9 libtfm1
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
After installing ClamAV, you need to update the ClamAV database before you can use the clamscan command to scan files or data for malware. Before updating the ClamAV database, you also need to stop the clamav-freshclam service if it is running. Stop the clamav-freshclam service with the following command.
root@noufserver:~# sudo systemctl stop clamav-freshclam
Update your ClamAV definition database with the following terminal command.
root@noufserver:~# sudo freshclam
Here is the output.
root@noufserver:~# sudo freshclam
Thu Jan 27 05:21:11 2022 -> ClamAV update process started at Thu Jan 27 05:21:11 2022
Thu Jan 27 05:21:11 2022 -> daily.cvd database is up-to-date (version: 26434, sigs: 1972740, f-level: 90, builder: raynman)
Thu Jan 27 05:21:11 2022 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Jan 27 05:21:11 2022 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
After updating the ClamAV definition database, you can start the clamav-freshclam service with the following command.
root@noufserver:~# sudo systemctl start clamav-freshclam
To enable ClamAV at boot, which improves your security by starting the service automatically for you, use the following command.
root@noufserver:~# sudo systemctl enable clamav-freshclam
Here is the output.
root@noufserver:~# sudo systemctl enable clamav-freshclam
Synchronizing state of clamav-freshclam.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable clamav-freshclam
To disable ClamAV at boot, use the following command.
root@noufserver:~# sudo systemctl disable clamav-freshclam
Here is the output.
root@noufserver:~# sudo systemctl disable clamav-freshclam
Synchronizing state of clamav-freshclam.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable clamav-freshclam
Removed /etc/systemd/system/multi-user.target.wants/clamav-freshclam.service.
Running a Linux Malware Detect Scan on Ubuntu 20.04
Test Linux Malware Detect's detection capability using the sample test files from the EICAR website.
Step 1: Download the sample virus signature files
Change the current working directory to /tmp and download the sample virus signature files from the EICAR website.
root@noufserver:~# cd /tmp
root@noufserver:/tmp# wget https://secure.eicar.org/eicar.com
root@noufserver:/tmp# wget https://secure.eicar.org/eicar_com.zip
root@noufserver:/tmp# wget https://secure.eicar.org/eicarcom2.zip
root@noufserver:/tmp# wget https://secure.eicar.org/eicar.com.txt
Here is the output.
root@noufserver:~# cd /tmp
root@noufserver:/tmp# wget https://secure.eicar.org/eicar.com
--2022-01-27 06:31:33-- https://secure.eicar.org/eicar.com
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/x-msdownload]
Saving to: 'eicar.com'
eicar.com 100%[=====================================================================================>] 68 --.-KB/s in 0s
2022-01-27 06:31:34 (4.09 MB/s) - 'eicar.com' saved [68/68]
root@noufserver:/tmp# wget https://secure.eicar.org/eicar_com.zip
--2022-01-27 06:31:42-- https://secure.eicar.org/eicar_com.zip
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 184 [application/zip]
Saving to: 'eicar_com.zip'
eicar_com.zip 100%[=====================================================================================>] 184 --.-KB/s in 0s
2022-01-27 06:31:43 (23.0 MB/s) - 'eicar_com.zip' saved [184/184]
root@noufserver:/tmp# wget https://secure.eicar.org/eicarcom2.zip
--2022-01-27 06:31:50-- https://secure.eicar.org/eicarcom2.zip
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 308 [application/zip]
Saving to: 'eicarcom2.zip'
eicarcom2.zip 100%[=====================================================================================>] 308 --.-KB/s in 0s
2022-01-27 06:31:51 (12.1 MB/s) - 'eicarcom2.zip' saved [308/308]
root@noufserver:/tmp# wget https://secure.eicar.org/eicar.com.txt
--2022-01-27 06:31:59-- https://secure.eicar.org/eicar.com.txt
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [text/plain]
Saving to: 'eicar.com.txt'
eicar.com.txt 100%[=====================================================================================>] 68 --.-KB/s in 0s
2022-01-27 06:31:59 (7.91 MB/s) - 'eicar.com.txt' saved [68/68]
root@noufserver:/tmp#
Step 2: Scan for malicious files
To scan the /tmp folder for malicious files, run the following command.
root@noufserver:~# maldet -a /tmp
Here is the output.
root@noufserver:~# maldet -a /tmp
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(16224): {scan} signatures loaded: 17264 (14442 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(16224): {scan} building file list for /tmp, this might take awhile...
maldet(16224): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(16224): {scan} file list completed in 0s, found 96 files...
maldet(16224): {scan} scan of /tmp (96 files) in progress...
maldet(16224): {scan} 96/96 files scanned: 12 hits 0 cleaned
maldet(16224): {scan} scan completed on /tmp: files 96, malware hits 12, cleaned hits 0, time 17s
maldet(16224): {scan} scan report saved, to view run: maldet --report 220127-0714.16224
maldet(16224): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 220127-0714.16224
After the scan completes, check the scan report with the following command.
maldet --report <ID>
Here is the correct syntax for the command.
root@noufserver:~# maldet --report 220127-0714.16224
Here is the output.
HOST: noufserver
SCAN ID: 220127-0714.16224
STARTED: Jan 27 2022 07:14:56 +0000
COMPLETED: Jan 27 2022 07:15:13 +0000
ELAPSED: 17s [find: 0s]
PATH: /tmp
TOTAL FILES: 96
TOTAL HITS: 12
TOTAL CLEANED: 0
WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 220127-0714.16224
FILE HIT LIST:
{HEX}php.cmdshell.antichat.201 : /tmp/maldetect-1.6.4/files/sigs/rfxn.yara
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com.txt
{HEX}EICAR.TEST.3 : /tmp/eicarcom2.zip
{HEX}php.cmdshell.antichat.201 : /tmp/maldetect-1.6.4/files/sigs/rfxn.yara
{HEX}php.gzbase64.inject.452 : /tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com
{MD5}EICAR.TEST.3.59 : /tmp/eicar.com.txt
{HEX}EICAR.TEST.3 : /tmp/eicarcom2.zip
===============================================
Linux Malware Detect v1.6.4 < [email protected] >
If you set quarantine_hits=1, the listed malware files are moved to the quarantine directory. The output then looks like the following.
root@noufserver:~# maldet -q 220127-0714.16224
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(18389): {quar} malware quarantined from '/tmp/maldetect-1.6.4/files/sigs/rfxn.yara' to '/usr/local/maldetect/quarantine/rfxn.yara.283112035'
maldet(18389): {quar} malware quarantined from '/tmp/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed' to '/usr/local/maldetect/quarantine/gzbase64.inject.unclassed.3214322411'
maldet(18389): {quar} malware quarantined from '/tmp/eicar_com.zip' to '/usr/local/maldetect/quarantine/eicar_com.zip.357324939'
maldet(18389): {quar} malware quarantined from '/tmp/eicar.com' to '/usr/local/maldetect/quarantine/eicar.com.1660021592'
maldet(18389): {quar} malware quarantined from '/tmp/eicar.com.txt' to '/usr/local/maldetect/quarantine/eicar.com.txt.2853016306'
maldet(18389): {quar} malware quarantined from '/tmp/eicarcom2.zip' to '/usr/local/maldetect/quarantine/eicarcom2.zip.2220119630'
Scanning a Directory with Maldet in the Background
If the file or directory is large, run the maldet scan process in the background. For example, to run a maldet scan of the /tmp directory in the background, use the following command.
root@noufserver:~# maldet -b -a /tmp
Here is the output.
root@noufserver:~# maldet -b -a /tmp
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(18831): {scan} launching scan of /tmp to background, see /usr/local/maldetect/logs/event_log for progress
To check the status of a background maldet scan, view the log file /usr/local/maldetect/logs/event_log with the following command.
root@noufserver:~# tail -f /usr/local/maldetect/logs/event_log
Here is the output.
root@noufserver:~# tail -f /usr/local/maldetect/logs/event_log
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} launching scan of /tmp to background, see /usr/local/maldetect/logs/event_log for progress
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} signatures loaded: 17264 (14442 MD5 | 2039 HEX | 783 YARA | 0 USER)
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} building file list for /tmp, this might take awhile...
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} executed eval /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/find "/tmp" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f -size +24c -size -6947618c -not -perm 000
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} file list completed in 0s, found 84 files...
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} no $mail or $sendmail binaries found, e-mail alerts disabled.
Jan 27 07:32:17 ip-172-31-15-18 maldet(18831): {scan} scan of /tmp (84 files) in progress...
Jan 27 07:32:33 ip-172-31-15-18 maldet(18831): {scan} scan completed on /tmp: files 84, malware hits 0, cleaned hits 0, time 16s
Jan 27 07:32:33 ip-172-31-15-18 maldet(18831): {scan} scan report saved, to view run: maldet --report 220127-0732.18831
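As an added example, not from the tutorial or from LMD, the following POSIX shell helper reads the {scan} lines maldet writes (the same lines shown in the foreground scan output and in event_log above), returns the most recent scan ID together with its hit count, and builds the follow-up maldet -q <scan ID> command only when that scan found hits, which is what a cron job or monitoring check would want after a background scan. The log path and the sample log lines are constructed from the format shown on this page.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of LMD: summarise the last
# completed maldet scan from its event_log. The log lines below are
# constructed from the format shown in this tutorial.

# last_scan_summary LOGFILE: print "<scan id> <malware hits>" for the last
# scan that logged both "scan completed" and "scan report saved".
last_scan_summary() {
  awk '
    /scan completed on/ {
      # "... malware hits 12, cleaned hits 0, ..." -> number after "malware hits "
      if (match($0, /malware hits [0-9]+/))
        hits = substr($0, RSTART + 13, RLENGTH - 13)
    }
    /scan report saved/ {
      # the scan id is the last field: "... maldet --report 220127-0714.16224"
      if (hits != "") { last = $NF " " hits; hits = "" }
    }
    END { if (last != "") print last }
  ' "$1"
}

# quarantine_command LOGFILE: print the follow-up command an operator would
# run, or nothing when the last scan was clean or no scan has completed.
quarantine_command() {
  set -- $(last_scan_summary "$1")
  if [ -n "$2" ] && [ "$2" -gt 0 ]; then echo "maldet -q $1"; fi
}

# Constructed sample event_log: one scan with hits, then a clean one.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 27 07:14:56 noufserver maldet(16224): {scan} scan of /tmp (96 files) in progress...
Jan 27 07:15:13 noufserver maldet(16224): {scan} scan completed on /tmp: files 96, malware hits 12, cleaned hits 0, time 17s
Jan 27 07:15:13 noufserver maldet(16224): {scan} scan report saved, to view run: maldet --report 220127-0714.16224
Jan 27 07:32:17 noufserver maldet(18831): {scan} scan of /tmp (84 files) in progress...
Jan 27 07:32:33 noufserver maldet(18831): {scan} scan completed on /tmp: files 84, malware hits 0, cleaned hits 0, time 16s
Jan 27 07:32:33 noufserver maldet(18831): {scan} scan report saved, to view run: maldet --report 220127-0732.18831
EOF
# The same log truncated after the first scan, to exercise the "hits" path.
SAMPLE_LOG_HITS=$(mktemp)
head -n 3 "$SAMPLE_LOG" > "$SAMPLE_LOG_HITS"
```

On a real server, pass /usr/local/maldetect/logs/event_log as the log file.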
Use the following command to clear the logs, the quarantine queue, and the session and temporary data from previous maldet scans.
root@noufserver:~# maldet -p
Here is the output.
root@noufserver:~# maldet -p
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(19989): {glob} logs and quarantine data cleared by user request (-p)
To confirm that the log data was removed, use the following command.
root@noufserver:~# maldet -l
Here is the output.
root@noufserver:~# maldet -l
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
Viewing last 50 lines from /usr/local/maldetect/logs/event_log:
Jan 27 07:35:51 noufserver maldet(19989): {glob} logs and quarantine data cleared by user request (-p)
Use the following command to update the malware detection signatures.
root@noufserver:~# maldet -u
Here is the output.
root@noufserver:~# maldet -u
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(20133): {sigup} performing signature update check...
maldet(20133): {sigup} local signature set is version 20220122476998
maldet(20133): {sigup} latest signature set already installed
The following command checks the installed maldet version against the latest available release.
root@noufserver:~# maldet -d
Here is the output.
root@noufserver:~# maldet -d
Linux Malware Detect v1.6.4
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(20239): {update} checking for available updates...
maldet(20239): {update} hashing install files and checking against server...
maldet(20239): {update} latest version already installed.
Summary
Linux Malware Detect is an effective way to clean up malware infections. However, securing the affected users or websites is still necessary to avoid suspicious activity, and it should be an important task before using Linux Malware Detect. Use appropriate security mitigation strategies to prevent suspicious activity from happening in the first place.
If you are looking for help securing your site or server, or for a server to host your site, Liquid Web is the right choice. At Liquid Web, we offer dedicated server and managed VPS hosting options. In addition, our skilled team provides 24/7/365 support and monitoring services so you can focus on your website. Contact our team today to learn more.