Sử dụng maldet

4
31409

Sử dụng maldet

Cài đặt và sử dụng

Cài đặt

$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ tar -xzf maldetect-current.tar.gz
$ cd maldetect-*
$ sudo sh ./install.sh

Cập nhật maldet

# maldet --update-ver

Cập nhật DB nhận biết malware

# maldet --update

Scan manually

maldet -a /path/to/files
maldet --include-regex ".*.php$" -a /home/?/public_html

Khi chạy xong sẽ hiện thông báo

maldet(9753): {scan} scan completed on /home/admin/: files 5, malware hits 0, cleaned hits 0 maldet(9753): {scan} scan report saved 'maldet --report 040511-2342.9753'

Để xem báo cáo về kết quả quét

maldet --report 040511-2342.9753

hoặc xem trực tiếp từ file

cat /usr/local/maldet/sess/040511-2342.9753

Để cô lập những file được phát hiện là malware

maldet -q 040511-0442.3282

Tham khảo lệnh inotifywait được gọi bởi maldet

/usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.15138 --exclude \(^/var/tmp/mysql.sock$|^/tmp/mysql.sock$|^/var/cache/buagent/md0.cache.data$|^/var/tmp/#sql_.*\.MYD$|^/tmp/#sql_.*\.MYD$|^/var/tmp/clamav-.*|^/tmp/clamav-.*|^/usr/local/maldetect*|^/dev/pts*|^/dev/null\) --timefmt %d %b %H:%M:%S --format %w%f %e %T -m -e create,move,modify

Log của inotifywait

/usr/local/maldetect/logs/inotify_log

Áp dụng lệnh inotifywait cho 1 số file extension cụ thể

/usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.15138 --exclude "[^p][^h][^p]$" --timefmt %d %b %H:%M:%S --format %w%f %e %T -m -e create,move,moved_to,modify
/usr/bin/inotifywait -r /home/admin/ --exclude "[^p][^h][^p]$" --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,moved_to,modify

maldet manpage

    -b, --background
      Execute operations in the background, ideal for large scans
      e.g: maldet -b -r /home/?/public_html 7

    -u, --update [--force]
       Update malware detection signatures from rfxn.com

    -d, --update-ver [--force]
       Update the installed version from rfxn.com

    -f, --file-list
       Scan files or paths defined in line spaced file 
       e.g: maldet -f /root/scan_file_list

    -m, --monitor USERS|PATHS|FILE
       Run maldet with inotify kernel level file create/modify monitoring
       If USERS is specified, monitor user homedirs for UID's > 500
       If FILE is specified, paths will be extracted from file, line spaced
       If PATHS are specified, must be comma spaced list, NO WILDCARDS!
       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

    -k, --kill
       Terminate inotify monitoring service

    -r, --scan-recent PATH DAYS
       Scan files created/modified in the last X days (default: 7d, wildcard: ?)
       e.g: maldet -r /home/?/public_html 2

    -a, --scan-all PATH
       Scan all files in path (default: /home, wildcard: ?)
       e.g: maldet -a /home/?/public_html

    -i, --include-regex REGEX
       Include paths/files from file list based on supplied posix-egrep regular expression.  
       e.g: To include only paths named wp-content and files ending in .php: --include-regex ".*/wp-content/.*|.*.php$"

    -x, --exclude-regex REGEX
       Exclude paths/files from file list based on supplied posix-egrep regular expression.  
       e.g: To exclude paths containing 'wp-content/w3tc/' and core files: --exclude-regex ".*wp-content/w3tc/.*|.*core.[0-9]+$"

    -c, --checkout FILE
       Upload suspected malware to rfxn.com for review & hashing into signatures

    -l, --log
       View maldet log file events

    -e, --report SCANID email
       View scan report of most recent scan or of a specific SCANID and optionally
       e-mail the report to a supplied e-mail address
       e.g: maldet --report
       e.g: maldet --report list
       e.g: maldet --report 050910-1534.21135
       e.g: maldet --report SCANID [email protected]

    -s, --restore FILE|SCANID
       Restore file from quarantine queue to orginal path or restore all items from
       a specific SCANID
       e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
       e.g: maldet --restore 050910-1534.21135

    -q, --quarantine SCANID
       Quarantine all malware from report SCANID
       e.g: maldet --quarantine 050910-1534.21135

    -n, --clean SCANID
       Try to clean & restore malware hits from report SCANID
       e.g: maldet --clean 050910-1534.21135

    -U, --user USER
       Set execution under specified user, ideal for restoring from user quarantine or
       to view user reports.
       e.g: maldet --user nobody --report
       e.g: maldet --user nobody --restore 050910-1534.21135

    -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
       Set or redefine the value of conf.maldet config options
       e.g: maldet --config-option [email protected],quar_hits=1

    -p, --purge
       Clear logs, quarantine queue, session and temporary data.

    --web-proxy IP:PORT
       Enable use of HTTP/HTTPS proxy for all remote URL calls.

Các file cấu hình

/etc/cron.daily/maldet

#!/usr/bin/env bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
export LMDCRON=1
inspath='/usr/local/maldetect'
intcnf="$inspath/internals/internals.conf"

if [ -f "$intcnf" ]; then
        source $intcnf
else
        echo "\$intcnf not found."
        exit 1
fi
if [ -f "$cnf" ]; then
        source $cnf
        if [ -f "$compatcnf" ]; then
                source $compatcnf
        fi
else
        echo "could not find \$cnf, fatal error, bye."
        exit 1
fi

if [ -f "/etc/sysconfig/maldet" ]; then
        . /etc/sysconfig/maldet
elif [ -f "/etc/default/maldet" ]; then
        . /etc/default/maldet
fi

if [ -f "$cron_custom_conf" ]; then
        . $cron_custom_conf
fi

if [ -z "$scan_days" ]; then
        scan_days=1
fi

if [ -z "$cron_prune_days" ]; then
        cron_prune_days=21
fi

if [ "$find" ]; then
        # prune any quarantine/session/tmp data older than 7 days
        tmpdirs="$tmpdir $varlibpath/sess $varlibpath/quarantine $varlibpath/pub"
        for dir in $tmpdirs; do
         if [ -d "$dir" ]; then
          $find $dir -type f -mtime +${cron_prune_days} -print0 | xargs -0 rm -f >> /dev/null 2>&1
         fi
        done
fi

if [ "$autoupdate_version" == "1" ] || [ "$autoupdate_signatures" == "1" ]; then
        # sleep for random 1-999s interval to better distribute upstream load
        sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
fi

if [ "$autoupdate_version" == "1" ]; then
        # check for new release version
        $inspath/maldet -d >> /dev/null 2>&1
fi

if [ "$autoupdate_signatures" == "1" ]; then
        # check for new definition set
        $inspath/maldet -u >> /dev/null 2>&1
fi

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "cmd" | grep -E maldetect | grep -E inotifywait)" ]; then
        $inspath/maldet --monitor-report >> /dev/null 2>&1
else
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                $inspath/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ $scan_days >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                $inspath/maldet -b -r /var/www/vhosts/?/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                $inspath/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ $scan_days >> /dev/null 2>&1
        elif [ -d "/var/www/clients" ]; then
                # ISPConfig
                $inspath/maldet -b -r /var/www/clients/?/web?/web,/var/www/clients/?/web?/subdomains,/var/www $scan_days >> /dev/null 2>&1
        elif [ -d "/etc/webmin/virtual-server" ]; then
                # Virtualmin
                $inspath/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/local/ispmgr" ]; then
                # ISPmanager
                $inspath/maldet -b -r /var/www/?/data/,/home/?/data/ $scan_days >> /dev/null 2>&1
        elif [ -d "/var/customers/webs" ]; then
                # froxlor
                $inspath/maldet -b -r /var/customers/webs/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/local/vesta" ]; then
                # VestaCP
                $inspath/maldet -b -r /home/?/web/?/public_html/,/home/?/web/?/public_shtml/,/home/?/tmp/,/home/?/web/?/private/ $scan_days >> /dev/null 2>&1
        elif [ -d "/usr/share/dtc" ]; then
                # DTC
                if [ -f /var/lib/dtc/saved_install_config ]; then
                    . /var/lib/dtc/saved_install_config
                fi
                $inspath/maldet -b -r ${conf_hosting_path:-/var/www/sites}/?/?/subdomains/?/html/ $scan_days >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                $inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1
        fi
fi

if [ -f "$cron_custom_exec" ]; then
        . $cron_custom_exec
fi

/etc/cron.d/maldet-pub

*/5 * * * * root /usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1

/usr/local/maldetect/conf.maldet

  • General Options
    • email_alert=”1″

      # Enable or disable e-mail alerts, this includes application version
      # alerts as well as automated/manual scan reports. On-demand reports
      # can still be sent using '--report SCANID [email protected]'.
      # [0 = disabled, 1 = enabled]
    • email_addr=”[email protected]

      # The destination e-mail addresses for automated/manual scan reports
      # and application version alerts.
      # [ multiple addresses comma (,) spaced ]
    • email_ignore_clean=”1″

      # Ignore e-mail alerts for scan reports in which all malware hits
      # have been automatically and successfully cleaned.
      # [0 = disabled, 1 = enabled]
    • autoupdate_signatures=”1″

      # This controls the daily automatic updates of LMD signature files
      # and cleaner rules. The signature update process preserves any
      # custom signature or cleaner files. It is highly recommended that this
      # be enabled as new signatures a released multiple times per-week.
      # [0 = disabled, 1 = enabled]
    • autoupdate_version=”1″

      # This controls the daily automatic updates of the LMD installation.
      # The installation update process preserves all configuration options
      # along with custom signature and cleaner files. It is recommended that
      # this be enabled to ensure the latest version, features and bug fixes
      # are always available.
      # [0 = disabled, 1 = enabled]
    • autoupdate_version_hashed=”1″

      # This controls validating the LMD executable MD5 hash with known
      # good upstream hash value. This allows LMD to replace the the
      # executable / force a reinstalltion in the event the LMD executable
      # is tampered with or corrupted. If you intend to make customizations
      # to the LMD executable, you should disable this feature.
      # [0 = disabled, 1 = enabled]
    • cron_prune_days=”21″

      # The retention period, in days, which quarantine, temporary files and stale
      # session information should be retained. Data older than this value is deleted
      # with the daily cron execution.
    • import_config_url=””

      # When defined, the import_config_url option allows a configuration file to be
      # downloaded from a remote URL. The local conf.maldet and internals.conf are
      # parsed followed by the imported configuration file. As such, only variables
      # defined in the imported configuration file are overridden and a full set of
      # configuration options is not explicitly required in the imported file.
    • import_config_expire=”43200″

      # The expiry interval for refreshing the local cached version of the imported
      # configuration file. The default is every 12h (43200 sec) which should be ok
      # for most setups.
    • import_custsigs_md5_url=””

      # When defined, the import_custsigs_*_url options allow for the custom signature
      # files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
      # SIGNATURE FILES! It is recommended for large-scale deployments to define these
      # variables within a import_config_url file.
    • import_custsigs_hex_url=””

      # When defined, the import_custsigs_*_url options allow for the custom signature
      # files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
      # SIGNATURE FILES! It is recommended for large-scale deployments to define these
      # variables within a import_config_url file.
  • Scan Options
    • scan_max_depth=”15″

      # The maximum directory depth that the scanner will search, a value
      # of 15 is recommended.
      # [ changing this may have an impact on scan performance ]
    • scan_min_filesize=”24″

      # The minimum file size in bytes for a file to be included in LMD scans.
      # [ changing this may have an impact on scan performance ]
    • scan_max_filesize=”2048k”

      # The maximum file size for a file to be included in LMD scans. Accepted
      # value formats are b, k, M. When using the clamscan engine, the max_filesize
      # will be dynamically set based on the largest known filesize from the MD5
      # hash signature file.
      # [ changing this may have an impact on scan performance ]
    • scan_hexdepth=”65536″

      # The maximum byte depth that the scanner will search into a files content.
      # The default signature rules expect a depth size of at least 65536 bytes.
      # [ changing this may have an impact on scan performance ]
    • scan_hexfifo=”1″

      # Use named pipe (FIFO) for passing file contents hex data instead of stdin
      # default; improved performance and greater scanning depth. This is highly
      # recommended and works on most systems. The hexfifo will be disabled
      # automatically if for any reason it can not be successfully utilized.
      # [ 0 = disabled, 1 = enabled ]
    • scan_hexfifo_depth=”524288″

      # The maximum byte depth that the scanner will search into a files content
      #s when using named pipe (FIFO). Improved performance allows for greater
      # scan depth over default scan_hexdepth value.
      # [ changing this may have an impact on scan performance ]
    • scan_clamscan=”1″

      # If installed, use ClamAV clamscan binary as default scan engine which
      # provides improved scan performance on large file sets. The clamscan
      # engine is used in conjunction with native ClamAV signatures updated
      # through freshclam along with LMD signatures providing additional
      # detection capabilities.
      # [ 0 = disabled, 1 = enabled ]
    • scan_tmpdir_paths=”/tmp /var/tmp /dev/shm”

      # Include the scanning of known temporary world-writable paths for
      # -a|--al and -r|--recent scan types.
    • scan_user_access=”0″

      # Allows non-root users to perform scans. This must be enabled when
      # using mod_security2 upload scanning or if you want to allow users
      # to perform scans. When enabled, this will populate 'pub/' with user
      # owned quarantine, session and temporary paths to faciliate scans.
      # [ 0 = disabled, 1 = enabled, disabled by default ]
    • scan_cpunice=”19″

      # Process CPU scheduling (nice) priority level for scan operations.
      # [ -19 = high prio , 19 = low prio, default = 19 ]
    • scan_ionice=”6″

      # Process IO scheduling (ionice) priority levels for scan operations.
      # (uses cbq best-effort scheduling class [-c2])
      # [ 0 = most favorable IO, 7 = least favorable IO ]
    • scan_cpulimit=”0″

      # Set hard limit on CPU usage for find and clam(d)scan processes. This
      # requires the 'cpulimit' binary to be available on the server. The values
      # are expressed as relative percentage * N cores on system. An 8 CPU core
      # server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
    • scan_ignore_root=”1″

      # As a design and common use case, LMD typically only scans user space paths
      # and as such it makes sense to ignore files that are root owned. It is
      # recommended to leave this enabled for best performance.
      # [ 0 = disabled, 1 = enabled ]
    • scan_ignore_user=””

      # This allows for specific user or groups to be ignored entirely from scan
      # file lists. This option should be used with care and is not ideal for
      # ignoring false positives. Instead, you should use one of the ignore files,
      # such as ignore_paths, to exclude a specific file name or path from scans.
      # [ comma or white spaced list of user and group names ]
    • scan_ignore_group=””

      # This allows for specific user or groups to be ignored entirely from scan
      # file lists. This option should be used with care and is not ideal for
      # ignoring false positives. Instead, you should use one of the ignore files,
      # such as ignore_paths, to exclude a specific file name or path from scans.
      # [ comma or white spaced list of user and group names ]
    • scan_find_timeout=”0″

      # The maximum amount of time, in seconds, that the 'find' file list generation
      # will run before it is terminated. All 'find' results up to the point of
      # termination will be fully scanned. If performing a full scan of all user paths
      # on a large server, it is reasonable to expect the find operation may take a
      # long time to complete and as such this feature may interfere. In such cases,
      # this feature can be disabled/modified on a per-scan basis using the
      # '-co|--config-option' CLI option, such as:
      # "maldet -co scan_find_timeout=0 -a /home/?/public_html".
      # [ 0 = disabled, 14400 = 4hr recommended timeout ]
    • scan_export_filelist=”0″

      # The daily cron 'find' operation performed by LMD detects recently created/modifed
      # user files. This 'find' operation can be especially resource intensive and it may
      # be desirable to persist the file list results so that other applications/tasks
      # may make use of the results. When scan_export_filelist is set enabled, the most
      # recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
      # [ 0 = disabled, 1 = enabled ]
  • Quarantine Options
    • quarantine_hits=”1″

      # The default quarantine action for malware hits
      # [0 = alert only, 1 = move to quarantine & alert]
    • quarantine_clean=”1″

      # Try to clean string based malware injections
      # [NOTE: quarantine_hits=1 required]
      # [0 = disabled, 1 = clean]
    • quarantine_suspend_user=”0″

      # The default suspend action for users wih hits
      # Cpanel suspend or set shell /bin/false on non-Cpanel
      # [NOTE: quarantine_hits=1 required]
      # [0 = disabled, 1 = suspend account]
    • quarantine_suspend_user_minuid=”500″

      # The minimum userid value that can be suspended
      # [ default = 500 ]
  • Monitoring Options
    • default_monitor_mode=””

      # The default startup option for monitor mode, either 'users' or path to line
      # spaced file containing local paths to monitor. This option is used for the
      # init based startup script. This value is ignored when '/etc/sysconfig/maldet'
      # or '/etc/default/maldet' is present with a defined value for .
    • inotify_base_watches=”16384″

      # The base number of files that can be watched under a path
      # [ maximum file watches = inotify_base_watches*users ]
    • inotify_sleep=”30″

      # The sleep time in seconds between monitor runs to scan files
      # that have been created/modified/moved
    • inotify_reloadtime=”3600″

      # The interval in seconds that inotify will reload configuration
      # data, including remote configuration imports.
    • inotify_minuid=”500″

      # The minimum userid that will be added to path monitoring when
      # the USERS option is specified
    • inotify_docroot=”public_html,public_ftp”

      # This is the html/web root for users relative to homedir, when
      # this option is set, users will only have the webdir monitored
      # [ comma spaced list, clear option to default monitor user homedir ]
    • inotify_cpunice=”18″

      # Process CPU scheduling (nice) priority level for monitoring process.
      # [ -19 = high prio , 19 = low prio, default = 15 ]
    • inotify_ionice=”6″

      # Process IO scheduling (ionice) priority levels for scan operations.
      # (uses cbq best-effort scheduling class [-c2])
      # [ 0 = most favorable IO, 7 = least favorable IO ]
    • inotify_cpulimit=”0″

      # Set hard limit on CPU usage for inotify monitoring processes. This requires
      # the 'cpulimit' binary to be available on the server. The values are expressed
      # as relative percentage * N cores on system. An 8 CPU core system would accept
      # values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
    • inotify_verbose=”0″

      # Log every file scanned by inotify monitoring mode; this is not recommended
      # and will drown out your 'event_log' file, intended only for debugging purposes.
  • Statistical Analysis
    • string_length_scan=”0″

      # The string length test is used to identify threats based on the
      # length of the longest uninterrupted string within a file. This is
      # useful as obfuscated code is often stored using encoding methods
      # that produce very long strings without spaces (e.g: base64)
      # [ string length in characters, default = 150000 ]
    • string_length=”150000″

      # The string length test is used to identify threats based on the
      # length of the longest uninterrupted string within a file. This is
      # useful as obfuscated code is often stored using encoding methods
      # that produce very long strings without spaces (e.g: base64)
      # [ string length in characters, default = 150000 ]

/etc/sysconfig/maldet

##
# Linux Malware Detect v1.6.2
#             (C) 2002-2017, R-fx Networks <[email protected]>
#             (C) 2017, Ryan MacDonald <[email protected]>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
# MONITOR_MODE
# users      | monitor all local unix users
# PATH FILE  | read path file, line spaced, for local paths to monitor

#MONITOR_MODE="users"
#MONITOR_MODE="/usr/local/maldetect/monitor_paths"

/usr/local/maldetect/internals/internals.conf

##
# Linux Malware Detect v1.6.2
#             (C) 2002-2017, R-fx Networks <[email protected]>
#             (C) 2017, Ryan MacDonald <[email protected]>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#

inspath=/usr/local/maldetect
intcnf="$inspath/internals/internals.conf"
libpath="$inspath/internals"
intfunc="$libpath/functions"

logdir="$inspath/logs"
confpath="$inspath"
cnffile="conf.maldet"
cnf="$confpath/$cnffile"
varlibpath="$inspath"
maldet_log="$logdir/event_log"
clamscan_log="$logdir/clamscan_log"
datestamp=`date +"%y%m%d-%H%M"`
utime=`date +"%s"`
user=`whoami`

if [ "$OSTYPE" == "FreeBSD" ]; then
        md5sum="/sbin/md5 -q"
else
        md5sum=`which md5sum 2> /dev/null`
fi

hostid=`which hostid 2> /dev/null`
if [ "$hostid" ]; then
        hostid=`$hostid | $md5sum | awk '{print$1}'`
else
        hostid=`uname -a | $md5sum | awk '{print$1}'`
fi
storename_prefix="$hostid.$RANDOM"

od=`which od 2> /dev/null`
find=`which find 2> /dev/null`
perl=`which perl 2> /dev/null`
nice=`which nice 2> /dev/null`
cpulimit=`which cpulimit 2> /dev/null`
ionice=`which ionice 2> /dev/null`
wc=`which wc 2> /dev/null`
mail=`which mail 2> /dev/null`
sendmail=`which sendmail 2> /dev/null`
wget=`which wget 2> /dev/null`
curl=`which curl 2> /dev/null`
pidof=`which pidof 2> /dev/null`
sed=`which sed 2> /dev/null`
stat=`which stat 2> /dev/null`
logger=`which logger 2> /dev/null`
clamscan_extraopts=""
clamdscan_extraopts=""
clamdscan=`which clamdscan 2> /dev/null`

ignore_paths="$confpath/ignore_paths"
ignore_sigs="$confpath/ignore_sigs"
ignore_inotify="$confpath/ignore_inotify"
ignore_file_ext="$confpath/ignore_file_ext"
quardir="$varlibpath/quarantine"
sessdir="$varlibpath/sess"
sigdir="$varlibpath/sigs"
cldir="$varlibpath/clean"
tmpdir="$inspath/tmp"
userbasedir="$varlibpath/pub"
hits_history="$sessdir/hits.hist"
quar_history="$sessdir/quarantine.hist"
clean_history="$sessdir/clean.hist"
suspend_history="$sessdir/suspend.hist"
monitor_scanned_history="$sessdir/monitor.scanned.hist"

sig_version_file="$sigdir/maldet.sigs.ver"
if [ -f "$sig_version_file" ]; then
        sig_version=`cat $sig_version_file`
fi
sig_version_url="https://cdn.rfxn.com/downloads/maldet.sigs.ver"
sig_sigpack_url="https://cdn.rfxn.com/downloads/maldet-sigpack.tgz"
sig_clpack_url="https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz"

sig_md5_file="$sigdir/md5v2.dat"
sig_hex_file="$sigdir/hex.dat"
sig_yara_file="$sigdir/rfxn.yara"
sig_cav_hex_file="$sigdir/rfxn.ndb"
sig_cav_md5_file="$sigdir/rfxn.hdb"
sig_cust_md5_file="$sigdir/custom.md5.dat"
sig_cust_hex_file="$sigdir/custom.hex.dat"

lmd_versionsion_file="$inspath/VERSION"
lmd_version="$ver"
lmd_referer="LMD:$ver:$hostid"
lmd_hash_file="$inspath/internals/VERSION.hash"
lmd_hash_url="https://cdn.rfxn.com/downloads/maldet.current.hash"
lmd_version_url="https://cdn.rfxn.com/downloads/maldet.current.ver"
lmd_current_tgzbase_url="https://cdn.rfxn.com/downloads"
lmd_current_tgzfile="maldetect-current.tar.gz"

dig=`which dig 2> /dev/null`
nslookup=`which nslookup 2> /dev/null`
if [ -f "/var/cpanel/mainip" ]; then
        remote_ip=`cat /var/cpanel/mainip`
elif [ -f "$dig" ]; then
        remote_ip=`$dig +short +time=3 +retry=2 myip.opendns.com @resolver1.opendns.com`
elif [ -f "$nslookup" ]; then
        remote_ip=`$nslookup -sil -querytype=A myip.opendns.com resolver1.opendns.com | awk '/^Address: / { print $2 ; exit }'`
fi
remote_uri_timeout="10"
remote_uri_retries="3"
clamav_paths="/usr/local/cpanel/3rdparty/share/clamav/ /var/lib/clamav/ /var/clamav/ /usr/share/clamav/ /usr/local/share/clamav"
tlog="$libpath/tlog"
inotify=`which inotifywait 2> /dev/null`
inotify_log="$inspath/logs/inotify_log"
inotify_user_instances=128
inotify_trim=150000
hex_fifo_path="$varlibpath/internals/hexfifo"
hex_fifo_script="$libpath/hexfifo.pl"
hex_string_script="$libpath/hexstring.pl"
scan_user_access_minuid=30
find_opts="-regextype posix-egrep"
email_template="$libpath/scan.etpl"
email_subj="maldet alert from $(hostname)"
cron_custom_exec="$confpath/cron/custom.cron"
cron_custom_conf="$confpath/cron/conf.maldet.cron"
compatcnf="$libpath/compat.conf"

if [ "$OSTYPE" == "FreeBSD" ]; then
        sed="$sed -E"
        find_opts=""
fi

4
Leave a Reply

avatar
3 Comment threads
1 Thread replies
11978 Followers
 
Most reacted comment
Hottest comment thread
4 Comment authors
TrungDexterribadminHanaweb Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Hanaweb
Guest

Nếu maldet quét nhầm file thì cài đặt bỏ qua thế nào ad ơi?

Dexterrib
Guest

continue reading this https://bcasinodeutschland.com

Trung
Guest
Trung

Có cách nào bắt dc ScanID bằng hàm sau mỗi lần quét không ạ. em muốn mỗi lần quét xuất báo cáo ra file txt. em chạy crontab. viết 1 bashshell gọi lệnh quét mà ko biết xuất report ra file làm thế nào ậ