Sử dụng maldet


Sử dụng maldet

Cài đặt và sử dụng

Cài đặt

$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ tar -xzf maldetect-current.tar.gz
$ cd maldetect-*
$ sudo sh ./install.sh

Cập nhật maldet

# maldet --update-ver

Cập nhật DB nhận biết malware

# maldet --update

Scan manually

maldet -a /path/to/files
maldet --include-regex ".*.php$" -a /home/?/public_html

Khi chạy xong sẽ hiện thông báo

maldet(9753): {scan} scan completed on /home/admin/: files 5, malware hits 0, cleaned hits 0
maldet(9753): {scan} scan report saved 'maldet --report 040511-2342.9753'

Để xem báo cáo về kết quả quét

maldet --report 040511-2342.9753

hoặc xem trực tiếp từ file

cat /usr/local/maldet/sess/040511-2342.9753

Để cô lập những file được phát hiện là malware

maldet -q 040511-0442.3282

Tham khảo lệnh inotifywait được gọi bởi maldet

# Presumably copied from a process listing, which is why the --timefmt and
# --format values appear unquoted; if this line is run by hand they must be
# quoted ("%d %b %H:%M:%S", "%w%f %e %T"), otherwise the shell splits them
# into separate arguments. The --exclude value is one POSIX extended regex
# of alternatives (sockets, MySQL temp tables, clamav temp files, maldet's
# own tree, /dev/pts, /dev/null).
/usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.15138 --exclude \(^/var/tmp/mysql.sock$|^/tmp/mysql.sock$|^/var/cache/buagent/md0.cache.data$|^/var/tmp/#sql_.*\.MYD$|^/tmp/#sql_.*\.MYD$|^/var/tmp/clamav-.*|^/tmp/clamav-.*|^/usr/local/maldetect*|^/dev/pts*|^/dev/null\) --timefmt %d %b %H:%M:%S --format %w%f %e %T -m -e create,move,modify

Log của inotifywait

/usr/local/maldetect/logs/inotify_log

Áp dụng lệnh inotifywait cho 1 số file extension cụ thể

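# Watch only PHP files: --exclude drops every event whose path does NOT end
# in the three characters p,h,p. Note this is a negated character-class
# match, not a ".php$" suffix test, so a name such as foo.ahp is still
# monitored (only its middle character differs from "php"); tighten the
# regex if that matters. The --timefmt/--format values contain spaces and
# must be quoted, otherwise the shell splits them into separate arguments.
/usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.15138 --exclude "[^p][^h][^p]$" --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,moved_to,modify
/usr/bin/inotifywait -r /home/admin/ --exclude "[^p][^h][^p]$" --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,moved_to,modify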

maldet manpage

    -b, --background
      Execute operations in the background, ideal for large scans
      e.g: maldet -b -r /home/?/public_html 7

    -u, --update [--force]
       Update malware detection signatures from rfxn.com

    -d, --update-ver [--force]
       Update the installed version from rfxn.com

    -f, --file-list
       Scan files or paths defined in line spaced file 
       e.g: maldet -f /root/scan_file_list

    -m, --monitor USERS|PATHS|FILE
       Run maldet with inotify kernel level file create/modify monitoring
       If USERS is specified, monitor user homedirs for UID's > 500
       If FILE is specified, paths will be extracted from file, line spaced
       If PATHS are specified, must be comma spaced list, NO WILDCARDS!
       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

    -k, --kill
       Terminate inotify monitoring service

    -r, --scan-recent PATH DAYS
       Scan files created/modified in the last X days (default: 7d, wildcard: ?)
       e.g: maldet -r /home/?/public_html 2

    -a, --scan-all PATH
       Scan all files in path (default: /home, wildcard: ?)
       e.g: maldet -a /home/?/public_html

    -i, --include-regex REGEX
       Include paths/files from file list based on supplied posix-egrep regular expression.  
       e.g: To include only paths named wp-content and files ending in .php: --include-regex ".*/wp-content/.*|.*.php$"

    -x, --exclude-regex REGEX
       Exclude paths/files from file list based on supplied posix-egrep regular expression.  
       e.g: To exclude paths containing 'wp-content/w3tc/' and core files: --exclude-regex ".*wp-content/w3tc/.*|.*core.[0-9]+$"

    -c, --checkout FILE
       Upload suspected malware to rfxn.com for review & hashing into signatures

    -l, --log
       View maldet log file events

    -e, --report SCANID email
       View scan report of most recent scan or of a specific SCANID and optionally
       e-mail the report to a supplied e-mail address
       e.g: maldet --report
       e.g: maldet --report list
       e.g: maldet --report 050910-1534.21135
       e.g: maldet --report SCANID [email protected]

    -s, --restore FILE|SCANID
       Restore file from quarantine queue to original path or restore all items from
       a specific SCANID
       e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
       e.g: maldet --restore 050910-1534.21135

    -q, --quarantine SCANID
       Quarantine all malware from report SCANID
       e.g: maldet --quarantine 050910-1534.21135

    -n, --clean SCANID
       Try to clean & restore malware hits from report SCANID
       e.g: maldet --clean 050910-1534.21135

    -U, --user USER
       Set execution under specified user, ideal for restoring from user quarantine or
       to view user reports.
       e.g: maldet --user nobody --report
       e.g: maldet --user nobody --restore 050910-1534.21135

    -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
       Set or redefine the value of conf.maldet config options
       e.g: maldet --config-option [email protected],quar_hits=1

    -p, --purge
       Clear logs, quarantine queue, session and temporary data.

    --web-proxy IP:PORT
       Enable use of HTTP/HTTPS proxy for all remote URL calls.

Các file cấu hình

/etc/cron.daily/maldet

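#!/usr/bin/env bash
# /etc/cron.daily/maldet -- daily Linux Malware Detect (LMD) maintenance job.
#
# Steps, in order: load the LMD internals/config files, prune quarantine,
# session, tmp and pub data older than $cron_prune_days, optionally
# self-update the program and the signatures, then either send the inotify
# monitor's daily hit summary (when the monitor is running) or start a
# background scan of files changed in the last $scan_days under the web
# roots of whichever control panel is detected.
#
# Everything sourced below (internals.conf, conf.maldet, compat.conf,
# /etc/sysconfig/maldet or /etc/default/maldet, cron/conf.maldet.cron and
# cron/custom.cron) is executed as shell code with this job's privileges,
# so those files must not be writable by untrusted accounts.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
export LMDCRON=1
inspath='/usr/local/maldetect'
intcnf="$inspath/internals/internals.conf"

# internals.conf supplies $cnf, $compatcnf, $find, $tmpdir, $varlibpath,
# $cron_custom_conf and $cron_custom_exec; nothing below works without it.
if [ -f "$intcnf" ]; then
        source "$intcnf"
else
        echo "\$intcnf not found." >&2
        exit 1
fi
if [ -f "$cnf" ]; then
        source "$cnf"
        if [ -f "$compatcnf" ]; then
                source "$compatcnf"
        fi
else
        echo "could not find \$cnf, fatal error, bye." >&2
        exit 1
fi

# distribution-specific overrides
if [ -f "/etc/sysconfig/maldet" ]; then
        . /etc/sysconfig/maldet
elif [ -f "/etc/default/maldet" ]; then
        . /etc/default/maldet
fi

# cron-only configuration overrides
if [ -f "$cron_custom_conf" ]; then
        . "$cron_custom_conf"
fi

# defaults when the configuration leaves these unset
if [ -z "$scan_days" ]; then
        scan_days=1
fi

if [ -z "$cron_prune_days" ]; then
        cron_prune_days=21
fi

if [ "$find" ]; then
        # prune any quarantine/session/tmp/pub data older than $cron_prune_days;
        # the directory list is an array and every expansion is quoted so a
        # path containing whitespace is neither split nor skipped
        tmpdirs=("$tmpdir" "$varlibpath/sess" "$varlibpath/quarantine" "$varlibpath/pub")
        for dir in "${tmpdirs[@]}"; do
                if [ -d "$dir" ]; then
                        "$find" "$dir" -type f -mtime +"$cron_prune_days" -print0 \
                                | xargs -0 rm -f -- > /dev/null 2>&1
                fi
        done
fi

if [ "$autoupdate_version" == "1" ] || [ "$autoupdate_signatures" == "1" ]; then
        # sleep for a random 1-999s interval to better distribute upstream load
        sleep $(( RANDOM % 999 + 1 )) > /dev/null 2>&1
fi

if [ "$autoupdate_version" == "1" ]; then
        # check for new release version
        "$inspath/maldet" -d > /dev/null 2>&1
fi

if [ "$autoupdate_signatures" == "1" ]; then
        # check for new definition set
        "$inspath/maldet" -u > /dev/null 2>&1
fi

# if we're running inotify monitoring, send the daily hit summary instead of
# starting a scan
if [ "$(ps -A --user root -o "cmd" | grep -E maldetect | grep -E inotifywait)" ]; then
        "$inspath/maldet" --monitor-report > /dev/null 2>&1
else
        # Pick the web roots of the detected control panel. The '?' is
        # maldet's own wildcard (see 'maldet -r'), so each path list is
        # quoted: left bare, a single-pattern argument such as
        # /var/www/vhosts/?/ is expanded by the shell into several arguments
        # whenever a matching one-character directory name exists.
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                "$inspath/maldet" -b -r "/home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/" "$scan_days" > /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                "$inspath/maldet" -b -r "/var/www/vhosts/?/" "$scan_days" > /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                "$inspath/maldet" -b -r "/home?/?/domains/?/public_html/,/var/www/html/?/" "$scan_days" > /dev/null 2>&1
        elif [ -d "/var/www/clients" ]; then
                # ISPConfig
                "$inspath/maldet" -b -r "/var/www/clients/?/web?/web,/var/www/clients/?/web?/subdomains,/var/www" "$scan_days" > /dev/null 2>&1
        elif [ -d "/etc/webmin/virtual-server" ]; then
                # Virtualmin
                "$inspath/maldet" -b -r "/home/?/public_html/,/home/?/domains/?/public_html/" "$scan_days" > /dev/null 2>&1
        elif [ -d "/usr/local/ispmgr" ]; then
                # ISPmanager
                "$inspath/maldet" -b -r "/var/www/?/data/,/home/?/data/" "$scan_days" > /dev/null 2>&1
        elif [ -d "/var/customers/webs" ]; then
                # froxlor
                "$inspath/maldet" -b -r "/var/customers/webs/" "$scan_days" > /dev/null 2>&1
        elif [ -d "/usr/local/vesta" ]; then
                # VestaCP
                "$inspath/maldet" -b -r "/home/?/web/?/public_html/,/home/?/web/?/public_shtml/,/home/?/tmp/,/home/?/web/?/private/" "$scan_days" > /dev/null 2>&1
        elif [ -d "/usr/share/dtc" ]; then
                # DTC: its saved install config provides $conf_hosting_path
                if [ -f /var/lib/dtc/saved_install_config ]; then
                        . /var/lib/dtc/saved_install_config
                fi
                "$inspath/maldet" -b -r "${conf_hosting_path:-/var/www/sites}/?/?/subdomains/?/html/" "$scan_days" > /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                "$inspath/maldet" -b -r "/home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/" "$scan_days" > /dev/null 2>&1
        fi
fi

# site-specific hook, executed with this job's privileges
if [ -f "$cron_custom_exec" ]; then
        . "$cron_custom_exec"
fi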

/etc/cron.d/maldet-pub

*/5 * * * * root /usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1

/usr/local/maldetect/conf.maldet

  • General Options
    • email_alert="1"

      # Enable or disable e-mail alerts, this includes application version
      # alerts as well as automated/manual scan reports. On-demand reports
      # can still be sent using '--report SCANID [email protected]'.
      # [0 = disabled, 1 = enabled]
    • email_addr="[email protected]"

      # The destination e-mail addresses for automated/manual scan reports
      # and application version alerts.
      # [ multiple addresses comma (,) spaced ]
    • email_ignore_clean="1"

      # Ignore e-mail alerts for scan reports in which all malware hits
      # have been automatically and successfully cleaned.
      # [0 = disabled, 1 = enabled]
    • autoupdate_signatures="1"

      # This controls the daily automatic updates of LMD signature files
      # and cleaner rules. The signature update process preserves any
      # custom signature or cleaner files. It is highly recommended that this
      # be enabled as new signatures are released multiple times per-week.
      # [0 = disabled, 1 = enabled]
    • autoupdate_version="1"

      # This controls the daily automatic updates of the LMD installation.
      # The installation update process preserves all configuration options
      # along with custom signature and cleaner files. It is recommended that
      # this be enabled to ensure the latest version, features and bug fixes
      # are always available.
      # [0 = disabled, 1 = enabled]
    • autoupdate_version_hashed="1"

      # This controls validating the LMD executable MD5 hash with known
      # good upstream hash value. This allows LMD to replace the
      # executable / force a reinstallation in the event the LMD executable
      # is tampered with or corrupted. If you intend to make customizations
      # to the LMD executable, you should disable this feature.
      # [0 = disabled, 1 = enabled]
    • cron_prune_days="21"

      # The retention period, in days, which quarantine, temporary files and stale
      # session information should be retained. Data older than this value is deleted
      # with the daily cron execution.
    • import_config_url=""

      # When defined, the import_config_url option allows a configuration file to be
      # downloaded from a remote URL. The local conf.maldet and internals.conf are
      # parsed followed by the imported configuration file. As such, only variables
      # defined in the imported configuration file are overridden and a full set of
      # configuration options is not explicitly required in the imported file.
    • import_config_expire="43200"

      # The expiry interval for refreshing the local cached version of the imported
      # configuration file. The default is every 12h (43200 sec) which should be ok
      # for most setups.
    • import_custsigs_md5_url=""

      # When defined, the import_custsigs_*_url options allow for the custom signature
      # files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
      # SIGNATURE FILES! It is recommended for large-scale deployments to define these
      # variables within a import_config_url file.
    • import_custsigs_hex_url=""

      # When defined, the import_custsigs_*_url options allow for the custom signature
      # files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
      # SIGNATURE FILES! It is recommended for large-scale deployments to define these
      # variables within a import_config_url file.
  • Scan Options
    • scan_max_depth="15"

      # The maximum directory depth that the scanner will search, a value
      # of 15 is recommended.
      # [ changing this may have an impact on scan performance ]
    • scan_min_filesize="24"

      # The minimum file size in bytes for a file to be included in LMD scans.
      # [ changing this may have an impact on scan performance ]
    • scan_max_filesize="2048k"

      # The maximum file size for a file to be included in LMD scans. Accepted
      # value formats are b, k, M. When using the clamscan engine, the max_filesize
      # will be dynamically set based on the largest known filesize from the MD5
      # hash signature file.
      # [ changing this may have an impact on scan performance ]
    • scan_hexdepth="65536"

      # The maximum byte depth that the scanner will search into a file's content.
      # The default signature rules expect a depth size of at least 65536 bytes.
      # [ changing this may have an impact on scan performance ]
    • scan_hexfifo="1"

      # Use named pipe (FIFO) for passing file contents hex data instead of stdin
      # default; improved performance and greater scanning depth. This is highly
      # recommended and works on most systems. The hexfifo will be disabled
      # automatically if for any reason it can not be successfully utilized.
      # [ 0 = disabled, 1 = enabled ]
    • scan_hexfifo_depth="524288"

      # The maximum byte depth that the scanner will search into a file's contents
      # when using a named pipe (FIFO). Improved performance allows for greater
      # scan depth over default scan_hexdepth value.
      # [ changing this may have an impact on scan performance ]
    • scan_clamscan="1"

      # If installed, use ClamAV clamscan binary as default scan engine which
      # provides improved scan performance on large file sets. The clamscan
      # engine is used in conjunction with native ClamAV signatures updated
      # through freshclam along with LMD signatures providing additional
      # detection capabilities.
      # [ 0 = disabled, 1 = enabled ]
    • scan_tmpdir_paths="/tmp /var/tmp /dev/shm"

      # Include the scanning of known temporary world-writable paths for
      # -a|--al and -r|--recent scan types.
    • scan_user_access="0"

      # Allows non-root users to perform scans. This must be enabled when
      # using mod_security2 upload scanning or if you want to allow users
      # to perform scans. When enabled, this will populate 'pub/' with user
      # owned quarantine, session and temporary paths to facilitate scans.
      # [ 0 = disabled, 1 = enabled, disabled by default ]
    • scan_cpunice="19"

      # Process CPU scheduling (nice) priority level for scan operations.
      # [ -19 = high prio , 19 = low prio, default = 19 ]
    • scan_ionice="6"

      # Process IO scheduling (ionice) priority levels for scan operations.
      # (uses cbq best-effort scheduling class [-c2])
      # [ 0 = most favorable IO, 7 = least favorable IO ]
    • scan_cpulimit="0"

      # Set hard limit on CPU usage for find and clam(d)scan processes. This
      # requires the 'cpulimit' binary to be available on the server. The values
      # are expressed as relative percentage * N cores on system. An 8 CPU core
      # server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
    • scan_ignore_root="1"

      # As a design and common use case, LMD typically only scans user space paths
      # and as such it makes sense to ignore files that are root owned. It is
      # recommended to leave this enabled for best performance.
      # [ 0 = disabled, 1 = enabled ]
    • scan_ignore_user=""

      # This allows for specific user or groups to be ignored entirely from scan
      # file lists. This option should be used with care and is not ideal for
      # ignoring false positives. Instead, you should use one of the ignore files,
      # such as ignore_paths, to exclude a specific file name or path from scans.
      # [ comma or white spaced list of user and group names ]
    • scan_ignore_group=""

      # This allows for specific user or groups to be ignored entirely from scan
      # file lists. This option should be used with care and is not ideal for
      # ignoring false positives. Instead, you should use one of the ignore files,
      # such as ignore_paths, to exclude a specific file name or path from scans.
      # [ comma or white spaced list of user and group names ]
    • scan_find_timeout="0"

      # The maximum amount of time, in seconds, that the 'find' file list generation
      # will run before it is terminated. All 'find' results up to the point of
      # termination will be fully scanned. If performing a full scan of all user paths
      # on a large server, it is reasonable to expect the find operation may take a
      # long time to complete and as such this feature may interfere. In such cases,
      # this feature can be disabled/modified on a per-scan basis using the
      # '-co|--config-option' CLI option, such as:
      # "maldet -co scan_find_timeout=0 -a /home/?/public_html".
      # [ 0 = disabled, 14400 = 4hr recommended timeout ]
    • scan_export_filelist="0"

      # The daily cron 'find' operation performed by LMD detects recently created/modified
      # user files. This 'find' operation can be especially resource intensive and it may
      # be desirable to persist the file list results so that other applications/tasks
      # may make use of the results. When scan_export_filelist is set enabled, the most
      # recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
      # [ 0 = disabled, 1 = enabled ]
  • Quarantine Options
    • quarantine_hits="1"

      # The default quarantine action for malware hits
      # [0 = alert only, 1 = move to quarantine & alert]
    • quarantine_clean="1"

      # Try to clean string based malware injections
      # [NOTE: quarantine_hits=1 required]
      # [0 = disabled, 1 = clean]
    • quarantine_suspend_user="0"

      # The default suspend action for users with hits
      # Cpanel suspend or set shell /bin/false on non-Cpanel
      # [NOTE: quarantine_hits=1 required]
      # [0 = disabled, 1 = suspend account]
    • quarantine_suspend_user_minuid="500"

      # The minimum userid value that can be suspended
      # [ default = 500 ]
  • Monitoring Options
    • default_monitor_mode=""

      # The default startup option for monitor mode, either 'users' or path to line
      # spaced file containing local paths to monitor. This option is used for the
      # init based startup script. This value is ignored when '/etc/sysconfig/maldet'
      # or '/etc/default/maldet' is present with a defined value for .
    • inotify_base_watches="16384"

      # The base number of files that can be watched under a path
      # [ maximum file watches = inotify_base_watches*users ]
    • inotify_sleep="30"

      # The sleep time in seconds between monitor runs to scan files
      # that have been created/modified/moved
    • inotify_reloadtime="3600"

      # The interval in seconds that inotify will reload configuration
      # data, including remote configuration imports.
    • inotify_minuid="500"

      # The minimum userid that will be added to path monitoring when
      # the USERS option is specified
    • inotify_docroot="public_html,public_ftp"

      # This is the html/web root for users relative to homedir, when
      # this option is set, users will only have the webdir monitored
      # [ comma spaced list, clear option to default monitor user homedir ]
    • inotify_cpunice="18"

      # Process CPU scheduling (nice) priority level for monitoring process.
      # [ -19 = high prio , 19 = low prio, default = 15 ]
    • inotify_ionice="6"

      # Process IO scheduling (ionice) priority levels for scan operations.
      # (uses cbq best-effort scheduling class [-c2])
      # [ 0 = most favorable IO, 7 = least favorable IO ]
    • inotify_cpulimit="0"

      # Set hard limit on CPU usage for inotify monitoring processes. This requires
      # the 'cpulimit' binary to be available on the server. The values are expressed
      # as relative percentage * N cores on system. An 8 CPU core system would accept
      # values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
    • inotify_verbose="0"

      # Log every file scanned by inotify monitoring mode; this is not recommended
      # and will drown out your 'event_log' file, intended only for debugging purposes.
  • Statistical Analysis
    • string_length_scan="0"

      # The string length test is used to identify threats based on the
      # length of the longest uninterrupted string within a file. This is
      # useful as obfuscated code is often stored using encoding methods
      # that produce very long strings without spaces (e.g: base64)
      # [ string length in characters, default = 150000 ]
    • string_length="150000"

      # The string length test is used to identify threats based on the
      # length of the longest uninterrupted string within a file. This is
      # useful as obfuscated code is often stored using encoding methods
      # that produce very long strings without spaces (e.g: base64)
      # [ string length in characters, default = 150000 ]

/etc/sysconfig/maldet

##
# Linux Malware Detect v1.6.2
#             (C) 2002-2017, R-fx Networks <[email protected]>
#             (C) 2017, Ryan MacDonald <[email protected]>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
# MONITOR_MODE
# users      | monitor all local unix users
# PATH FILE  | read path file, line spaced, for local paths to monitor

#MONITOR_MODE="users"
#MONITOR_MODE="/usr/local/maldetect/monitor_paths"

/usr/local/maldetect/internals/internals.conf

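##
# Linux Malware Detect v1.6.2
#             (C) 2002-2017, R-fx Networks <[email protected]>
#             (C) 2017, Ryan MacDonald <[email protected]>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
# internals.conf: install paths, helper-tool locations, signature/update URLs
# and history-file locations. This file is sourced, i.e. executed as shell
# code, by maldet and by the daily cron job, so it must only be writable by
# the account that runs them. $ver and $OSTYPE are expected to be provided by
# the sourcing script/shell; they are not defined here.

inspath=/usr/local/maldetect
intcnf="$inspath/internals/internals.conf"
libpath="$inspath/internals"
intfunc="$libpath/functions"

logdir="$inspath/logs"
confpath="$inspath"
cnffile="conf.maldet"
cnf="$confpath/$cnffile"
varlibpath="$inspath"
maldet_log="$logdir/event_log"
clamscan_log="$logdir/clamscan_log"
datestamp=$(date +"%y%m%d-%H%M")
utime=$(date +"%s")
user=$(whoami)

# $md5sum may legitimately carry an option ("/sbin/md5 -q" on FreeBSD), so it
# is deliberately expanded unquoted wherever it is executed below.
if [ "$OSTYPE" == "FreeBSD" ]; then
        md5sum="/sbin/md5 -q"
else
        md5sum=$(command -v md5sum)
fi

# per-host identifier: md5 of the hostid(1) output, or of 'uname -a' when
# hostid is not installed
hostid=$(command -v hostid)
if [ "$hostid" ]; then
        hostid=$("$hostid" | $md5sum | awk '{print $1}')
else
        hostid=$(uname -a | $md5sum | awk '{print $1}')
fi
storename_prefix="$hostid.$RANDOM"

# helper binaries; each variable is empty when the tool is not on $PATH and
# callers are expected to test for that before use
od=$(command -v od)
find=$(command -v find)
perl=$(command -v perl)
nice=$(command -v nice)
cpulimit=$(command -v cpulimit)
ionice=$(command -v ionice)
wc=$(command -v wc)
mail=$(command -v mail)
sendmail=$(command -v sendmail)
wget=$(command -v wget)
curl=$(command -v curl)
pidof=$(command -v pidof)
sed=$(command -v sed)
stat=$(command -v stat)
logger=$(command -v logger)
clamscan_extraopts=""
clamdscan_extraopts=""
clamdscan=$(command -v clamdscan)

ignore_paths="$confpath/ignore_paths"
ignore_sigs="$confpath/ignore_sigs"
ignore_inotify="$confpath/ignore_inotify"
ignore_file_ext="$confpath/ignore_file_ext"
quardir="$varlibpath/quarantine"
sessdir="$varlibpath/sess"
sigdir="$varlibpath/sigs"
cldir="$varlibpath/clean"
tmpdir="$inspath/tmp"
userbasedir="$varlibpath/pub"
hits_history="$sessdir/hits.hist"
quar_history="$sessdir/quarantine.hist"
clean_history="$sessdir/clean.hist"
suspend_history="$sessdir/suspend.hist"
monitor_scanned_history="$sessdir/monitor.scanned.hist"

# installed signature-set version, if a signature pack has been installed
sig_version_file="$sigdir/maldet.sigs.ver"
if [ -f "$sig_version_file" ]; then
        sig_version=$(<"$sig_version_file")
fi
sig_version_url="https://cdn.rfxn.com/downloads/maldet.sigs.ver"
sig_sigpack_url="https://cdn.rfxn.com/downloads/maldet-sigpack.tgz"
sig_clpack_url="https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz"

sig_md5_file="$sigdir/md5v2.dat"
sig_hex_file="$sigdir/hex.dat"
sig_yara_file="$sigdir/rfxn.yara"
sig_cav_hex_file="$sigdir/rfxn.ndb"
sig_cav_md5_file="$sigdir/rfxn.hdb"
sig_cust_md5_file="$sigdir/custom.md5.dat"
sig_cust_hex_file="$sigdir/custom.hex.dat"

# program version/update locations; the upstream hash file is what
# autoupdate_version_hashed compares the installed executable against
lmd_versionsion_file="$inspath/VERSION"
lmd_version="$ver"
lmd_referer="LMD:$ver:$hostid"
lmd_hash_file="$inspath/internals/VERSION.hash"
lmd_hash_url="https://cdn.rfxn.com/downloads/maldet.current.hash"
lmd_version_url="https://cdn.rfxn.com/downloads/maldet.current.ver"
lmd_current_tgzbase_url="https://cdn.rfxn.com/downloads"
lmd_current_tgzfile="maldetect-current.tar.gz"

# Public IP of this host, determined every time this file is sourced: taken
# from cPanel's mainip file when present, otherwise via an outbound DNS query
# to the OpenDNS resolver (i.e. network egress to a third party on each load).
dig=$(command -v dig)
nslookup=$(command -v nslookup)
if [ -f "/var/cpanel/mainip" ]; then
        remote_ip=$(</var/cpanel/mainip)
elif [ -f "$dig" ]; then
        remote_ip=$("$dig" +short +time=3 +retry=2 myip.opendns.com @resolver1.opendns.com)
elif [ -f "$nslookup" ]; then
        remote_ip=$("$nslookup" -sil -querytype=A myip.opendns.com resolver1.opendns.com | awk '/^Address: / { print $2 ; exit }')
fi
remote_uri_timeout="10"
remote_uri_retries="3"
clamav_paths="/usr/local/cpanel/3rdparty/share/clamav/ /var/lib/clamav/ /var/clamav/ /usr/share/clamav/ /usr/local/share/clamav"
tlog="$libpath/tlog"
inotify=$(command -v inotifywait)
inotify_log="$inspath/logs/inotify_log"
inotify_user_instances=128
inotify_trim=150000
hex_fifo_path="$varlibpath/internals/hexfifo"
hex_fifo_script="$libpath/hexfifo.pl"
hex_string_script="$libpath/hexstring.pl"
scan_user_access_minuid=30
find_opts="-regextype posix-egrep"
email_template="$libpath/scan.etpl"
email_subj="maldet alert from $(hostname)"
cron_custom_exec="$confpath/cron/custom.cron"
cron_custom_conf="$confpath/cron/conf.maldet.cron"
compatcnf="$libpath/compat.conf"

# FreeBSD: sed needs -E for extended regexes and its find lacks -regextype;
# like $md5sum, $sed therefore carries an option and must stay unquoted
# where it is executed
if [ "$OSTYPE" == "FreeBSD" ]; then
        sed="$sed -E"
        find_opts=""
fi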
