An Introduction to Maldet and ClamAV Malware Scanning

8 min read

IMPORTANT

Maldet and ClamAV installation requires that your server has at least 2GB of RAM.

Table of Contents

  1. Introduction
  2. Activation: Installing Maldet+ClamAV
  3. Change the Daily Scan Time
  4. Run a Scan Manually
  5. Malware Scanning Server Logs
  6. Viewing Your Logs
  7. Log Exclusions
  8. Automatic Quarantine (Use with Caution!)
  9. Report Malware to Maldet

Introduction

If you have a Panel or Developer account with GridPane, then you can get access to our integrated malware scanning solution: Maldet + ClamAV.

Maldet

Maldet is short for Linux Malware Detect. This is a software package that scans for malware on Linux systems and has been designed with hosting environments in mind. It’s been created to address threats in a shared hosting environment which, for our purposes, is vastly superior to regular anti-virus solutions that typically have a poor track record of detecting malware on the user account level.
For more information see: https://www.rfxn.com/projects/linux-malware-detect/

ClamAV®

ClamAV® is an open source (GPL) anti-virus engine used in a variety of situations including email scanning, web scanning, and end point security. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates.
Source: https://www.clamav.net/about

Maldet+ClamAV®

Maldet configures itself to use the ClamAV engine, and then scans your servers looking for signatures of thousands of instances of known malware, and then logging the results. It’s important to note that these are not malware cleaners and you will need to take care of any malware found. If malware is found on your server, please check out this guide and take action ASAP – ideally immediately:

Moving a Website that’s had a Malware Infection

Maldet and ClamAV to work together to do scans of your WordPress websites and deliver the results directly in your GridPane dashboard.

Activation: Installing Maldet+ClamAV

To install Maldet+ClamAV on your server, first connect over SSH – see the following articles to get started:

Run the following command:

gp stack maldet -install

The installation may take a few minutes to complete, and it will let you know if it can’t install due to a lack of RAM.

Once installed, Maldet runs a daily scan and will send dashboard notifications and slack alerts at the end of each scan.

Uninstall Maldet

If you ever want to uninstall Maldet in the future, run the following:

gp stack maldet -uninstall

Change the Daily Scan Time

Maldet runs as a part of our gpdailyworker. We set the gpdailyworker cron at a random time between midnight and 5AM (approx). This can be changed via the root crontab and you could change this to run at another time that’s more convenient for your server if it makes sense for your use case.

Warning: Proceed with Caution

Editing the root crontab incorrectly could have serious consequences for your server.

Step 1. Make a copy

Use the following command to display your crontab and then copy this (simply highlight it in most cases to copy) into a text doc for safe keeping.

crontab -l

Now you have a copy you can use for restore purposes just in case.

Editing the Crontab

You can open the crontab for editing with: 

crontab -e

Look for this line:

26 3 * * * /usr/local/bin/gpdailyworker >>/opt/gridpane/gpdailyworker.log

Edit the timing to suit your needs, just make sure it doesn’t overlap with other cronjobs. You can refer to crontab guru if you need help:

https://crontab.guru/

Save with CTRL+O and then Enter. Exit with CTRL+X.

Run a Scan Manually

To run a scan manually, this will scan all sites on your server:

gp site all-sites -maldet-scan

To scan a specific site you can run (replacing site.url for your website’s domain):

gp site site.url -maldet-scan -all

If you use any of the above commands manually it will also send a report to the dashboard/slack with the scan ID.

Malware Scanning Server Logs

Apart from giving notifications inside your account, all scan results are logged, and you can view these directly inside your server.

If Maldet finds an infection on the server, there will be a record in Maldet log files. This record will have both the website and location of the infection.

The Maldet scan report file is found here:

/opt/gridpane/maldet-all-sites-report.ids

While the more detailed log file is found here:

/opt/gridpane/maldet-all-sites-scan.log

You can also view general scan data with the following:

cat /usr/local/maldetect/logs/event_log

Viewing Your Logs

If you’ve received a notification that malware has been scanned, you can view your logs directly inside your server as detailed below.

Step 1. SSH into your server

Please see the guides above to get started.

Step 2. Open the report log

There’s a couple of ways you can view your scan data. One is to view an overview of the scan reports as follows:

cat /opt/gridpane/maldet-all-sites-report.ids

Here you will a list of all report data that looks like this:

....
Dec 01 04:18:13 server-name-here maldet(8501): {scan} scan report saved, to view run: maldet --report 201201-0402.8501
Dec 02 04:18:01 server-name-here maldet(23409): {scan} scan report saved, to view run: maldet --report 201202-0402.23409
Dec 03 04:17:11 server-name-here maldet(20418): {scan} scan report saved, to view run: maldet --report 201203-0402.20418
Dec 04 04:17:16 server-name-here maldet(22121): {scan} scan report saved, to view run: maldet --report 201204-0402.22121
Dec 05 04:16:57 server-name-here maldet(30020): {scan} scan report saved, to view run: maldet --report 201205-0402.30020

At the end of each line the log gives you the command to run view that scans data. In the example above, this would be as follows:

maldet --report 201205-0402.30020

Alternatively, you can view ALL scan data with he following command (Side note – PuTTY doesn’t handle displaying large amounts of data like this very well):

cat /opt/gridpane/maldet-all-sites-scan.log

Step 3. Assess the Report

If malware has been detected, your report will look something like this:

HOST: server-name-here
SCAN ID: 201204-0324.8335
STARTED: Dec 5 2020 04:06:59 +0000
COMPLETED: Dec 5 2020 04:17:54 +0000
ELAPSED: 5155s [find: 16s]

PATH:
RANGE: 1 days
TOTAL FILES: 431438
TOTAL HITS: 2
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 201204-0324.8335

FILE HIT LIST:
{HEX}php.gzbase64.inject.452 : /var/www/yourwebsite.com/htdocs/wp-content/updraft/backup_2020-11-29-0105_Example_Name_48gfdce5d14f351-db.gz
{HEX}php.gzbase64.inject.452 : /home/system-user-name/sites/yourwebsite.com/htdocs/wp-content/updraft/backup_2020-11-29-0105_Example_Name_48gfdce5d14f351-$
===============================================
Linux Malware Detect v1.6.4 < [email protected] >

Here we can see that it’s flagged two specific files.

How you proceed from this point onwards will depend on the type of infection, but typically it’s always best to consult a professional who specializes in malware cleanup (Thomas Raef from wewatchyourwebsite.com is an excellent choice, and he regularly contributes in the Facebook group and has written for us here in the KB) so that you can assess where the breach came from and prevent it from happening again in the future. 

As noted in the introduction, please also check out the following guide:

Moving a Website that’s had a Malware Infection

6G and 7G WAF Logs False Positives

Maldet may sometimes incorrectly flag the 6g.log or 7g.log as malware. For example:

FILE HIT LIST:
{YARA}eval_post : /home/sytem-user-name/sites/website.com/logs/6g.log
{YARA}eval_post : /var/www/website.com/logs/6g.log

Log Exclusions

Maldet does have some ability to ignore certain file types or directories, and if you’re getting false positives from your logs you can take measures to exclude them.

Unfortunately, these are not granular enough for us to be comfortable excluding them by default.

There are two options, one is to set them to ignore all .log files, and the other is to have it ignore the /logs directory in the site directory.

Since the log directory is in the userspace we are not comfortable defaulting to having the malware scanning avoid this directory as the PHP user has access to it and if a vulnerable plugin was compromised then this would be a directory where compromised files could reside.

However, if you would like to exclude the log directory locations, you can do so by following the 2 steps below.

Step 1. SSH into your Server

Please see the guides listed above to get started.

Step 2. Add the exclusion

Run the following command to open up the file we need to edit:

nano /usr/local/maldetect/ignore_paths

Next, add the following two lines to the file:

/home/.*/sites/.*/logs
/var/www/.*/logs/

Finally, save the file with CTRL+O and then Enter, and then exit nano with CTRL+X.

Your exclusion is now in place.

Automatic Quarantine

GridPane intentionally leaves the default behavior of Maldet, which means alerts are active, but not quarantining suspicious files automatically is not. This is due to the potential repercussions of quarantining a false positive, which could potentially take your whole website offline.

If you still want to go ahead and activate automatic quarantine, you can do so by editing the Maldet config file which is located here: ​

/usr/local/maldetect/conf.maldet

Edit the file with nano and then change the value of quarantine_hits to 1.

For more information on Maldet, please check the following manual:
https://www.rfxn.com/appdocs/README.maldetect

Report Malware to Maldet

If you’ve found Malware that the Maldet scan has missed, you can reported this to Maldet to rfxn.com for review & hashing into signatures.

To do this, use the following command:

maldet -c path/to/file

For example:

maldet -c /var/www/example.com/htdocs/wp-content/plugins/plugin-name/dodgyaf.php