Malware akhir-akhir ini semakin menjadi-jadi dan cukup merepotkan khususnya bagi anda penyedia layanan hosting. Sejauh pengalaman saya, kebanyakan malware masuk dari CMS WordPress. Entah karena client menggunakan template yang abal-abal atau plugins-plugins yang asal install saja.  Geram dengan malware ini, akhirnya saya coba menerapkan Linux Malware Detect (LMD) untuk membantu saya monitoring file-file malware yang ada di server.

Linux Malware Detect adalah aplikasi yang dipakai untuk mencari malware di dalam server anda, hebatnya lagi aplikasi ini sudah dapat di integrasikan dengan ClamAV. Fitur yang ada pada aplikasi ini adalah :

– MD5 file hash detection for quick threat identification
– HEX based pattern matching for identifying threat variants
– statistical analysis component for detection of obfuscated threats (e.g: base64)
– integrated detection of ClamAV to use as scanner engine for improved performance
– integrated signature update feature with -u|–update
– integrated version update feature with -d|–update-ver
– scan-recent option to scan only files that have been added/changed in X days
– scan-all option for full path based scanning
– checkout option to upload suspected malware to rfxn.com for review / hashing
– full reporting system to view current and previous scan results
– quarantine queue that stores threats in a safe fashion with no permissions
– quarantine batching option to quarantine the results of a current or past scans
– quarantine restore option to restore files to original path, owner and perms
– quarantine suspend account option to Cpanel suspend or shell revoke users
– cleaner rules to attempt removal of malware injected strings
– cleaner batching option to attempt cleaning of previous scan reports
– cleaner rules to remove base64 and gzinflate(base64 injected malware
– daily cron based scanning of all changes in last 24h in user homedirs
– daily cron script compatible with stock RH style systems, Cpanel & Ensim
– kernel based inotify real time file scanning of created/modified/moved files
– kernel inotify monitor that can take path data from STDIN or FILE
– kernel inotify monitor convenience feature to monitor system users
– kernel inotify monitor can be restricted to a configurable user html root
– kernel inotify monitor with dynamic sysctl limits for optimal performance
– kernel inotify alerting through daily and/or optional weekly reports
– e-mail alert reporting after every scan execution (manual & daily)
– path, extension and signature based ignore options
– background scanner option for unattended scan operations
– verbose logging & output of all actions

Pada versi 1.4.1 LMD dapat mengenali
KNOWN MALWARE: 1029
% AV DETECT (AVG): 48
% AV DETECT (LOW): 58
% AV DETECT (HIGH): 80
UNKNOWN MALWARE: 4364

Contoh malware yang dikenali seperti
base64.inject.unclassed bin.dccserv.irsexxy bin.fakeproc.Xnuxer
bin.ircbot.nbot bin.ircbot.php3 bin.ircbot.unclassed
bin.pktflood.ABC123 bin.pktflood.osf bin.trojan.linuxsmalli
c.ircbot.tsunami exp.linux.rstb exp.linux.unclassed
exp.setuid0.unclassed gzbase64.inject html.phishing.auc61
html.phishing.hsbc perl.connback.DataCha0s perl.connback.N2
perl.cpanel.cpwrap perl.mailer.yellsoft perl.ircbot.atrixteam
perl.ircbot.bRuNo perl.ircbot.Clx perl.ircbot.devil
perl.ircbot.fx29 perl.ircbot.magnum perl.ircbot.oldwolf
perl.ircbot.putr4XtReme perl.ircbot.rafflesia perl.ircbot.UberCracker
perl.ircbot.xdh perl.ircbot.xscan perl.shell.cbLorD
perl.shell.cgitelnet php.cmdshell.c100 php.cmdshell.c99
php.cmdshell.cih php.cmdshell.egyspider php.cmdshell.fx29
php.cmdshell.ItsmYarD php.cmdshell.Ketemu php.cmdshell.N3tshell
php.cmdshell.r57 php.cmdshell.unclassed php.defash.buno
php.exe.globals php.include.remote php.ircbot.InsideTeam
php.ircbot.lolwut php.ircbot.sniper php.ircbot.vj_denie
php.mailer.10hack php.mailer.bombam php.mailer.PostMan
php.phishing.AliKay php.phishing.mrbrain php.phishing.ReZulT
php.pktflood.oey php.shell.rc99 php.shell.shellcomm

Installasi LMD


root@server-orang [/backup]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--03:00:31--  http://www.rfxn.com/downloads/maldetect-current.tar.gz
=> `maldetect-current.tar.gz'
Resolving www.rfxn.com... 174.36.214.91
Connecting to www.rfxn.com|174.36.214.91|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 793,126 (775K) [application/x-gzip]

100%[====================================>] 793,126        1.38M/s

03:00:32 (1.38 MB/s) - `maldetect-current.tar.gz' saved [793126/793126]

root@server-orang  [/backup]# tar -zxvf maldetect-current.tar.gz
maldetect-1.4.1/
maldetect-1.4.1/README
maldetect-1.4.1/files/
maldetect-1.4.1/files/quarantine/
maldetect-1.4.1/files/ignore_sigs
maldetect-1.4.1/files/inotify/
maldetect-1.4.1/files/inotify/libinotifytools.so.0
maldetect-1.4.1/files/inotify/tlog
maldetect-1.4.1/files/inotify/inotifywait
maldetect-1.4.1/files/clean/
maldetect-1.4.1/files/clean/gzbase64.inject.unclassed
maldetect-1.4.1/files/clean/base64.inject.unclassed
maldetect-1.4.1/files/maldet
maldetect-1.4.1/files/VERSION.hash
maldetect-1.4.1/files/tmp/
maldetect-1.4.1/files/ignore_paths
maldetect-1.4.1/files/modsec.sh
maldetect-1.4.1/files/sess/
maldetect-1.4.1/files/hexstring.pl
maldetect-1.4.1/files/internals.conf
maldetect-1.4.1/files/ignore_inotify
maldetect-1.4.1/files/pub/
maldetect-1.4.1/files/ignore_file_ext
maldetect-1.4.1/files/sigs/
maldetect-1.4.1/files/sigs/hex.dat
maldetect-1.4.1/files/sigs/maldet.sigs.ver
maldetect-1.4.1/files/sigs/rfxn.hdb
maldetect-1.4.1/files/sigs/rfxn.ndb
maldetect-1.4.1/files/sigs/md5.dat
maldetect-1.4.1/files/hexfifo.pl
maldetect-1.4.1/files/conf.maldet
maldetect-1.4.1/.ca.def
maldetect-1.4.1/cron.d.pub
maldetect-1.4.1/CHANGELOG
maldetect-1.4.1/install.sh
maldetect-1.4.1/COPYING.GPL
maldetect-1.4.1/cron.daily
root@server-orang [/backup]# cd maldetect-1.4.1/
rroot@server-orang [/backup/maldetect-1.4.1]# ls
./   .ca.def    COPYING.GPL  cron.d.pub  install.sh*
../  CHANGELOG  cron.daily*  files/      README
root@gudeg [/backup/maldetect-1.4.1]# ./install.sh
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(28813): {sigup} performing signature update check...
maldet(28813): {sigup} local signature set is version 2011122411659
maldet(28813): {sigup} latest signature set already installed
root@server-orang [/backup/maldetect-1.4.1]#

Scanning manual dapat dilakukan dengan command :


maldet -a /home/user/public_html

Konfigurasi aplikasi ini dapat di lihat di /usr/local/maldetect/conf.maldet

Saya pribadi mengkonfigurasi aplikasi ini untuk outclean dan quarantine, semua hasil scan yang dijalankan cron  juga saya konfig agar terkirim via email sebagai report. Untuk details tentang aplikasi ini dapat dilihat di web vendor : http://www.rfxn.com/projects/linux-malware-detect/