Malware has been getting out of hand lately and is a real nuisance, especially if you run a hosting service. In my experience most of it comes in through the WordPress CMS, either because the client uses a dodgy (nulled) theme or installs plugins without a second thought. Fed up with it, I tried deploying Linux Malware Detect (LMD) to help me keep an eye on the malware files sitting on the server.
Linux Malware Detect is a tool for finding malware on your server; better still, it can use ClamAV as its scanning engine. Its features are:
– MD5 file hash detection for quick threat identification
– HEX based pattern matching for identifying threat variants
– statistical analysis component for detection of obfuscated threats (e.g: base64)
– integrated detection of ClamAV to use as scanner engine for improved performance
– integrated signature update feature with -u|--update
– integrated version update feature with -d|--update-ver
– scan-recent option to scan only files that have been added/changed in X days
– scan-all option for full path based scanning
– checkout option to upload suspected malware to rfxn.com for review / hashing
– full reporting system to view current and previous scan results
– quarantine queue that stores threats in a safe fashion with no permissions
– quarantine batching option to quarantine the results of a current or past scans
– quarantine restore option to restore files to original path, owner and perms
– quarantine suspend account option to Cpanel suspend or shell revoke users
– cleaner rules to attempt removal of malware injected strings
– cleaner batching option to attempt cleaning of previous scan reports
– cleaner rules to remove base64 and gzinflate(base64) injected malware
– daily cron based scanning of all changes in last 24h in user homedirs
– daily cron script compatible with stock RH style systems, Cpanel & Ensim
– kernel based inotify real time file scanning of created/modified/moved files
– kernel inotify monitor that can take path data from STDIN or FILE
– kernel inotify monitor convenience feature to monitor system users
– kernel inotify monitor can be restricted to a configurable user html root
– kernel inotify monitor with dynamic sysctl limits for optimal performance
– kernel inotify alerting through daily and/or optional weekly reports
– e-mail alert reporting after every scan execution (manual & daily)
– path, extension and signature based ignore options
– background scanner option for unattended scan operations
– verbose logging & output of all actions
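To make the first three features concrete, here is an added example (not LMD's own code) of a toy scanner that mimics its three detection methods, an MD5 hash list, a string/hex pattern match and a statistical check for long base64 blobs, together with a "scan-recent" walk over files changed in the last N days. The signature list and the four sample PHP files are constructed here for illustration and are not entries from LMD's md5.dat or hex.dat.

```shell
#!/bin/sh
# Added example, not LMD's own code: a toy scanner showing the three
# detection methods from the feature list plus the scan-recent idea.
# Sample files and the "signature" below are constructed for illustration.
set -u

TMP=$(mktemp -d)

md5_of() {
    # coreutils md5sum on Linux, md5 -q on BSD/macOS
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# --- constructed sample web root -------------------------------------------
mkdir -p "$TMP/public_html/wp-content/uploads"
# 1. a "known" file: its hash goes into the list below, as md5.dat would
printf '<?php /* constructed sample standing in for a known webshell */\n' \
    > "$TMP/public_html/wp-content/uploads/known.php"
# 2. an injected variant: different bytes, so the hash misses
printf '<?php eval(base64_decode("aGVsbG8="));\n' \
    > "$TMP/public_html/wp-content/uploads/variant.php"
# 3. an obfuscated blob with no recognizable wrapper, only a long base64 run
printf '<?php $x="%s";\n' "$(printf '%0400d' 0)" \
    > "$TMP/public_html/wp-content/uploads/blob.php"
# 4. a clean file
printf '<?php echo "hello";\n' > "$TMP/public_html/index.php"

# Hypothetical stand-in for files/sigs/md5.dat: one hash per line.
KNOWN_BAD_MD5=$(md5_of "$TMP/public_html/wp-content/uploads/known.php")

# --- the three checks ------------------------------------------------------
# Method 1: exact hash match. Fast, but any byte change defeats it.
md5_hit()  { printf '%s\n' "$KNOWN_BAD_MD5" | grep -qx "$(md5_of "$1")"; }

# Method 2: string pattern for the injection idioms the cleaner rules
# target (base64 and gzinflate(base64) payload wrappers).
hex_hit()  { grep -Eq '(eval|gzinflate)[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' "$1"; }

# Method 3: statistical check. A run of 200+ base64 characters is rare in
# hand-written PHP and worth flagging even when no signature matches.
stat_hit() { grep -Eq '[A-Za-z0-9+/]{200,}={0,2}' "$1"; }

# One verdict per file, cheapest check first, as a scanner would do it.
classify() {
    if md5_hit "$1";    then echo md5
    elif hex_hit "$1";  then echo hex
    elif stat_hit "$1"; then echo stat
    else echo clean
    fi
}

# Equivalent of "scan-recent": only PHP files changed in the last DAYS days.
scan_recent() {
    find "$1" -type f -mtime "-$2" -name '*.php' | sort | while read -r f; do
        printf '%s %s\n' "$(classify "$f")" "$f"
    done
}

# Number of non-clean files, e.g. to decide whether an alert mail is due.
hit_count() { scan_recent "$1" "$2" | grep -cv '^clean '; }

scan_recent "$TMP/public_html" 1
echo "hits: $(hit_count "$TMP/public_html" 1)"
```

The point of running the checks in that order is the one LMD's feature list makes: the hash catches the exact known file, the pattern catches variants of it, and the statistical check catches obfuscated payloads neither of the first two knows about, at the cost of more false positives, which is why LMD keeps those in a quarantine queue rather than deleting them outright.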
As of version 1.4.1, LMD's signature statistics are:
KNOWN MALWARE: 1029
% AV DETECT (AVG): 48
% AV DETECT (LOW): 58
% AV DETECT (HIGH): 80
UNKNOWN MALWARE: 4364
Examples of the malware it recognises include:
base64.inject.unclassed bin.dccserv.irsexxy bin.fakeproc.Xnuxer
bin.ircbot.nbot bin.ircbot.php3 bin.ircbot.unclassed
bin.pktflood.ABC123 bin.pktflood.osf bin.trojan.linuxsmalli
c.ircbot.tsunami exp.linux.rstb exp.linux.unclassed
exp.setuid0.unclassed gzbase64.inject html.phishing.auc61
html.phishing.hsbc perl.connback.DataCha0s perl.connback.N2
perl.cpanel.cpwrap perl.mailer.yellsoft perl.ircbot.atrixteam
perl.ircbot.bRuNo perl.ircbot.Clx perl.ircbot.devil
perl.ircbot.fx29 perl.ircbot.magnum perl.ircbot.oldwolf
perl.ircbot.putr4XtReme perl.ircbot.rafflesia perl.ircbot.UberCracker
perl.ircbot.xdh perl.ircbot.xscan perl.shell.cbLorD
perl.shell.cgitelnet php.cmdshell.c100 php.cmdshell.c99
php.cmdshell.cih php.cmdshell.egyspider php.cmdshell.fx29
php.cmdshell.ItsmYarD php.cmdshell.Ketemu php.cmdshell.N3tshell
php.cmdshell.r57 php.cmdshell.unclassed php.defash.buno
php.exe.globals php.include.remote php.ircbot.InsideTeam
php.ircbot.lolwut php.ircbot.sniper php.ircbot.vj_denie
php.mailer.10hack php.mailer.bombam php.mailer.PostMan
php.phishing.AliKay php.phishing.mrbrain php.phishing.ReZulT
php.pktflood.oey php.shell.rc99 php.shell.shellcomm
Installing LMD
Note that the tarball is fetched over plain HTTP, and install.sh runs as root and drops a daily cron job into /etc/cron.daily, so do this from a host whose network path you trust.
root@server-orang [/backup]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--03:00:31-- http://www.rfxn.com/downloads/maldetect-current.tar.gz
=> `maldetect-current.tar.gz'
Resolving www.rfxn.com... 174.36.214.91
Connecting to www.rfxn.com|174.36.214.91|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 793,126 (775K) [application/x-gzip]
100%[====================================>] 793,126 1.38M/s
03:00:32 (1.38 MB/s) - `maldetect-current.tar.gz' saved [793126/793126]
root@server-orang [/backup]# tar -zxvf maldetect-current.tar.gz
maldetect-1.4.1/
maldetect-1.4.1/README
maldetect-1.4.1/files/
maldetect-1.4.1/files/quarantine/
maldetect-1.4.1/files/ignore_sigs
maldetect-1.4.1/files/inotify/
maldetect-1.4.1/files/inotify/libinotifytools.so.0
maldetect-1.4.1/files/inotify/tlog
maldetect-1.4.1/files/inotify/inotifywait
maldetect-1.4.1/files/clean/
maldetect-1.4.1/files/clean/gzbase64.inject.unclassed
maldetect-1.4.1/files/clean/base64.inject.unclassed
maldetect-1.4.1/files/maldet
maldetect-1.4.1/files/VERSION.hash
maldetect-1.4.1/files/tmp/
maldetect-1.4.1/files/ignore_paths
maldetect-1.4.1/files/modsec.sh
maldetect-1.4.1/files/sess/
maldetect-1.4.1/files/hexstring.pl
maldetect-1.4.1/files/internals.conf
maldetect-1.4.1/files/ignore_inotify
maldetect-1.4.1/files/pub/
maldetect-1.4.1/files/ignore_file_ext
maldetect-1.4.1/files/sigs/
maldetect-1.4.1/files/sigs/hex.dat
maldetect-1.4.1/files/sigs/maldet.sigs.ver
maldetect-1.4.1/files/sigs/rfxn.hdb
maldetect-1.4.1/files/sigs/rfxn.ndb
maldetect-1.4.1/files/sigs/md5.dat
maldetect-1.4.1/files/hexfifo.pl
maldetect-1.4.1/files/conf.maldet
maldetect-1.4.1/.ca.def
maldetect-1.4.1/cron.d.pub
maldetect-1.4.1/CHANGELOG
maldetect-1.4.1/install.sh
maldetect-1.4.1/COPYING.GPL
maldetect-1.4.1/cron.daily
root@server-orang [/backup]# cd maldetect-1.4.1/
root@server-orang [/backup/maldetect-1.4.1]# ls
./ .ca.def COPYING.GPL cron.d.pub install.sh* ../ CHANGELOG cron.daily* files/ README
root@gudeg [/backup/maldetect-1.4.1]# ./install.sh
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(28813): {sigup} performing signature update check...
maldet(28813): {sigup} local signature set is version 2011122411659
maldet(28813): {sigup} latest signature set already installed
root@server-orang [/backup/maldetect-1.4.1]#
A manual scan (the scan-all option) can be run with:
maldet -a /home/user/public_html
The configuration lives in /usr/local/maldetect/conf.maldet
Personally I configure it to clean and quarantine, and I also have every scan the cron job runs send its results to me by e-mail as a report. For details on the tool see the vendor's site: http://www.rfxn.com/projects/linux-malware-detect/
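The clean, quarantine and e-mail settings mentioned above are plain KEY=VALUE lines in conf.maldet. Below is an added example, not code from the original post or from the LMD project, that flips them from the shipped defaults (report only, nothing quarantined) to the posture described above. It works on a constructed copy of the relevant lines so it runs anywhere; the key names (quar_hits, quar_clean, quar_susp, email_alert, email_addr) are the 1.4.x ones, and the hostmaster@example.com address is an assumption, so compare against your own conf.maldet before applying this to /usr/local/maldetect/conf.maldet.

```shell
#!/bin/sh
# Added example, not from the original post or from LMD: switch the
# conf.maldet options the post mentions (quarantine, clean, e-mail report)
# from their defaults, applied to a constructed copy of the file.
set -u
CONF=$(mktemp)

# Constructed stand-in for the relevant lines of a stock conf.maldet.
# These are the weak defaults: LMD only reports, nothing is quarantined.
cat > "$CONF" <<'EOF'
# Enable Email Alerting (0 = disabled, 1 = enabled)
email_alert=0
# Email Address in which you want to receive scan reports
email_addr="you@domain.com"
# Quarantine malicious files (0 = disabled, 1 = enabled)
quar_hits=0
# Clean string based malware injections (0 = disabled, 1 = enabled)
quar_clean=0
# Suspend user if malware found (0 = disabled, 1 = enabled)
quar_susp=0
EOF

# set_opt FILE KEY VALUE: replace the value of KEY=... in place, keeping comments.
set_opt() {
    sed -i.bak "s|^$2=.*|$2=$3|" "$1" && rm -f "$1.bak"
}

# get_opt FILE KEY: read the current value back (surrounding quotes stripped).
get_opt() {
    sed -n "s|^$2=\(.*\)|\1|p" "$1" | tr -d '"'
}

# harden FILE ADDRESS: the posture described in the post.
harden() {
    set_opt "$1" quar_hits 1          # move hits into the quarantine queue
    set_opt "$1" quar_clean 1         # run the base64/gzinflate cleaner rules
    set_opt "$1" email_alert 1        # mail a report after every scan
    set_opt "$1" email_addr "\"$2\""  # where the cron reports go
    # quar_susp stays 0: suspending a cPanel account on a false positive
    # takes a customer site offline, so decide that per hit, not globally.
}

harden "$CONF" "hostmaster@example.com"   # assumed address, for illustration
cat "$CONF"

# On a real install the feature-list options then apply, e.g.:
#   maldet -r /home/?/public_html 2   # scan files changed in the last 2 days
#   maldet -a /home/user/public_html  # full scan, as in the post
#   maldet -q SCANID                  # quarantine every hit from a past scan
#   maldet -s FILE                    # restore a false positive from quarantine
```

Quarantine rather than delete is the safer default because the statistical detector will occasionally flag a legitimate minified or base64-embedded asset; the restore option puts such a file back with its original path, owner and permissions.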
MAN 2 Bekasi
Wow, a nice tutorial, even if it's fairly complicated.
Regards…
jiem
Once you've tried it, it's definitely easier, mas 🙂