IMPORTANT
Maldet and ClamAV installation requires that your server has at least 2GB of RAM.
Introduction
If you have a Panel or Developer account with vCanopy, then you can get access to our integrated malware scanning solution: Maldet + ClamAV.
MALDET
Maldet is short for Linux Malware Detect. This is a software package that scans for malware on Linux systems and has been designed with hosting environments in mind. It’s been created to address threats in a shared hosting environment which, for our purposes, is vastly superior to regular anti-virus solutions that typically have a poor track record of detecting malware on the user account level.
For more information see: https://www.rfxn.com/projects/linux-malware-detect/
CLAMAV®
ClamAV® is an open source (GPL) anti-virus engine used in a variety of situations including email scanning, web scanning, and end point security. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates.
Source: https://www.clamav.net/about
MALDET+CLAMAV®
Maldet configures itself to use the ClamAV engine, and then scans your servers looking for signatures of thousands of instances of known malware, and then logging the results. It’s important to note that these are not malware cleaners and you will need to take care of any malware found. If malware is found on your server, please check out this guide and take action ASAP – ideally immediately:
Moving a Website that’s had a Malware Infection
Maldet and ClamAV to work together to do scans of your WordPress websites and deliver the results directly in your vCanopy dashboard.
Activation: Installing Maldet+ClamAV
To install Maldet+ClamAV on your server, first connect over SSH – see the following articles to get started:
Step 1. Generate your SSH Key
Step 2. Add your SSH Key to vCanopy (also see Add default SSH Keys)
Step 3. Connect to your server by SSH as Root user (we like and use Termius)
Run the following command:
gp stack maldet -install
The installation may take a few minutes to complete, and it will let you know if it can’t install due to a lack of RAM.
Once installed, Maldet runs a daily scan and will send dashboard notifications and slack alerts at the end of each scan.
UNINSTALL MALDET
If you ever want to uninstall Maldet in the future, run the following:
gp stack maldet -uninstall
Change the Daily Scan Time
Maldet runs as a part of our gpdailyworker. We set the gpdailyworker cron at a random time between midnight and 5AM (approx). This can be changed via the root crontab and you could change this to run at another time that’s more convenient for your server if it makes sense for your use case.
WARNING: PROCEED WITH CAUTION
Editing the root crontab incorrectly could have serious consequences for your server.
STEP 1. MAKE A COPY
Use the following command to display your crontab and then copy this (simply highlight it in most cases to copy) into a text doc for safe keeping.
crontab -l
Now you have a copy you can use for restore purposes just in case.
EDITING THE CRONTAB
You can open the crontab for editing with:
crontab -e
Look for this line:
26 3 * * * /usr/local/bin/gpdailyworker >>/opt/vCanopy/gpdailyworker.log
Edit the timing to suit your needs, just make sure it doesn’t overlap with other cronjobs. You can refer to crontab guru if you need help:
Save with CTRL+O and then Enter. Exit with CTRL+X.
Run a Scan Manually
To run a scan manually, this will scan all sites on your server:
gp site all-sites -maldet-scan
To scan a specific site you can run (replacing site.url for your website’s domain):
gp site site.url -maldet-scan -all
If you use any of the above commands manually it will also send a report to the dashboard/slack with the scan ID.
Malware Scanning Server Logs
Apart from giving notifications inside your account, all scan results are logged, and you can view these directly inside your server.
If Maldet finds an infection on the server, there will be a record in Maldet log files. This record will have both the website and location of the infection.
The Maldet scan report file is found here:
/opt/vCanopy/maldet-all-sites-report.ids
While the more detailed log file is found here:
/opt/vCanopy/maldet-all-sites-scan.log
You can also view general scan data with the following:
cat /usr/local/maldetect/logs/event_log
Viewing Your Logs
If you’ve received a notification that malware has been scanned, you can view your logs directly inside your server as detailed below.
STEP 1. SSH INTO YOUR SERVER
Please see the guides above to get started.
STEP 2. OPEN THE REPORT LOG
There’s a couple of ways you can view your scan data. One is to view an overview of the scan reports as follows:
cat /opt/vCanopy/maldet-all-sites-report.ids
Here you will a list of all report data that looks like this:
....
Dec 01 04:18:13 server-name-here maldet(8501): {scan} scan report saved, to view run: maldet --report 201201-0402.8501
Dec 02 04:18:01 server-name-here maldet(23409): {scan} scan report saved, to view run: maldet --report 201202-0402.23409
Dec 03 04:17:11 server-name-here maldet(20418): {scan} scan report saved, to view run: maldet --report 201203-0402.20418
Dec 04 04:17:16 server-name-here maldet(22121): {scan} scan report saved, to view run: maldet --report 201204-0402.22121
Dec 05 04:16:57 server-name-here maldet(30020): {scan} scan report saved, to view run: maldet --report 201205-0402.30020At the end of each line the log gives you the command to run view that scans data. In the example above, this would be as follows:
maldet --report 201205-0402.30020
Alternatively, you can view ALL scan data with he following command (Side note – PuTTY doesn’t handle displaying large amounts of data like this very well):
cat /opt/vCanopy/maldet-all-sites-scan.log
STEP 3. ASSESS THE REPORT
If malware has been detected, your report will look something like this:
HOST: server-name-here
SCAN ID: 201204-0324.8335
STARTED: Dec 5 2020 04:06:59 +0000
COMPLETED: Dec 5 2020 04:17:54 +0000
ELAPSED: 5155s [find: 16s]
PATH:
RANGE: 1 days
TOTAL FILES: 431438
TOTAL HITS: 2
TOTAL CLEANED: 0
WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 201204-0324.8335
FILE HIT LIST:
{HEX}php.gzbase64.inject.452 : /var/www/yourwebsite.com/htdocs/wp-content/updraft/backup_2020-11-29-0105_Example_Name_48gfdce5d14f351-db.gz
{HEX}php.gzbase64.inject.452 : /home/system-user-name/sites/yourwebsite.com/htdocs/wp-content/updraft/backup_2020-11-29-0105_Example_Name_48gfdce5d14f351-$
===============================================
Linux Malware Detect v1.6.4 < [email protected] >Here we can see that it’s flagged two specific files.
How you proceed from this point onwards will depend on the type of infection, but typically it’s always best to consult a professional who specializes in malware cleanup (Thomas Raef from wewatchyourwebsite.com is an excellent choice, and he regularly contributes in the Facebook group and has written for us here in the KB) so that you can assess where the breach came from and prevent it from happening again in the future.
As noted in the introduction, please also check out the following guide:
Maldet may sometimes incorrectly flag the 6g.log or 7g.log as malware. For example:
Editing the root crontab incorrectly could have serious consequences for your server.
FILE HIT LIST:
{YARA}eval_post : /home/sytem-user-name/sites/website.com/logs/6g.log
{YARA}eval_post : /var/www/website.com/logs/6g.log
Log Exclusions
Maldet does have some ability to ignore certain file types or directories, and if you’re getting false positives from your logs you can take measures to exclude them.
Unfortunately, these are not granular enough for us to be comfortable excluding them by default.
There are two options, one is to set them to ignore all .log files, and the other is to have it ignore the /logs directory in the site directory.
Since the log directory is in the userspace we are not comfortable defaulting to having the malware scanning avoid this directory as the PHP user has access to it and if a vulnerable plugin was compromised then this would be a directory where compromised files could reside.
However, if you would like to exclude the log directory locations, you can do so by following the 2 steps below.
STEP 1. SSH INTO YOUR SERVER
Please see the guides listed above to get started.
STEP 2. ADD THE EXCLUSION
Run the following command to open up the file we need to edit:
nano /usr/local/maldetect/ignore_paths
Next, add the following two lines to the file:
/home/.*/sites/.*/logs
/var/www/.*/logs/
Finally, save the file with CTRL+O and then Enter, and then exit nano with CTRL+X.
Your exclusion is now in place.
Automatic Quarantine
vCanopy intentionally leaves the default behavior of Maldet, which means alerts are active, but not quarantining suspicious files automatically is not. This is due to the potential repercussions of quarantining a false positive, which could potentially take your whole website offline.
If you still want to go ahead and activate automatic quarantine, you can do so by editing the Maldet config file which is located here:
/usr/local/maldetect/conf.maldet
Edit the file with nano and then change the value of quarantine_hits to 1.
For more information on Maldet, please check the following manual:
https://www.rfxn.com/appdocs/README.maldetect
Report Malware to Maldet
If you’ve found Malware that the Maldet scan has missed, you can reported this to Maldet to rfxn.com for review & hashing into signatures.
To do this, use the following command:
maldet -c path/to/file
For example:
maldet -c /var/www/example.com/htdocs/wp-content/plugins/plugin-name/dodgyaf.php