Linux Malware Detect, Debian, and Plesk

Package installation

The easiest way to install Linux Malware Detect is to use a package. Jan Wagner has put a lot of effort into debianising LMD, so a big shout out to him (his GitHub repo). I merely built the package from the repo.

So without further ado, here is the download.


Manual installation

Linux Malware Detect will not run out of the box in monitor mode (scan mode works fine) on a Debian system. There are a few things you need to do to get it working.

LMD comes with a 32-bit inotifywait binary and the associated libinotifytools library. Debian Wheezy will not run 32-bit binaries out of the box. We could make it run them, but that requires a whole lot of additional packages, which we won’t install in order to keep things tidy.
We’ll first need to install the inotify-tools and libinotifytools0 packages which will put 64-bit versions of inotify on the system.

apt-get install inotify-tools libinotifytools0

In internals.conf, change the inotifywait path to /usr/bin/inotifywait:

sed -i -e 's|\$inspath/inotify/inotifywait|/usr/bin/inotifywait|' /usr/local/maldetect/internals.conf

You may need to tweak inotify_base_watches if you have lots of paths/files.

Scanning the docroots

Now if you’re working with Plesk, you’ll only want LMD to monitor the docroots. Run the following to create a file with a list of all the docroots:

mysql -ss -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "select www_root from hosting;" > /usr/local/maldetect/maldetfilelist

You can then start LMD with:

maldet -m /usr/local/maldetect/maldetfilelist
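Before starting monitor mode it is worth vetting the generated list and checking the watch count that the inotify_base_watches remark above is about. The script below is an added example, not part of LMD or of the original post: it drops list entries that are not existing absolute directories, counts the directories a recursive watch would cover, and compares that with the kernel's fs.inotify.max_user_watches limit. The script name check_docroots.sh and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of LMD): vet a docroot list before `maldet -m`.

# clean_docroots LIST
# Print each usable entry once: an absolute path that exists as a directory.
# Everything else is reported on stderr and dropped.
clean_docroots() {
    sort -u "$1" | while IFS= read -r path; do
        case "$path" in
            '') continue ;;
            /*) ;;
            *)  echo "skip (not absolute): $path" >&2; continue ;;
        esac
        if [ -d "$path" ]; then
            printf '%s\n' "$path"
        else
            echo "skip (not a directory): $path" >&2
        fi
    done
}

# count_watches LIST
# Recursive inotify monitoring takes one watch per directory, so count the
# directories under every usable docroot (nested docroots are counted once).
count_watches() {
    clean_docroots "$1" 2>/dev/null | while IFS= read -r dir; do
        find "$dir" -type d 2>/dev/null
    done | sort -u | wc -l | tr -d ' '
}

# check_watch_budget LIST [LIMIT]
# Succeeds when the directory count fits under LIMIT; LIMIT defaults to the
# kernel's current per-user ceiling.
check_watch_budget() {
    limit=${2:-$(cat /proc/sys/fs/inotify/max_user_watches)}
    needed=$(count_watches "$1")
    echo "directories to watch: $needed (limit: $limit)"
    [ "$needed" -le "$limit" ]
}

# Run as: sh check_docroots.sh /usr/local/maldetect/maldetfilelist
if [ "$#" -ge 1 ]; then
    check_watch_budget "$@"
fi
```

A non-zero exit status means the docroots contain more directories than the limit allows, which is the case where the watch settings need raising.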