Linux Malware Detect, Debian, and Plesk

Package installation

The easiest way to install Linux Malware Detect is to use a package. Jan Wagner has put a lot of effort into debianising LMD, so a big shout out to him (his GitHub repo). I merely built the package from the repo.

So without further ado, here is the download.

maldetect_1.4.2+dfsg-13_all.deb

Manual installation

Linux Malware Detect will not run out of the box in monitor mode (scan mode works fine) on a Debian system. There are a few things you need to do to get it working.

LMD comes with a 32-bit inotifywait binary and the associated libinotifytools library. Debian Wheezy will not run 32-bit binaries out of the box. We could make it run them, but that needs a whole lot of additional packages, which we won’t install in order to keep things tidy.
Instead, we’ll first install the inotify-tools and libinotifytools0 packages, which put 64-bit versions of the inotify tools on the system.

apt-get install inotify-tools libinotifytools0

In internals.conf, change the inotifywait path to /usr/bin/inotifywait:

sed -i -e 's|\$inspath/inotify/inotifywait|/usr/bin/inotifywait|' /usr/local/maldetect/internals.conf

You may need to tweak inotify_base_watches if you have lots of paths/files.

Scanning the docroots

Now if you’re working with Plesk, you’ll only want LMD to monitor the docroots. Run the following to create a file with a list of all the docroots:

mysql -ss -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "select www_root from hosting;" > /usr/local/maldetect/maldetfilelist

You can then start LMD with:

maldet -m /usr/local/maldetect/maldetfilelist
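
Before starting the monitor, it helps to check the generated list: drop entries that are not existing absolute directories and count how many directories a recursive inotifywait would have to watch. This is an added example, not part of the original post or of LMD; the function names clean_docroots and count_watch_dirs are made up for illustration.

```shell
#!/bin/sh
# Added example (not from LMD): sanity-check the docroot list for maldet -m.
# clean_docroots and count_watch_dirs are hypothetical helper names.

# Default is the list file created by the mysql query above.
LIST="${1:-/usr/local/maldetect/maldetfilelist}"

# Print each usable entry once: an absolute path to an existing directory.
clean_docroots() {
    sort -u "$1" | while IFS= read -r dir; do
        case "$dir" in
            /*) ;;            # absolute path, keep checking
            *)  continue ;;   # empty line or relative path
        esac
        [ -d "$dir" ] || continue   # stale row: docroot no longer on disk
        printf '%s\n' "$dir"
    done
}

# Count the distinct directories below the usable docroots. inotifywait in
# recursive mode sets one watch per directory, so this is the number of
# watches a recursive monitor of the list needs.
count_watch_dirs() {
    clean_docroots "$1" | while IFS= read -r dir; do
        find "$dir" -xdev -type d 2>/dev/null
    done | sort -u | wc -l | tr -d ' '
}

# When run against a real list, show the demand next to the kernel limit.
if [ -r "$LIST" ]; then
    needed=$(count_watch_dirs "$LIST")
    limit=$(cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo unknown)
    echo "usable docroots:   $(clean_docroots "$LIST" | wc -l | tr -d ' ')"
    echo "directories below: $needed"
    echo "fs.inotify.max_user_watches: $limit"
fi
```

A directory count close to the kernel limit is the situation the inotify_base_watches remark above refers to.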