falco: monitor application behaviour

If you remember sysdig, it’s a highly useful utility to trace and profile a Linux system. The sysdig team has introduced a new utility – falco. falco extends sysdig to monitor behavioral activity on Linux and guard it against any anomalous activity in applications. While falco primarily targets containers, it works directly on Linux too. Continue reading falco: monitor application behaviour

Nikto2 & PatrolServer: check server vulnerabilities

security_compWe explored testssl earlier to keep your system safe from SSL vulnerabilities. But SSL is not the only package that might have security issues. If you care about your headless server you might want to have a solid resistance including as many packages as possible.
Continue reading Nikto2 & PatrolServer: check server vulnerabilities

Magento CMS users, beware of Linux ransomware!

A ransomware encrypts data on your system and asks for payment to decrypt them. They are existing for a while now. However, attacks on Linux haven’t been heard of. It seems that we have encountered the first registered ransomware attacking Linux systems (codenamed Linux.Encoder.1). Continue reading Magento CMS users, beware of Linux ransomware!

rkhunter: detect rootkits

medical_compRootkits are a kind of malicious software which typically enable access to unauthorized users to a computer. It’s quite difficult to detect a rootkit as it may be able to subvert the software that is intended to find it. rkhunter (Rootkit Hunter) is a Linux utility to detect rootkits (and other system problems). Continue reading rkhunter: detect rootkits

Sophos Antivirus Basic for Linux

Linux is considered to be a very secure OS in general. However, attacks mechanisms are on the rise and nothing is so secure anymore. Having a firewall configured and antivirus protection enabled is more of a necessity on all systems. Linux has its share of strong antivirus solutions and Sophos Antivirus has joined the list with a free basic version. Continue reading Sophos Antivirus Basic for Linux

Linux Malware Detect: boost security

medical_compLinux has its own share of antivirus suites like Clam or AVG. But speaking of malware, the drawback from which these suites suffer is they concentrate primarily on OS level trojans, rootkits and traditional file-infecting viruses; user account level malwares are missed. The fact is, malware are on the rise.

Linux Malware Detect (LMD) is a project by R-fx Networks that aims at detecting and cleansing malware using information from several sources. The project was driven by the data on malware detection rate by 30 major antivirus products. They ran an analysis on these AV products with 5,393 core malware MD5 hashes. 81% remained undetected and there’s only 48% detection rate for the rest of the 19%!

LMD targets shared hosted environments where malware threats are more. It uses a signature based detection mechanism and receives its data from 4 sources:

  • Network Edge IPS: Daily abuse events on (over 35K) web servers logged by network edge IPS. The IPS events are processed to extract malware url’s, decode POST payload and base64/gzip encoded abuse data and finally that malware is retrieved, reviewed, classified and signatures generated.
  • Community Data: Data aggregated from community malware websites such as clean-mx and malwaredomainlist.
  • ClamAV: The HEX & MD5 detection signatures from ClamAV.
  • User Submission: LMD has a checkout feature that allows users to submit suspected malware for review.

LMD 1.4.0 has a total of 7,241 (5393 MD5 / 1848 HEX) signatures (before updates).

Features

  • MD5 file hash detection for quick threat identification
  • HEX based pattern matching for identifying threat variants
  • statistical analysis component for detection of obfuscated threats (e.g: base64)
  • integrated detection of ClamAV to use as scanner engine for improved performance
  • integrated signature update feature with -u|–update
  • integrated version update feature with -d|–update-ver
  • scan-recent option to scan only files that have been added/changed in X days
  • scan-all option for full path based scanning
  • checkout option to upload suspected malware to rfxn.com for review / hashing
  • full reporting system to view current and previous scan results
  • quarantine queue, batching, restore, suspend
  • cleaner rules to attempt removal of malware injected strings
  • cleaner batching option to attempt cleaning of previous scan reports
  • cleaner rules to remove base64 and gzinflate(base64 injected malware
  • daily cron based scanning of all changes in last 24h in user homedirs
  • daily cron script compatible with stock RH style systems, Cpanel & Ensim
  • kernel based inotify real time file scanning of created/modified/moved files
  • kernel inotify monitor that can take path data from STDIN or FILE
  • kernel inotify monitor convenience feature to monitor system users
  • kernel inotify monitor can be restricted to a configurable user html root
  • kernel inotify monitor with dynamic sysctl limits for optimal performance
  • kernel inotify alerting through daily and/or optional weekly reports
  • HTTP upload scanning through mod_security2 inspectFile hook
  • e-mail alert reporting after every scan execution (manual & daily)
  • path, extension and signature based ignore options
  • background scanner option for unattended scan operations
  • verbose logging & output of all actions

Installation

To install LMD, run the following:

$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ tar -zxvf maldetect-current.tar.gz
$ cd maldetect*
$ ./install.sh

Usage

LMD adds itself as a cron job which is used to update signatures daily, keep the session, temp and quarantine data to no more than 14 days old and run a daily scan of recent file system changes.

The configuration file for LMD is /usr/local/maldetect/conf.maldet. The file is well documented within to understand the options. By default public scanning is disabled. To check the options of LMD, run:

$ sudo maldet --help

Updates to the product are not performed automatically at the time of writing. To do a manual update (if available), run:

$ sudo maldet -d

By default LMD has the auto-quarantine of files disabled, this will mean that YOU WILL NEED TO ACT on any threats detected or pass the SCANID to the ‘-q’ option to batch quarantine the results. This can be changed by setting quar_hits=1 in conf.maldet.

The inotify monitoring feature is designed to monitor users in real-time for file creation/modify/move operations. There are three monitoring modes (USERS / PATHS / FILES). E.g.:

$ sudo maldet --monitor users
$ sudo maldet --monitor /root/monitor_paths
$ sudo maldet --monitor /home/mike,/home/ashton

Webpage: Linux Malware Detect

Similar software