Install Linux Malware Detect for WordPress on Debian 8 Jessie

Keeping your WordPress sites free of malware is critical. An infected WordPress site can impair the user experience and waste resources, slowing the site down. Many users rely on WordPress plugins to scan for malware. That is a reasonable choice for shared-hosting users who have no shell access to their server, but anyone with a VPS or dedicated server can use a more robust solution that runs outside WordPress itself, where a compromised site cannot simply disable it.

Linux Malware Detect (LMD, invoked as maldet) is an open source malware scanner you can use to detect and clean malware infections on your WordPress web server. It is maintained by R-fx Networks and hosted on GitHub; the project accepts donations to help cover maintenance costs.

This tutorial shows how to install Linux Malware Detect for WordPress on Debian Jessie, integrate it with ClamAV to speed up scanning, and run a daily automated scan.

This should work on Ubuntu and other versions of Debian.

Install Linux Malware Detect for WordPress on Debian

First install ClamAV; when its clamscan binary is present, Linux Malware Detect uses it as the scan engine, which is much faster on large file sets. On Debian the clamav-freshclam service downloads ClamAV's own signature database, which clamscan needs before it can run, so let it finish before your first scan.

sudo apt-get install clamav -y

Now download and install Linux Malware Detect. install.sh runs as root (it installs to /usr/local/maldetect, creates the cron job and fetches the first signature set), so skim it before running it.

cd /tmp
wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xf maldetect-current.tar.gz
rm -rf maldetect-current.tar.gz
cd maldetect*
sudo bash install.sh

You should see output like this, showing that Linux Malware Detect installed and fetched its first signature set

Linux Malware Detect v1.5
            (C) 2002-2015, R-fx Networks <[email protected]>
            (C) 2015, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(23212): {sigup} performing signature update check...
maldet(23212): {sigup} local signature set is version 2016040521114
maldet(23212): {sigup} new signature set (2016051412133) available
maldet(23212): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(23212): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(23212): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(23212): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(23212): {sigup} verified md5sum of maldet-clean.tgz
maldet(23212): {sigup} unpacked and installed maldet-clean.tgz
maldet(23212): {sigup} signature set update completed
maldet(23212): {sigup} 10824 signatures (8909 MD5 / 1915 HEX / 0 USER)

Updating Linux Malware Detect

It is critical to keep your malware detection signatures up to date. The daily cronjob does this automatically; to update them by hand, run

sudo maldet --update-sigs

This is the expected output when the signatures are already up to date.

Linux Malware Detect v1.5
            (C) 2002-2015, R-fx Networks <[email protected]>
            (C) 2015, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(25901): {sigup} performing signature update check...
maldet(25901): {sigup} local signature set is version 2016051412133
maldet(25901): {sigup} latest signature set already installed

To update the Linux Malware Detect software itself

sudo maldet --update-ver

You will see this output

Linux Malware Detect v1.5
            (C) 2002-2015, R-fx Networks <[email protected]>
            (C) 2015, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(30137): {update} checking for available updates...
maldet(30137): {update} hashing install files and checking against server...
maldet(30137): {update} latest version already installed.

To scan only files changed within the last 7 days (the -r or --scan-recent switch, which is what the daily cronjob uses), run

sudo maldet --scan-recent /var/www 7

To scan all files in a folder, use the -a or --scan-all switch

sudo maldet --scan-all /var/www

Configure Linux Malware Detect

By default Linux Malware Detect runs a daily cronjob that scans a fixed set of standard web-root locations, so your WordPress folders are only covered if they live in one of them. I will show you how to double check that Linux Malware Detect is scanning the right folders containing your WordPress sites.

In this section we will configure email alerts from Linux Malware Detect for when a WordPress infection is found. Open the config file

sudo nano /usr/local/maldetect/conf.maldet

Enable Email alerts by setting email_alert="1".

You must have postfix, sendmail or another mail transfer agent configured to send mail, or a relay service such as Mailgun (configuration guide posted soon).

Set the email address that will receive notifications in the email_addr variable.

Make sure Linux Malware Detect will clean infections where it can by setting quarantine_clean="1". Cleaning only takes effect on files that have been quarantined, so also set quarantine_hits="1"; the stock config ships with it at 0, in which case hits are only reported.

Make sure ClamAV is being used to speed up scanning by setting scan_clamscan="1".

If you only want an email when there is a WordPress malware detection that was not cleaned automatically, leave email_ignore_clean at its default. If you always want to receive the email alert, set email_ignore_clean to 0.

# Enable or disable e-mail alerts, this includes application version
# alerts as well as automated/manual scan reports. On-demand reports
# can still be sent using '--report SCANID [email protected]'.
# [0 = disabled, 1 = enabled]
email_alert="1"

# The destination e-mail addresses for automated/manual scan reports
# and application version alerts.
# [ multiple addresses comma (,) spaced ]
email_addr="[email protected]"

# Ignore e-mail alerts for scan reports in which all malware hits
# have been automatically and successfully cleaned.
# [0 = disabled, 1 = enabled]
email_ignore_clean="1"

# Try to clean string based malware injections
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = clean]
quarantine_clean="1"

# If installed, use ClamAV clamscan binary as default scan engine which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan="1"

Hit Ctrl+X, Y and Enter to Save and Exit.

Configure Linux Malware Detect cronjob

The stock cronjob scans a set of standard web-root locations, which can be resource intensive and may miss your sites entirely. In this section you will point it at your WordPress installation directories instead.

Customize which folders Linux Malware Detect scans by changing the defaults in its cronjob file. Open it

sudo nano /etc/cron.daily/maldet

Find this line with Ctrl+W, searching for /usr/local/apache.

# cpanel, interworx and other standard home/user/public_html setups
$inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1

Change it to match the location where you store your WordPress installs; here it is /var/www but it may be /var/www/html or somewhere else depending on your setup. Several paths can be listed, comma-separated with no spaces, as in the original line.

$inspath/maldet -b -r /var/www/ $scan_days >> /dev/null 2>&1

Ctrl+X, Y and Enter to Save and Exit.
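The two edits above (the conf.maldet settings and the cron.daily scan path) can also be applied non-interactively so they are repeatable and verifiable. The script below is an added example, not code from the page or from the Linux Malware Detect project. It assumes that conf.maldet already contains each key as key="value" (true of the stock 1.5 file) and that the cron job's scan line starts with "$inspath/maldet -b -r ". The demo at the bottom runs against constructed copies of the two files; to apply it for real, run configure_maldet and set_cron_scan_path with sudo against /usr/local/maldetect/conf.maldet and /etc/cron.daily/maldet.

```bash
#!/bin/bash
# Added example (not from the page or the Linux Malware Detect project):
# apply the tutorial's conf.maldet settings and cron.daily scan path with sed,
# refusing to guess when a key or the scan line is missing.

set_conf_value() {
    # $1 file, $2 key, $3 value. Rewrites the existing key="..." line in place.
    # Refuses to append, so a mistyped key fails loudly instead of being ignored.
    local file=$1 key=$2 value=$3
    grep -q "^${key}=" "$file" || { echo "key ${key} not found in ${file}" >&2; return 1; }
    sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
}

get_conf_value() {
    # $1 file, $2 key. Prints the value of key="..." without the quotes.
    sed -n "s|^${2}=\"\(.*\)\"|\1|p" "$1"
}

configure_maldet() {
    # $1 conf.maldet path, $2 alert address. Mirrors the settings from the
    # "Configure Linux Malware Detect" section.
    local conf=$1 email=$2
    set_conf_value "$conf" email_alert 1 || return 1
    set_conf_value "$conf" email_addr "$email" || return 1
    set_conf_value "$conf" email_ignore_clean 1 || return 1
    # quarantine_clean does nothing unless hits are quarantined first
    set_conf_value "$conf" quarantine_hits 1 || return 1
    set_conf_value "$conf" quarantine_clean 1 || return 1
    set_conf_value "$conf" scan_clamscan 1 || return 1
}

set_cron_scan_path() {
    # $1 cron file, $2 path(s) to scan, comma-separated with no spaces (what -r accepts).
    # Only the path field of the "$inspath/maldet -b -r ..." line is replaced.
    local cron=$1 paths=$2
    grep -q '^[$]inspath/maldet -b -r ' "$cron" || { echo "scan line not found in ${cron}" >&2; return 1; }
    sed -i 's|^\([$]inspath/maldet -b -r \)[^ ]* |\1'"${paths}"' |' "$cron"
}

# Demo on constructed copies of the two files; the real ones are untouched.
make_demo_files() {
    DEMO_CONF=$(mktemp) && DEMO_CRON=$(mktemp) || return 1
    cat > "$DEMO_CONF" <<'EOF'
# constructed excerpt of a stock conf.maldet
email_alert="0"
email_addr="you@domain.com"
email_ignore_clean="1"
quarantine_hits="0"
quarantine_clean="0"
scan_clamscan="1"
EOF
    cat > "$DEMO_CRON" <<'EOF'
# constructed excerpt of /etc/cron.daily/maldet
# cpanel, interworx and other standard home/user/public_html setups
$inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1
EOF
}

make_demo_files
configure_maldet "$DEMO_CONF" "admin@example.com"
set_cron_scan_path "$DEMO_CRON" "/var/www/"
grep -E '^(email_|quarantine_|scan_clamscan)' "$DEMO_CONF"
grep '^[$]inspath' "$DEMO_CRON"
```

Because set_conf_value only rewrites keys that already exist, a typo such as quarantine_clean_hits aborts with an error instead of leaving a setting silently unapplied, which is the failure mode you most want to avoid with a scanner that is supposed to run unattended.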

Run the Linux Malware Detect cronjob manually to test it

sudo bash /etc/cron.daily/maldet

Then check the log to make sure it ran correctly

sudo maldet -l

Output

Aug 04 18:31:26 wpbullet maldet(20264): {update} checking for available updates...
Aug 04 18:31:26 wpbullet maldet(20264): {update} hashing install files and checking against server...
Aug 04 18:31:27 wpbullet maldet(20264): {update} latest version already installed.
Aug 04 18:31:27 wpbullet maldet(20359): {sigup} performing signature update check...
Aug 04 18:31:27 wpbullet maldet(20359): {sigup} local signature set is version 2016063019179
Aug 04 18:31:27 wpbullet maldet(20359): {sigup} latest signature set already installed
Aug 04 18:31:27 wpbullet maldet(20446): {scan} launching scan of /var/www/ changes in last 1d to background, see /usr/local/maldetect/logs/event_log for progress
Aug 04 18:31:27 wpbullet maldet(20446): {scan} signatures loaded: 10904 (8987 MD5 / 1917 HEX / 0 USER)
Aug 04 18:31:28 wpbullet maldet(20446): {scan} building file list for /var/www/ of new/modified files from last 1 days, this might take awhile...
Aug 04 18:31:28 wpbullet maldet(20446): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
Aug 04 18:31:28 wpbullet maldet(20446): {scan} executed /usr/bin/nice -n 19 /usr/bin/find /var/www/ /tmp /var/tmp /dev/shm -maxdepth 15 -regextype posix-egrep -type f ( -mtime -1 -o -ctime -1 ) -size +24c -size -6947618c  -not -perm 000 -not -regex ""  -not -uid 0 -not -gid 0
Aug 04 18:31:38 wpbullet maldet(20446): {scan} file list completed in 10s, found 12 files...
Aug 04 18:31:38 wpbullet maldet(20446): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
Aug 04 18:31:38 wpbullet maldet(20446): {scan} scan of /var/www/ (12 files) in progress...
Aug 04 18:31:50 wpbullet maldet(20446): {scan} scan completed on /var/www/: files 12, malware hits 0, cleaned hits 0, time 22s
Aug 04 18:31:50 wpbullet maldet(20446): {scan} scan report saved, to view run: maldet --report 160804-1831.20446

If you left email_ignore_clean at 1, no mail was sent for this clean test scan, but you can still confirm that mail delivery works.

Use the scan ID from the test scan to send its report on demand to a test address

sudo maldet --report 160804-1831.20446 [email protected]

You should get an email that looks like this

HOST:      wp-bullet.com
SCAN ID:   160805-0133.16132
STARTED:   Aug  5 2016 01:33:31 +0200
COMPLETED: Aug  5 2016 01:33:53 +0200
ELAPSED:   22s [find: 1s]

PATH:          /var/www/
RANGE:         1 days
TOTAL FILES:   11
TOTAL HITS:    0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.5 < [email protected] >
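Email is a weak alerting channel for a daily scan, since a mail that never arrives looks the same as a clean scan. The script below, an added example that is not from the page or from the Linux Malware Detect project, turns the log line and report shown above into an exit status that cron's MAILTO or a monitoring agent can act on: it takes the newest SCANID from maldet's event log, fetches the report with maldet --report and parses the TOTAL HITS and TOTAL CLEANED lines. It assumes the "FILE HIT LIST" section of a report lists hits as "{TYPE}signature.name : /path/to/file"; the sample log line and reports at the bottom are constructed for the demo, and the infected one is invented.

```bash
#!/bin/bash
# Added example (not from the page or the Linux Malware Detect project):
# classify the latest maldet scan report for monitoring.
# Exit status: 0 = no hits or all hits cleaned, 2 = uncleaned hits,
# 3 = no report found in the log.

MALDET_LOG=${MALDET_LOG:-/usr/local/maldetect/logs/event_log}

latest_scan_id() {
    # Print the SCANID from the last "scan report saved" line in the log file $1.
    sed -n 's/.*{scan} scan report saved, to view run: maldet --report \([0-9]\{6\}-[0-9]\{4\}\.[0-9]*\).*/\1/p' "$1" | tail -n 1
}

report_total() {
    # $1 is HITS or CLEANED; print the number from the "TOTAL $1:" line of a report on stdin.
    sed -n "s/^TOTAL ${1}:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

report_hit_files() {
    # Print the file paths from the hit list of a report on stdin, one per line.
    # Assumed line format: {TYPE}signature.name : /path/to/file
    sed -n 's/^{[A-Z0-9]*}[^ ]* : \(.*\)$/\1/p'
}

classify_report() {
    # Read a report on stdin, print a one-line status and return 0 (OK/CLEANED) or 2 (INFECTED).
    # The report does not mark which hits were cleaned, so every listed file is printed for triage.
    local text hits cleaned
    text=$(cat)
    hits=$(printf '%s\n' "$text" | report_total HITS)
    cleaned=$(printf '%s\n' "$text" | report_total CLEANED)
    hits=${hits:-0}; cleaned=${cleaned:-0}
    if [ "$hits" -eq 0 ]; then
        echo "OK: no malware hits"
        return 0
    elif [ "$cleaned" -ge "$hits" ]; then
        echo "CLEANED: ${hits} hit(s) quarantined and cleaned"
        return 0
    fi
    echo "INFECTED: $((hits - cleaned)) uncleaned hit(s)"
    printf '%s\n' "$text" | report_hit_files
    return 2
}

check_latest_scan() {
    # Entry point for cron or a monitoring agent; needs a real maldet install.
    local id
    id=$(latest_scan_id "$MALDET_LOG")
    if [ -z "$id" ]; then
        echo "UNKNOWN: no scan report recorded in ${MALDET_LOG}" >&2
        return 3
    fi
    maldet --report "$id" | classify_report
}

# Constructed samples for the demo, modelled on the log line and report above;
# the infected report is invented for illustration.
SAMPLE_LOG_LINE='Aug 04 18:31:50 wpbullet maldet(20446): {scan} scan report saved, to view run: maldet --report 160804-1831.20446'
SAMPLE_REPORT_CLEAN='HOST:      wp-bullet.com
SCAN ID:   160804-1831.20446
TOTAL FILES:   12
TOTAL HITS:    0
TOTAL CLEANED: 0'
SAMPLE_REPORT_INFECTED='HOST:      wp-bullet.com
SCAN ID:   160805-0200.17001
TOTAL FILES:   40
TOTAL HITS:    2
TOTAL CLEANED: 1

FILE HIT LIST:
{HEX}php.cmdshell.example.1 : /var/www/example.com/wp-content/uploads/2016/08/cache.php
{MD5}php.backdoor.example.2 : /var/www/example.com/wp-includes/class-wp-session.php'

printf '%s\n' "$SAMPLE_REPORT_CLEAN" | classify_report
printf '%s\n' "$SAMPLE_REPORT_INFECTED" | classify_report || echo "exit status $?"
```

Run check_latest_scan from a second cron entry a little after the maldet job, or wire it into your monitoring agent as a check command; an uncleaned hit then pages you even if outbound mail is broken, and a missing report (status 3) tells you the scan itself stopped running.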

Sources

Official ClamAV Installation
ClamAV on Ubuntu Tutorial
Configure Malware Scanner