Maldet – Realtime Monitoring

The steps to be performed for that are as follows:

1. Perform a full server scan using maldet.

maldet -a /home/?/public_html

2. Once the scanning is completed, remove the cmdshells and bots and also remove the eval codes from the files. Make sure that no files contain vulnerable contents.
3. While installing maldet, a cron will be added in the folder /etc/cron.daily. Remove that file and create a file /root/ with the following content:


# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if were running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
	# if were on ensim, scan the last 2 days of file changes in fst roots
	if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
	        /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
	        /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
		# scan the last 2 days of file changes on home*/public_html
	        /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1

4. Set 755 permission for the file /root/

chmod 755 /root/

5. Set a cron using the following command:

crontab -e
30 01 * * * sh /root/
/etc/init.d/crond restart

6. Now start the real time monitoring by running the command:

maldet --monitor /home

The details of the files like the file name, whether it was newly created or modified and the date will be added to the file /usr/local/maldet/inotify/inotify_log. Then daily at 01.30AM, it will check the files which were modified or newly created for the vulnerabilities and it will mail to the mail id that set in conf.maldet

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: