Linux Malware Detect (LMD)

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 (free, open source) license, this is designed around the threats faced in shared hosted environments.

It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature, threats found on the TCH network of over 30,000 hosted domains and from malware community resources.

The result, is a malware scanner with over 2,200 signatures and growing, that detects a varied assortment of malware from the infamous Yellsoft Darkmailer CGI Mailer to the more common r57 PHP Command Shell to BASE64 Encoded file injection strings.

Installation & Configuration:

# wget

installation completed to /usr/local/maldetect

config file: /usr/local/maldetect/conf.maldet

exec file: /usr/local/maldetect/maldet

exec link: /usr/local/sbin/maldet

cron.daily: /etc/cron.daily/maldet

After that LMD is installed, take note of the file locations and we can go ahead with opening the configuration file located at /usr/local/maldetect/conf.maldet for editing.


This is a top level toggle for the e-mail alert system, this must be turned on if you want to receive alerts.


This is a comma spaced list of e-mail addresses that should receive alerts.


This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to original path, owner and permission using the –restore FILE option.


This tells LMD that it should try to clean malware that it has cleaner rules for, at the moment base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to original path, owner and permission.


Using this option allows LMD to suspend a user account that malware is found residing under. On CPanel systems this will pass the user to /scripts/suspendacct and add a comment with the maldet report command to the report that caused the users suspension (e.g: maldet –report SCANID). On non-cpanel systems, the users shell will be set to /bin/false.


This is the minimum user id that will be evaluated for suspension, the default should be fine on most systems.

The rest of the options in conf.maldet can be left as defaults unless you clearly understand what they do and how they may influence scan results and performance.

If we wanted to scan all user public_html paths under /home*/ this can be done with:

# maldet –scan-all /home?/?/public_html

If you wanted to scan the same path but scope it to content that has been created/modified in the last 5 days you would run:

# maldet –scan-recent /home?/?/public_html 5

If you performed a scan but forget to turn on the quarantine option, you could quarantine all malware results from a previous scan with:

# maldet –quarantine SCANID

Similarly to the above, if you wanted to attempt a clean on all malware results from a previous scan that did not have the feature enabled, you would do so with:

# maldet –clean SCANID

If you had a file that was quarantined from a false positive or that you simply want to restore (i.e: you manually cleaned it), you can use the following:

# maldet –restore config.php.2384
# maldet –restore /usr/local/maldetect/quarantine/config.php.2384