Looking for Lurg: Clamav, Maldet & PHP Malware


Thought Maldet would just find manky files, it didn’t, I just wanted it to see the obvious, it did eventually after I did..

1) Install Clam AV (By googling CentOS7 clamav as you do, cheers mate)

yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd -y

2) Configure daemon

cp /usr/share/clamav/template/clamd.conf /etc/clamd.d/clamd.conf
sed -i ā€˜/^Example/dā€™ /etc/clamd.d/clamd.conf


User clamscan
LocalSocket /var/run/clamd./clamd.sock

^^ I’d just sed that what I can be arsed

3) Configure FreshClam

cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i ā€˜/^Example/dā€™ /etc/freshclam.conf

Add these, these actually did the trick, cheers malware friends

Add to..

vi /etc/freshclam.conf
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp

4) Create systemd service file

vi  /usr/lib/systemd/system/clam-freshclam.service
# Run the freshclam as daemon
Description = freshclam scanner
After = network.target

Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true


5) Enable & start

systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service

6)update freshclam


… at this point clamAV caught my lurgs, but maldet and all that.

7) Install maldet (by copying and pasting from here, ta!

cd /usr/local/src/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz && tar -xzvf maldetect-current.tar.gz && cd maldetect-* && sh install.sh

Delete /etc/cron.daily/maldet I don’t want it

rm /etc/cron.daily/maldet

8) Update version and virus signatures:

maldet -d && maldet -u

9)Run it

maldet -a /path/to

10 )I checked a lurgy file directly e.g.

maldet -a /path/to/lurg.php
Linux Malware Detect v1.6.2
            (C) 2002-2017, R-fx Networks 
            (C) 2017, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(3338): {scan} signatures loaded: 15218 (12485 MD5 | 1954 HEX | 779 YARA | 0 USER)
maldet(3338): {scan} building file list for /path/to/lurg.php, this might take awhile...
maldet(3338): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(3338): {scan} file list completed in 0s, found 1 files...
maldet(3338): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(3338): {scan} scan of /path/to/lurg.php (1 files) in progress...
maldet(3338): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(3338): {scan} scan completed on /path/to/lurg.php: files 1, malware hits 1, cleaned hits 0, time 18s
maldet(3338): {scan} scan report saved, to view run: maldet --report 123456-6789.0098
maldet(3338): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 123456-6789.0098