rfxn / linux-malware-detect

Linux Malware Detection (LMD)
http://www.rfxn.com/projects/linux-malware-detect/
GNU General Public License v2.0

Monitor Summary missing detection name and path #227

Open K2rool opened 7 years ago

K2rool commented 7 years ago

Hi, I use Maldet to monitor paths, which seems to be working fine, but about 50% of the time the hit list in the monitor summary email is missing the detection name and the path.

Here is an example:

HOST:      web.*******.net
SCAN ID:   170409-1617.15658
STARTED:   Sun Apr  9 16:02:13 2017
TOTAL FILES:   1
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 170409-1617.15658

FILE HIT LIST:
ts/SharedResources/press.php
===============================================
Linux Malware Detect v1.6 < proj@rfxn.co

I am able to get the full information about it by grepping event_log:

Apr 09 16:10:27 host maldet(17495): {hit} malware hit {HEX}php.base64.v23au.186 found for /home/*Removed*/public_html/Scripts/Widgets/SharedResources/press.php

Ryan

Lonni93 commented 5 years ago

After more than two years it seems the bug is still present :disappointed:

Here is my example:

HOST:      web***.***********.com
SCAN ID:   191105-1500.8014
STARTED:   Nov  5 2019 14:48:47 +0100
MODE:      inotify digest
ELAPSED:   0d:0h:11m:15s
TOTAL FILES:   1
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 191105-1500.8014

FILE HIT LIST:
AV}Multios.Trojan.CryptocoinMiner-6448864-1 : /home/**********/www/virusz.zip
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >

And of course, those files are present in the event_log (I'll post everything that happened in that second):

Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/**********/vhosts/test/virusz.zip
Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/**********/www/imamonster
Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/**********/www/virusz.zip
Nov 05 14:55:21 web201 maldet(4654): {mon} scanned 3 new/changed files with clamav engine
Nov 05 14:55:21 web201 maldet(4654): {mon} inotify log file trimmed
Nov 05 14:57:21 web201 maldet(4654): {mon} warning clamd service not running; force-set monitor mode file scanning to every 120s

Honestly, I don't know what info would be useful for debugging, but I'll be happy to provide everything needed.

Francesco
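Both reports above show the same symptom: the FILE HIT LIST line in the summary email is a truncated suffix of the full `signature : path` entry, while the `{hit}` lines in event_log still carry the complete signature and path. The script below is an added example, not part of this issue or of the LMD code base; it parses `{hit}` event_log lines, flags summary lines that look truncated, and recovers the full entry by suffix-matching the fragment against the event_log hits. The log lines it uses are constructed samples with placeholder hosts and paths, not the reporters' real data.

```python
import re
from typing import List, Tuple

# Constructed sample event_log lines (placeholder hosts and paths, not from the
# reports above). Two hits share a file name so that ambiguity can be shown.
SAMPLE_EVENT_LOG = """\
Apr 09 16:10:27 host maldet(17495): {hit} malware hit {HEX}php.base64.v23au.186 found for /home/example/public_html/Scripts/Widgets/SharedResources/press.php
Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/example/vhosts/test/virusz.zip
Nov 05 14:55:21 web201 maldet(4654): {hit} malware hit {CAV}Multios.Trojan.CryptocoinMiner-6448864-1 found for /home/web/example/www/virusz.zip
Nov 05 14:55:21 web201 maldet(4654): {mon} scanned 3 new/changed files with clamav engine
Nov 05 14:55:21 web201 maldet(4654): {mon} inotify log file trimmed
"""

# Matches the event_log hit format seen in the reports:
#   ... {hit} malware hit <signature> found for <path>
HIT_RE = re.compile(r"\{hit\} malware hit (?P<sig>\S+) found for (?P<path>.+?)\s*$")


def parse_hits(log_text: str) -> List[Tuple[str, str]]:
    """Return (signature, path) pairs for every {hit} line; other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if m:
            hits.append((m.group("sig"), m.group("path")))
    return hits


def summary_line(sig: str, path: str) -> str:
    """Render a hit the way the summary email's FILE HIT LIST shows it."""
    return f"{sig} : {path}"


def looks_truncated(line: str) -> bool:
    """A complete hit-list entry starts with the '{' of the signature and
    contains the ' : ' separator; anything else has lost its leading part."""
    return not (line.startswith("{") and " : " in line)


def recover_hits(fragment: str, hits: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return every event_log hit whose full summary entry ends with the
    truncated fragment. More than one result means the fragment is ambiguous
    and the caller should compare scan times or paths by hand."""
    return [(sig, path) for sig, path in hits
            if summary_line(sig, path).endswith(fragment)]


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_EVENT_LOG)
    for fragment in ("ts/SharedResources/press.php",
                     "AV}Multios.Trojan.CryptocoinMiner-6448864-1 : /home/web/example/www/virusz.zip",
                     "virusz.zip"):
        if looks_truncated(fragment):
            print(f"truncated: {fragment!r} -> {recover_hits(fragment, hits)}")
```

Run it against a real event_log by replacing `SAMPLE_EVENT_LOG` with the file contents (for example, `open('/usr/local/maldetect/logs/event_log').read()`, assuming the default install path); restricting the input to the lines around the scan's timestamp keeps the suffix match from picking up hits from earlier scans.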