
I've installed Linux Malware Detect and ClamAV on my CentOS 7 server and it all seems OK: it hits on the EICAR malware test files and runs scheduled scans without issues.

The problem comes when I upload a real malware PHP file that I kept from a previous attack on an old shared webserver. Maldet doesn't see it as a malicious file.

I know that any AV can miss some threats, but in this case it is a very, very obviously infected file, IMO.

//footer.php
<?php 
function nBMj($NrG)
{
    $NrG=gzinflate(base64_decode($NrG));
    for($i=0;$i<strlen($NrG);$i++)
    {
        $NrG[$i] = chr(ord($NrG[$i])-1);
    }
    return $NrG;
}
eval(nBMj("Some_base64_encoded_text"));
?>

This is a very common WordPress hack, and it doesn't even have the suspicious functions obfuscated.

From Maldet developer's page:

Features

  • statistical analysis component for detection of obfuscated threats (e.g: base64)
  • cleaner rules to remove base64 and gzinflate(base64 injected malware

This is a web server with 10 to 20 sites running popular CMSs like Drupal and WordPress, so the vast majority of attacks will be with this kind of file infection.

So, the question: am I missing something? Is there any special configuration for base64/gzinflate scripts, or is this normal behaviour? Maybe Maldet with ClamAV is not the best tool for a webserver?

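The dropper pattern from the question, turned into a heuristic scan a defender can run over a web root for triage. This is an added example, not code from the question or from maldet/ClamAV: the sample is the question's footer.php with its placeholder payload, and the regexes, function names and the `decode_payload` helper are my own.

```python
import base64
import re
import zlib

# Constructed sample: the question's footer.php, payload left as its placeholder.
SAMPLE_PHP = r"""<?php
function nBMj($NrG) { $NrG=gzinflate(base64_decode($NrG));
  for($i=0;$i<strlen($NrG);$i++) { $NrG[$i] = chr(ord($NrG[$i])-1); }
  return $NrG; }
eval(nBMj("Some_base64_encoded_text")); ?>"""

EVAL_OF_FUNC = re.compile(r'\beval\s*\(\s*([A-Za-z_]\w*)\s*\(', re.I)
FUNC_START = re.compile(r'\bfunction\s+([A-Za-z_]\w*)\s*\([^)]*\)\s*\{', re.I)
DECODE_CHAIN = re.compile(r'gzinflate\s*\(\s*base64_decode\s*\(', re.I)
# chr(ord($x[$i]) - N): per-byte shift that hides the payload from plain string signatures
BYTE_SHIFT = re.compile(r'chr\s*\(\s*ord\s*\([^)]*\)\s*([+-])\s*(\d+)\s*\)', re.I)

def function_bodies(src):
    """Map each user-defined function name to its brace-matched body (braces in strings are not handled)."""
    bodies = {}
    for m in FUNC_START.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        bodies[m.group(1)] = src[m.end():i - 1]
    return bodies

def scan_php(src):
    """Flag eval() of a user-defined decoder and report which decoder tricks its body uses."""
    report = {'indicators': [], 'shift': None}
    bodies = function_bodies(src)
    for m in EVAL_OF_FUNC.finditer(src):
        body = bodies.get(m.group(1))
        if body is None:  # eval of a builtin or a variable: not this pattern
            continue
        report['indicators'].append('eval-of-user-function:' + m.group(1))
        if DECODE_CHAIN.search(body):
            report['indicators'].append('gzinflate(base64_decode())')
        shift = BYTE_SHIFT.search(body)
        if shift:
            report['shift'] = int(shift.group(1) + shift.group(2))  # e.g. '-1' -> -1
            report['indicators'].append('per-byte-shift')
    return report

def decode_payload(blob, shift):
    """Reverse the dropper's decoder offline: base64 -> raw DEFLATE (what gzinflate expects) -> same per-byte shift."""
    data = zlib.decompress(base64.b64decode(blob), -15)
    return bytes((b + shift) % 256 for b in data)
```

Two or more indicators on one file is a strong signal; a single `eval` of a user function also shows up in legitimate template caches, so review those by hand.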

2 Answers


I added PHP Malware Signatures (from https://malware.expert/signatures/) to ClamAV and I successfully detected some of these threats in a WordPress website.

  • Thank you, I've been testing it for a week and it works like a charm. And to be honest... it found more malware than I expected :( – campsjos Apr 20 '18 at 08:49

I'm missing something?

Basically yes. The point is that tools like maldet and clamav are not there to provide you with a 100% detection rate and malware protection. Even enterprise-class antivirus solutions are likely to fail that - but, from my experience, (some of them) are much better than those two.

maldet and clamav are here to get rid of a whole bunch of malware - and, believe me, that is a lot of it. The second part of your question is about missing some very well-known malware. Unfortunately, it happens. This is a subject of discussion.

To me it is shocking that these two fail to detect b374k Shell. But again, it happens and proves that, even if the detection rate were 99.9%, one should not plan a security strategy by relying on the quality of an antimalware scanner.

Just to add 2¢ more to this answer: the file with PHP code provided in the question will certainly be marked as suspicious by Shell Detector. But get ready for possibly many false positives. You'll have to eyeball-check and whitelist them.

  • Many thanks for your answer @Miloshio. Obviously no antivirus can have a 100% detection rate; I was just wondering if this is a good choice for a webserver after seeing it miss that kind of "common" infected file. I'll check that Shell Detector. Thanks again! – campsjos Apr 23 '17 at 21:05