  1. #!/bin/bash
  2. #
  3. ##
  4. # Linux Malware Detect v1.4.1
  5. #             (C) 2002-2011, R-fx Networks <proj@r-fx.org>
  6. #             (C) 2011, Ryan MacDonald <ryan@r-fx.org>
  7. # inotifywait (C) 2007, Rohan McGovern  <rohan@mcgovern.id.au>
  8. # This program may be freely redistributed under the terms of the GNU GPL v2
  9. ##
  10. #
  11.  
  12. ##
  13. # [ EMAIL ALERTS ]
  14. ##
  15. # The default email alert toggle
  16. # [0 = disabled, 1 = enabled]
  17. email_alert=1
  18.  
  19. # The subject line for email alerts
  20. email_subj="maldet alert from $(hostname)"
  21.  
  22. # The destination addresses for email alerts
  23. # [ values are comma (,) spaced ]
  24. email_addr="thiago.laurito@gmail.com"
  25.  
  26. # Ignore e-mail alerts for reports in which all hits have been cleaned.
  27. # This is ideal on very busy servers where cleaned hits can drown out
  28. # other more actionable reports.
  29. email_ignore_clean=0
  30.  
  31. ##
  32. # [ QUARANTINE OPTIONS ]
  33. ##
  34. # The default quarantine action for malware hits
  35. # [0 = alert only, 1 = move to quarantine & alert]
  36. quar_hits=1
  37.  
  38. # Try to clean string based malware injections
  39. # [NOTE: quar_hits=1 required]
  40. # [0 = disabled, 1 = clean]
  41. quar_clean=1
  42.  
  43. # The default suspend action for users wih hits
  44. # Cpanel suspend or set shell /bin/false on non-Cpanel
  45. # [NOTE: quar_hits=1 required]
  46. # [0 = disabled, 1 = suspend account]
  47. quar_susp=0
  48. # minimum userid that can be suspended
  49. quar_susp_minuid=500
  50.  
  51. ##
  52. # [ SCAN OPTIONS ]
  53. ##
  54. # The maximum directory depth that the scanner will search
  55. # [ changing this may have an impact on scan performance ]
  56. maxdepth=15
  57.  
  58. # The minimum in bytes for a file to be included in a scan
  59. # [ changing this may have an impact on scan performance ]
  60. minfilesize=32
  61.  
  62. # The maximum file size for a file to be included in scan
  63. # search results; use man find for accepted values
  64. # [ changing this may have an impact on scan performance ]
  65. maxfilesize="768k"
  66.  
  67. # The maximum byte depth that the scanner will search into
  68. # a files contents; default rules expect a 1024*60 depth
  69. # [ changing this may have an impact on scan performance ]
  70. hexdepth=61440
  71.  
  72. # Use named pipe (FIFO) for passing file contents hex data
  73. # instead of stdin default; improved performance and greater
  74. # scanning depth
  75. # [ 0 = disabled, 1 = enabled; enabled by default ]
  76. hex_fifo_scan=1
  77.  
  78. # The maximum byte depth that the scanner will search into
  79. # a files contents; default rules expect a 1024*60 depth
  80. # [ changing this may have an impact on scan performance ]
  81. hex_fifo_depth=524288
  82.  
  83. # Attempt to detect the presence of ClamAV clamscan binary
  84. # and use as default scanner engine; up to four times faster
  85. # scan performance and superior hex analysis. This option
  86. # only uses ClamAV as the scanner engine, LMD signatures
  87. # are still the basis for detecting threats.
  88. # [ 0 = disabled, 1 = enabled; enabled by default ]
  89. clamav_scan=1
  90.  
  91. # Allow non-root users to perform malware scans. This must be
  92. # enabled when using mod_security2 upload scanning or if you
  93. # want to allow users to perform scans. When enabled, this will
  94. # populate the /usr/local/maldetect/pub/ path with user owned
  95. # quarantine, session and temporary paths to faciliate scans.
  96. # These paths are populated through cron every 10min with the
  97. # /etc/cron.d/maldet_pub cronjob.
  98. public_scan=0
  99.  
  100. ##
  101. # [ STATISTICAL ANALYSIS ]
  102. ##
  103. # The string length test is used to identify threats based on the
  104. # length of the longest uninterrupted string within a file. This is
  105. # useful as obfuscated code is often stored using encoding methods
  106. # that produce very long strings without spaces (e.g: base64)
  107. # [ string length in characters, default = 150000 ]
  108. string_length_scan="1"      # [ 0 = disabled, 1 = enabled ]
  109. string_length="150000"      # [ max string length ]
  110.  
  111. ##
  112. # [ MONITORING OPTIONS ]
  113. ##
  114. # The base number of files that can be watched under a path
  115. # [ maximum file watches = inotify_base_watches*users ]
  116. inotify_base_watches=15360
  117.  
  118. # The sleep time in seconds between monitor runs to scan files
  119. # that have been created/modified/moved
  120. inotify_stime=30
  121.  
  122. # The minimum userid that will be added to path monitoring when
  123. # the USERS option is specified
  124. inotify_minuid=500
  125.  
  126. # This is the html/web root for users relative to homedir, when
  127. # this option is set, users will only have the webdir monitored
  128. # [ clear option to default monitor entire user homedir ]
  129. #inotify_webdir=public_html
  130. inotify_webdir=/var/www/htdocs
  131. # The priority that monitoring process will run as
  132. # [ -19 = high prio , 19 = low prio, default = 10 ]
  133. inotify_nice=10