Centos – Maldet with ClamAV missing PHP base64_decode() & eval() hacks

Tags: centos, clamav, malware, PHP, Security

I've installed Linux Malware Detect and ClamAV on my CentOS 7 server, and it all seems OK: it hits on the EICAR malware test files and does scheduled scans without issues.

The problem comes when I upload a real malware PHP file that I kept from a previous attack on an old shared web server. Maldet doesn't see it as a malicious file.

I know that any AV can miss some threats, but in this case it is a very, very obviously infected file, IMO.

//footer.php
<?php
// Decoder used by the dropper: base64 -> gzinflate -> shift every byte down by one
function nBMj($NrG)
{
    $NrG=gzinflate(base64_decode($NrG));
    for($i=0;$i<strlen($NrG);$i++)
    {
        $NrG[$i] = chr(ord($NrG[$i])-1);
    }
    return $NrG;
}
// The decoded payload is executed directly; the real blob is omitted here
eval(nBMj("Some_base64_encoded_text"));
?>

This is a very common WordPress hack, and it does not even have the suspicious functions obfuscated.

From Maldet developer's page:

Features

  • statistical analysis component for detection of obfuscated threats (e.g: base64)
  • cleaner rules to remove base64 and gzinflate(base64 injected malware

This is a web server with 10 to 20 sites running popular CMSes like Drupal and WordPress, so the vast majority of attacks will be this kind of file infection.

So, the question: am I missing something? Is there any special configuration for base64/gzinflate scripts, or is this normal behaviour? Maybe Maldet with ClamAV is not the best tool for a web server?

Best Answer

I added PHP Malware Signatures (from https://malware.expert/signatures/) to ClamAV and I successfully detected some of these threats in a WordPress website.
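As an added example (not the poster's code, and not Maldet's or ClamAV's), the script below shows why the file in the question slips past a plain byte signature and what a wrapper-aware check looks like. The sample PHP inputs are constructed to mirror the question's footer.php (with the placeholder payload) and a benign file that uses base64_decode() legitimately; the signature name is an assumption. `scan_php()` flags eval()/assert()/create_function() whose argument is either a decoder call or a user-defined function whose body calls a decoder (the nBMj() pattern), and `ndb_signature()` builds a ClamAV .ndb body signature of the kind the answer adds, so you can see that the literal `eval(gzinflate(base64_decode(` signature misses the wrapper variant while the heuristic catches it.

```python
import re

# Constructed sample: same shape as the footer.php in the question, payload is a placeholder.
SAMPLE_FOOTER_PHP = r'''<?php
function nBMj($NrG)
{
    $NrG=gzinflate(base64_decode($NrG));
    for($i=0;$i<strlen($NrG);$i++)
    {
        $NrG[$i] = chr(ord($NrG[$i])-1);
    }
    return $NrG;
}
eval(nBMj("Some_base64_encoded_text"));
?>'''

# Constructed benign file: decodes base64 but never feeds the result to eval().
BENIGN_PHP = r'''<?php
function load_logo() {
    $png = base64_decode(get_option('site_logo_b64'));
    return $png;
}
header('Content-Type: image/png');
echo load_logo();
?>'''

DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "gzdecode", "str_rot13", "rawurldecode")
SINKS = ("eval", "assert", "create_function")


def _balanced_span(src, open_idx, open_ch="(", close_ch=")"):
    """Text between the delimiter at open_idx and its matching close (exclusive).
    Heuristic: does not understand string literals, which is fine for a triage scan."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: use the rest of the file


def decoder_wrappers(src):
    """Names of user-defined functions whose body calls one of DECODERS."""
    names = set()
    for m in re.finditer(r'\bfunction\s+([A-Za-z_]\w*)\s*\(', src):
        brace = src.find("{", m.end())
        if brace == -1:
            continue
        body = _balanced_span(src, brace, "{", "}")
        if any(d in body for d in DECODERS):
            names.add(m.group(1))
    return names


def scan_php(src):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    wrappers = decoder_wrappers(src)
    for m in re.finditer(r'\b(' + '|'.join(SINKS) + r')\s*\(', src):
        arg = _balanced_span(src, m.end() - 1)          # m.end()-1 is the '(' itself
        direct = [d for d in DECODERS if d in arg]
        via = [w for w in sorted(wrappers) if re.search(r'\b' + re.escape(w) + r'\s*\(', arg)]
        if direct:
            findings.append(f"{m.group(1)}() fed directly by {', '.join(direct)}")
        if via:
            findings.append(f"{m.group(1)}() fed by wrapper {', '.join(via)} which calls a decoder")
    # Long base64-looking literals are the usual carrier for the real payload.
    for s in re.finditer(r'["\']([A-Za-z0-9+/=]{120,})["\']', src):
        findings.append(f"long base64-looking string literal ({len(s.group(1))} chars)")
    return findings


def ndb_signature(name, needle, target_type=0):
    """Build a ClamAV .ndb body signature line: Name:TargetType:Offset:HexBytes
    (target type 0 = any file, offset * = anywhere)."""
    return f"{name}:{target_type}:*:{needle.encode().hex()}"


def signature_hits(ndb_line, src):
    """Match the literal bytes of an .ndb line against a file, as a plain byte signature does."""
    hex_body = ndb_line.split(":")[3]
    return bytes.fromhex(hex_body) in src.encode()


if __name__ == "__main__":
    sig = ndb_signature("Php.Obfuscated.EvalGzinflateB64", "eval(gzinflate(base64_decode(")
    print("ndb line:", sig)
    print("byte signature hits question's file:", signature_hits(sig, SAMPLE_FOOTER_PHP))
    print("heuristic findings, question's file:", scan_php(SAMPLE_FOOTER_PHP))
    print("heuristic findings, benign file:   ", scan_php(BENIGN_PHP))
```

The generated line can be saved in a file with the .ndb extension and loaded with `clamscan -d custom.ndb <path>`; it only ever matches those exact bytes in that order, which is why signature sets like the one in the answer carry many variants and why a heuristic pass over the web root is a useful complement rather than a replacement.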