malmon - MALware MONitor
malmon is a small peace of software witch is very useful
for web hosting server (and not only).
It uses inotify (pyinotify) no monitor file system activity
and checks every new / movied / modified file (there's a file
size limit , so we can check only files smaller then X size).
Currently there two type of checks:
1). md5 sum check.
We have a db of md5 sums of some known
malware/exploits/backdoors and stuff like that
and we compare them to the md5 sum of the new/
2). hex signature check.
We check the file content and match it
agains another db with known hex signatures.
N.B.) Currently all definitions we are getting are
from the LMD project (http://rfxn.com)
This project is based on their ideas and way
1). Realtime file system monitoring.
2). md5 sum checks.
3). hex signature based checks.
4). exclude file (exclude list).
5). auto definition update at start.
6). Check only files smaller them some
size (size limit is set in the config)
7). Shitlist added. A list of forbiden filenames
This will move all files with name found in
the shitlist, without doing any checks.
What's to come:
1). Add MIME Type check.
2). Add spam-filter like checks.
We will analyze the file, and match
any strings that are often found in
Every sting will have factor, and
after the analyze is done, we check
what factor has the file get, and if
its bigger then allowed we'll add
warning to the log/stdout (depending
in what mode is the daemon running)
3). Separate the md5sums and hex sig. files
from the rfxn project and make our own.
4). Add walk option, so the daemon can
the foliders and check files older
then X something (days/hours and so on)
5). Add support to monitor multiple directories
at the same time.
6). Add multiple analazying thread for servers
with more file activity.
7). Add warn/paranoid mode option.
In paranoid mode (default) we mode all
infections to the quarantine dir.
In warn mode, we will only print them
in the log/stdout, without moving them.
8). Make definitions update while running, not
only at start.
/usr/local/sbin/malmon - The daemon
/etc/malmon - Configuration dir
/etc/malmon/malmon.conf - Config file
/etc/malmon/black.list - Backlist file (supports reg expr)
/etc/malmon/exclude.list - Exclude list (supports reg expr)
/var/cache/malmon - The daemon cache directory
/var/cache/malmon/infections - Where to move all infected files.
malmon depends only on 2 things.
1). inotify kernel support (CONFIG_INOTIFY_USER=y)
2). pyinotify module (http://pyinotify.sourceforge.net/)
If you have them both, you're good to go :]
......... i'm 2 lazy to finish the README now .... more - later.