Maldet scanner for cPanel
Installation
=========
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh
After running the install script , the installation will complete with in seconds and you will be provided with successful installation output, in this information some of the main configuration and usage related information provided is  below :installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
As you can see from above output the main configuration file for malware detect is located at below path :
/usr/local/maldetect/conf.maldet
The main cron is located at /etc/cron.daily/maldet
The configuration file is fully commented so you should be able to make out most options but lets take a moment to review the more important ones anyways.
email_alert
This is a top level toggle for the e-mail alert system, this must be turned on if you want to receive alerts.
email_addr
This is a comma spaced list of e-mail addresses that should receive alerts.
quar_hits
This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to original path, owner and permission using the –restore FILE option.
quar_clean
This tells LMD that it should try to clean malware that it has cleaner rules for, at the moment base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to original path, owner and permission.
quar_susp
Using this option allows LMD to suspend a user account that malware is found residing under. On CPanel systems this will pass the user to /scripts/suspendacct and add a comment with the maldet report command to the report that caused the users suspension (e.g: maldet –report SCANID). On non-cpanel systems, the users shell will be set to /bin/false.
quar_susp_minuid
This is the minimum user id that will be evaluated for suspension, the default should be fine on most systems.
Usage & Manual Scan
=================
If we wanted to scan all user public_html paths under /home*/ this can be done with:
maldet scan-all /home?/?/public_html
If you wanted to scan the same path but scope it to content that has been created/modified in the last 5 days you would run:
maldet –scan-recent /home?/?/public_html 5
If you performed a scan but forget to turn on the quarantine option, you could quarantine all malware results from a previous scan with:
maldet –quarantine SCANID
Similarly to the above, if you wanted to attempt a clean on all malware results from a previous scan that did not have the feature enabled, you would do so with:
maldet –clean SCANID