Score:0

Linux Malware Detection - Malware in LMD folder found


I recently ran a full scan of my Ubuntu 22.04 LTS system and maldet reported these two files:

maldet(3692653): {quar} malware quarantined from '/home/davids/LMD/maldetect-current/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed' to '/usr/local/maldetect/quarantine/gzbase64.inject.unclassed.668712263'
maldet(3692653): {quar} malware quarantined from '/home/davids/LMD/maldetect-current/maldetect-1.6.4/files/sigs/rfxn.yara' to '/usr/local/maldetect/quarantine/rfxn.yara.1568928915'

I found it strange that they are both in the LMD folder. Is LMD not safe?

I followed the instructions from this link.

The OS I use is Ubuntu 22.04 LTS.

guiverc
What OS & release are you using? ie. what Ubuntu product are you running?
user535733
As written, this seems to be asking for opinion-based answers, which we frown upon. Reverse the question and ask yourself (not us): Do you trust the community that produced the software?
sedsiv
@user535733 It doesn't make sense to me. If the developers of LMD placed those malware files on purpose, then why not hide them from the software, or find any other way to make them undetectable by LMD, their own program? Their website seems trustworthy, they seem to have developed a couple of other trustworthy pieces of software, and the source code is on GitHub and publicly viewable. It doesn't seem shady to me.
user535733
Then it seems like you have answered your own question: You have done your research and judged that the software is safe.
sedsiv
I merely want to understand why the devs put those files in the folder where LMD is automatically installed and did not hide them. It seems very strange because it doesn't make sense at all.
Score:2

Found the answer on serverfault.com.

However, the locations where the malware was found are in directories where either ClamAV or MalDet stores their signature files. Also, to be active, the detected malware would have to be in its original form (MIME type application/x-httpd-php), which it is not. The signature files must contain enough information about the malware in order to detect it, which may cause false positives when the signature files themselves are scanned with a malware detection tool.

So apparently these two files are signature files used by MalDet to identify malware.

Elder Geek
Completely unsurprising. Congratulations on finding your own solution. Cheers!
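As an added example (not code from the thread or from the LMD project), a small POSIX shell helper that parses maldet's {quar} log lines like the two above and flags hits whose source path lies in a known LMD or ClamAV signature/cleaner directory, so they can be reviewed as likely false positives before being restored. The directory list and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Extract the original (pre-quarantine) path from a maldet {quar} line:
#   maldet(PID): {quar} malware quarantined from 'SRC' to 'DST'
quar_source() {
    printf '%s\n' "$1" | sed -n "s/.*quarantined from '\([^']*\)' to '.*/\1/p"
}

# Extract the quarantine copy's path from the same line.
quar_dest() {
    printf '%s\n' "$1" | sed -n "s/.*quarantined from '[^']*' to '\([^']*\)'.*/\1/p"
}

# Classify a {quar} line:
#   "signature" - source sits in a signature/cleaner directory of LMD or
#                 ClamAV (constructed list), so the hit is expected: the file
#                 only describes malware and is not a runnable payload
#   "review"    - anything else; inspect before restoring
#   "unparsed"  - line is not a {quar} quarantine record
classify_quar() {
    src=$(quar_source "$1")
    [ -n "$src" ] || { echo "unparsed"; return 0; }
    case "$src" in
        */maldetect-*/files/sigs/*|*/maldetect-*/files/clean/*|\
        /usr/local/maldetect/sigs/*|/usr/local/maldetect/clean/*|\
        /var/lib/clamav/*)
            echo "signature" ;;
        *)
            echo "review" ;;
    esac
}

# Report the MIME type of the quarantine copy when it still exists; the
# serverfault answer notes an active PHP payload would be application/x-httpd-php,
# whereas a YARA or text signature file will not be.
quar_mime() {
    dst=$(quar_dest "$1")
    if [ -n "$dst" ] && [ -f "$dst" ]; then
        file -b --mime-type "$dst"
    else
        echo "missing"
    fi
}

# Usage: maldet log lines on stdin, one classification per line.
# A confirmed false positive can be restored with `maldet --restore FILE`
# and its directory listed in /usr/local/maldetect/ignore_paths.
if [ -t 0 ]; then :; else
    while IFS= read -r line; do
        printf '%s\t%s\t%s\n' "$(classify_quar "$line")" "$(quar_mime "$line")" "$line"
    done
fi
```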