Linux Malware Detect
Shell-native malware scanner built from real-world threat data
The most widely deployed open source malware scanner purpose-built for Linux servers. LMD uses threat intelligence from network edge intrusion detection systems to generate signatures for malware that is actively being used in attacks. Pure Bash. No agents. No daemons. No dependencies. If it has a shell, it runs LMD.
DEPLOYED ACROSS NIST · NATO CCDCOE · AWS · STANFORD · HETZNER · OVH · 100,000+ SERVERS
```
$ clamscan /home/user/public_html/
/home/user/public_html/index.php: OK
/home/user/public_html/wp-config.php: OK
/home/user/public_html/uploads/thumb_cache.php: OK
----------- SCAN SUMMARY -----------
Infected files: 0
```
```
$ maldet -a /home/user/public_html/
Linux Malware Detect v1.6.6.1
maldet(21135): {scan} 247 files scanned: 1 hits 0 cleaned
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.365 : /home/user/public_html/uploads/thumb_cache.php
```
Traditional AV wasn't built for user-space threats
Enterprise antivirus products target OS-level threats — trojans, ransomware, rootkits. They consistently miss the malware that actually targets Linux servers: PHP web shells disguised as image caches, base64-encoded backdoors injected into legitimate files, obfuscated uploaders hidden in plugin directories, and account-level exploits that never touch the kernel.
These threats live entirely in user space. They're deployed through compromised CMS plugins, stolen FTP credentials, and application vulnerabilities — not through OS exploits. Detecting them requires signatures built from the same environment they target.
PHP web shells: c99, r57, WSO
Injected backdoors: base64_decode()
Obfuscated uploaders: eval(gzinflate())
Mailer scripts: phpmailer exploits
Threat Intelligence
Signatures from the front line
Most antivirus signature databases are built from research submissions and honeypots. LMD's signatures come from a different source entirely: malware actively intercepted at the network edge.
Network edge IPS systems detect malicious payloads in real time — exploit attempts, uploaded shells, injected code targeting live servers.
Captured malware is analyzed to produce detection artifacts — file hashes, hex byte patterns, YARA rules, and statistical profiles.
Signatures enter the LMD database across four detection types. Community submissions and ClamAV cross-referencing expand coverage daily.
maldet -u pulls the latest signatures. Auto-export to ClamAV format means both engines stay current with a single update.
15,432 total signatures
11,525 MD5 hashes
2,231 HEX patterns
1,598 YARA rules
Every signature traces back to a real intrusion observed at the network edge — not a theoretical sample from a research database.
Detection Architecture
Four layers, because real malware evades any single one
Every file passes through four independent detection stages. Exact-match hashing catches known threats instantly. Pattern matching catches variants. YARA rules handle complex multi-condition logic. Statistical analysis catches what obfuscation tries to hide. A hit at any layer triggers the configured response.
MD5 Hash: Instant identification of exact matches against known malware file hashes
HEX Patterns: Byte-level pattern rules that catch threat families and variants evading hash matching
YARA Rules: Multi-condition pattern matching for complex, polymorphic threats that require contextual analysis
Statistical Analysis: Entropy and encoding analysis to detect obfuscated payloads — base64, gzinflate, and eval constructs
Architecture
Shell-native by design, not by accident
LMD is pure Bash. Not a compiled binary with a shell wrapper. Not a Python script with pip dependencies. The entire scanner — detection engine, signature management, quarantine, reporting — is a readable shell script.
This is a deliberate choice with real consequences for security, deployment, and trust.
```
$ file /usr/local/maldetect/maldet
/usr/local/maldetect/maldet: Bourne-Again shell script, ASCII text executable
$ wc -l /usr/local/maldetect/maldet
4,892 /usr/local/maldetect/maldet
```
Fully auditable: Every line of the scanner is readable text. No compiled blobs, no minified code. You can review exactly what runs on your server.
Zero dependency attack surface: No JVM vulnerabilities. No Python supply-chain risks. No package manager to compromise. The only requirement is /bin/bash.
Universal deployment: Minimal Alpine containers, Debian servers, CentOS bare-metal, embedded systems. If it has a shell interpreter, it runs LMD.
Trivial integration: Ansible, Puppet, Salt, or plain scp — deploying LMD is copying a script. No package repositories to configure, no runtime to install.
Negligible footprint: Zero resource usage when idle. Proportional CPU during scans. No background daemons, no persistent memory allocation, no open ports.
In Practice
Scan, detect, respond — from the command line
LMD provides multiple scanning modes for different operational needs, plus a complete response workflow from quarantine through cleanup.
On-Demand Scan (maldet -a /path)
Full recursive scan of any path. Scan all user home directories, a single site, or specific directories. Background mode available for unattended operation on large file sets.
```
$ maldet -a /home/user/public_html
```
Real-Time Monitoring (maldet --monitor /path)
Kernel inotify-based monitoring watches for file creates, modifies, and moves in real time. Dynamic sysctl limit tuning ensures the kernel can handle the watch count without manual configuration.
```
$ maldet --monitor /home
```
Recent Changes Scan (maldet -r /path 7)
Scan only files modified in the last N days. The daily cron job uses this mode to scan recent changes in user home directories — efficient and focused.
```
$ maldet -r /home 7    # files changed in last 7 days
```
HTTP Upload Scanning (mod_security2 hook)
Integrate with Apache mod_security2 inspectFile to scan every file upload at the web server layer. Malicious uploads are rejected before they reach the filesystem — the earliest possible interception point.
```
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" \
    "id:99999,phase:2,deny,log,msg:'Malware upload blocked'"
```
When threats are found
Quarantine: Infected files moved to a secure queue with permissions stripped
Clean: Surgical removal of injected strings — base64, gzinflate, eval
Report: Full scan reports with hit lists, email alerts, audit trails
Checkout: Submit suspected malware to rfxn.com for community review
Comparison
How LMD stacks up
LMD occupies a unique position — purpose-built for user-space threats where traditional AV and rootkit hunters fall short.
| Feature | LMD v1.6.6.1 | ClamAV | rkhunter | Sophos |
|---|---|---|---|---|
| Web malware detection (PHP shells, injectors) | | | | |
| User-space threat-specific signatures | | | | |
| Real-time inotify monitoring | | | | |
| Shell-native (zero runtime dependencies) | | | | |
| Statistical analysis (base64/obfuscation) | | | | |
| mod_security upload scanning | | | | |
| Automated quarantine & clean | | | | |
| Free & open source (GPL v2) | | | | |
LMD + ClamAV together provide the most comprehensive open source scanning solution. LMD automatically exports its signatures to ClamAV format when both are installed.
Get Started
Install in 30 seconds
No package managers, no repositories to configure, no dependencies to install. Clone, run the installer, and you're scanning.
```
$ git clone https://github.com/rfxn/linux-malware-detect.git
$ cd linux-malware-detect
$ sudo ./install.sh
```
After Installation
LMD installs to /usr/local/maldetect and registers a daily cron job automatically.
```
# Update signatures
$ maldet -u
# Run your first scan
$ maldet -a /home
# Enable real-time monitoring
$ maldet --monitor /home
# View scan reports
$ maldet --report list
```
Ready to protect your servers?
```
git clone https://github.com/rfxn/linux-malware-detect.git && cd linux-malware-detect && ./install.sh
```