linux-malware-detect
How exactly maldet suspends accounts and how to unsuspend them?
Because of the false positives with webalizer log files reported in https://github.com/rfxn/linux-malware-detect/issues/318, an account was reported as suspended as follows:
HOST: ns1.custom.com
SCAN ID: 181223-0838.23527
STARTED: Sat Dec 22 10:58:42 2018
TOTAL FILES: 3
TOTAL HITS: 3
TOTAL CLEANED: 0
SUSPENDED ACCOUNTS:
custom
FILE HIT LIST:
{YARA}r57shell_php_php : /home/custom/domains/tape.custom.com/public_html/stats/webalizer.current => /usr/local/maldetect/quarantine/webalizer.current.1101527510
{YARA}r57shell_php_php : /home/custom/domains/tape.custom.com/public_html/stats/webalizer.current => /usr/local/maldetect/quarantine/webalizer.current.1690619778
{YARA}r57shell_php_php : /home/custom/domains/tape.custom.com/public_html/stats/webalizer.current => /usr/local/maldetect/quarantine/webalizer.current.2088230569
===============================================
Linux Malware Detect v1.6.3 < [email protected] >
However, the Virtualmin control panel, which is installed on the server, does not show the custom account as suspended. So I wonder how exactly Maldet suspends accounts and how we could un-suspend them in the Maldet context?
It seems that it changes :/bin/bash to :/bin/false in /etc/password
This seems correct, I am able to "resume" suspended accounts with:
usermod -s /bin/bash {username}
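As an added example (not code from this thread or from the maldet project), the following script reads the "SUSPENDED ACCOUNTS:" section of a report in the format shown above, checks each listed account's login shell in a passwd-format file, and prints the restoring usermod command from the answer above without running it. It assumes the original shell was /bin/bash, as in the thread; the report excerpt and passwd entries are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the issue or from the maldet project. It reads the
# "SUSPENDED ACCOUNTS:" section of a maldet report, checks each named account's
# login shell in a passwd-format file (the thread reports maldet sets it to
# /bin/false), and prints the restoring usermod command without running it.

# Constructed report excerpt in the format shown in the thread.
SAMPLE_REPORT='TOTAL CLEANED: 0
SUSPENDED ACCOUNTS:
custom
FILE HIT LIST:
{YARA}r57shell_php_php : /home/custom/public_html/stats/webalizer.current => /usr/local/maldetect/quarantine/webalizer.current.1101527510'

# Constructed passwd content standing in for /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
custom:x:1001:1001::/home/custom:/bin/false
alice:x:1002:1002::/home/alice:/bin/bash'

# Print the usernames listed between "SUSPENDED ACCOUNTS:" and "FILE HIT LIST:".
# Usage: report_suspended <report-file>
report_suspended() {
    awk '/^FILE HIT LIST:/ { on = 0 } on && NF { print $1 } /^SUSPENDED ACCOUNTS:/ { on = 1 }' "$1"
}

# Print the login shell (7th field) of one user from a passwd-format file.
# Usage: login_shell <user> <passwd-file>
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# For each account the report lists, confirm the shell is /bin/false and print the
# restore command from the thread. The original shell is assumed to have been
# /bin/bash, as in the thread. Accounts whose shell is not /bin/false are reported
# as already restored (or never changed) instead.
# Usage: restore_plan <report-file> <passwd-file>
restore_plan() {
    report_suspended "$1" | while read -r user; do
        if [ "$(login_shell "$user" "$2")" = "/bin/false" ]; then
            printf 'usermod -s /bin/bash %s\n' "$user"
        else
            printf '# %s: shell is not /bin/false, nothing to restore\n' "$user"
        fi
    done
}

# Run against the constructed samples.
r=$(mktemp); p=$(mktemp)
printf '%s\n' "$SAMPLE_REPORT" > "$r"
printf '%s\n' "$SAMPLE_PASSWD" > "$p"
restore_plan "$r" "$p"
rm -f "$r" "$p"
```

Review the quarantined hits for the account before running the printed command, since restoring the shell re-enables logins for that user.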