maldet doesn't work after restart server

Usif Nasirov

Active Member
Jun 11, 2016
29
4
53
Baku
cPanel Access Level
Reseller Owner
Maybe somebody has run into this issue.
I have maldet on my server, but after rebooting the server there are no new scan IDs.

I rebooted the server on 12 Feb, but since then it doesn't check and give me a new SCANID.


Feb 12 2020 03:42:29 | SCANID: 200212-0342.9883 | RUNTIME: 52s | FILES: 1478 | HITS: 0 | CLEANED: 0
Feb 11 2020 03:14:51 | SCANID: 200211-0314.15429 | RUNTIME: 97s | FILES: 1963 | HITS: 0 | CLEANED: 0
Feb 10 2020 03:32:22 | SCANID: 200210-0332.5311 | RUNTIME: 283s | FILES: 12253 | HITS: 0 | CLEANED: 0
Feb 9 2020 03:25:50 | SCANID: 200209-0325.8536 | RUNTIME: 98s | FILES: 1751 | HITS: 0 | CLEANED: 0
Feb 8 2020 03:31:34 | SCANID: 200208-0331.13655 | RUNTIME: 105s | FILES: 2882 | HITS: 0 | CLEANED: 0
Feb 7 2020 03:22:57 | SCANID: 200207-0322.21509 | RUNTIME: 113s | FILES: 3432 | HITS: 0 | CLEANED: 0
Feb 6 2020 03:09:22 | SCANID: 200206-0309.8487 | RUNTIME: 52s | FILES: 1525 | HITS: 0 | CLEANED: 0
Feb 5 2020 03:30:03 | SCANID: 200205-0330.7820 | RUNTIME: 72s | FILES: 1519 | HITS: 0 | CLEANED: 0
Feb 4 2020 03:21:52 | SCANID: 200204-0321.8633 | RUNTIME: 50s | FILES: 1493 | HITS: 0 | CLEANED: 0
Feb 3 2020 03:13:09 | SCANID: 200203-0313.22574 | RUNTIME: 50s | FILES: 2131 | HITS: 0 | CLEANED: 0
Feb 2 2020 03:33:22 | SCANID: 200202-0333.7713 | RUNTIME: 91s | FILES: 2934 | HITS: 0 | CLEANED: 0
Feb 1 2020 03:43:30 | SCANID: 200201-0343.26284 | RUNTIME: 71s | FILES: 1545 | HITS: 0 | CLEANED: 0
Jan 31 2020 03:19:14 | SCANID: 200131-0319.28498 | RUNTIME: 108s | FILES: 3569 | HITS: 0 | CLEANED: 0


What could it be? I don't have any idea what is wrong.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,301
363
Houston
How were you running it previously?

There are a few different ways

You can run it through a cron - if this was how it was done previously you'd need to check the crontab to ensure it's still there and ensure that it's not giving you an error
You can also run it in "monitor" mode as is explained in the help for maldet when you run maldet --help:

Code:
    -m, --monitor USERS|PATHS|FILE|RELOAD
       Run maldet with inotify kernel level file create/modify monitoring
       If USERS is specified, monitor user homedirs for UID's > 500
       If FILE is specified, paths will be extracted from file, line spaced
       If PATHS are specified, must be comma spaced list, NO WILDCARDS!
       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

You might also check to see what's in maldet --log
 

Usif Nasirov

No, I don't have any problem with a manual run. maldet just scans every day, and I get mail about the scanning. If I ran maldet --report list, I saw what was scanned today. Just after restarting the server, maldet stopped checking. So when I run this command, maldet --report list, I see only old information.
 

cPanelLauren

You might check for the cron being present. Per their README:

Code:
.: 10 [ CRON DAILY ]

The cronjob installed by LMD is located at /etc/cron.daily/maldet and is used
to perform a daily update of signatures, keep the session, temp and quarantine
data to no more than 14d old and run a daily scan of recent file system changes.

The daily scan supports a variety of control panel systems or standard Linux
/home*/user paths.

If you are running monitor mode, the daily scans will be skipped and instead a
daily report will be issued for all monitoring events.

If you need to scan additional paths, you should review the cronjob and use one
of the customization hook files, such as '/usr/local/maldetect/cron/custom.cron',
to write in custom scanning execution. For configuration based cron changes, you
can redefine any conf.maldet variables at '/etc/sysconfig/maldet' or
'/usr/local/maldetect/cron/conf.maldet.cron'.

You may want to check with them specifically for further information; this isn't something that cPanel provides or maintains. Their site can be found here: Linux Malware Detect – R-fx Networks
 

Usif Nasirov

Maybe I can't explain ))
I do nothing, but if I reboot the server, maldet stops scanning automatically; cron and everything is OK.
If I reinstall maldet again, it works well until the server is rebooted. If I can't explain, I will not try again )
Have a nice day!
 

cPanelLauren

Hello,


I understand what's happening, and that does definitely sound like an issue, but what I am trying to explain is that this is not something cPanel manages. I am not sure why this is occurring, but you would need to check the configuration for maldet and ensure that it is always running in monitor mode. Most likely it might be that when the server reboots, maldet is not restarted in that mode.
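
The symptom in this thread (scans silently stopping after a reboot) can be caught automatically by checking the age of the newest entry in `maldet --report list`. The following is an added example, not part of the thread and not LMD's own code; the 36-hour threshold, the function names and the script name are assumptions, and the entry format is taken from the output quoted in the first post.

```python
import re
import sys
from datetime import datetime, timedelta

# Entry format as shown in the `maldet --report list` output quoted in the thread.
ENTRY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s*\|"
    r"\s*SCANID:\s*(?P<scanid>\S+)\s*\|\s*RUNTIME:\s*\d+s\s*\|"
    r"\s*FILES:\s*(?P<files>\d+)\s*\|\s*HITS:\s*(?P<hits>\d+)\s*\|"
)

# Three entries copied from the first post, used as sample input.
SAMPLE = """\
Feb 12 2020 03:42:29 | SCANID: 200212-0342.9883 | RUNTIME: 52s | FILES: 1478 | HITS: 0 | CLEANED: 0
Feb 11 2020 03:14:51 | SCANID: 200211-0314.15429 | RUNTIME: 97s | FILES: 1963 | HITS: 0 | CLEANED: 0
Feb 10 2020 03:32:22 | SCANID: 200210-0332.5311 | RUNTIME: 283s | FILES: 12253 | HITS: 0 | CLEANED: 0
"""

def parse_report_list(text):
    """Return scan entries newest first; lines that are not entries are skipped."""
    scans = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S")
            scans.append({"time": ts, "scanid": m["scanid"],
                          "files": int(m["files"]), "hits": int(m["hits"])})
    return sorted(scans, key=lambda s: s["time"], reverse=True)

def check_scans(text, now, max_age=timedelta(hours=36)):
    """Return (status, detail); status is OK, STALE or NO_DATA."""
    scans = parse_report_list(text)
    if not scans:
        return "NO_DATA", "no scan entries found"
    newest = scans[0]
    age = now - newest["time"]
    if age > max_age:  # assumed threshold: a daily job silent this long has stopped
        return "STALE", f"last scan {newest['scanid']} is {age.days}d old"
    return "OK", f"last scan {newest['scanid']}"

if __name__ == "__main__":
    # Usage: maldet --report list | python3 check_maldet_scans.py
    status, detail = check_scans(sys.stdin.read(), datetime.now())
    print(f"{status}: {detail}")
    sys.exit(0 if status == "OK" else 1)
```

The non-zero exit status on STALE or NO_DATA lets a cron job or monitoring agent alert on it. Per the README quoted above, daily scans are skipped when monitor mode is running, so a STALE result on such a server means confirming that the monitor process itself came back after the reboot.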