[ SEA-GHOST MINI SHELL]

cat > /usr/local/maldetect/conf.maldet <<EOF
#
##
# Linux Malware Detect v1.6.5
#             (C) 2002-2023, R-fx Networks <proj@r-fx.org>
#             (C) 2023, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
##
# [ General Options ]
##

# Enable or disable e-mail alerts, this includes application version
# alerts as well as automated/manual scan reports. On-demand reports
# can still be sent using '--report SCANID user@domain.com'.
# [0 = disabled, 1 = enabled]
email_alert="$email_alert"

# The destination e-mail addresses for automated/manual scan reports
# and application version alerts.
# [ multiple addresses comma (,) spaced ]
email_addr="$email_addr"

# Ignore e-mail alerts for scan reports in which all malware hits
# have been automatically and successfully cleaned.
# [0 = disabled, 1 = enabled]
email_ignore_clean="1"

# Enable user alerts for specific web hosting control panels. If hits are detected,
# attempt to determine the web hosting control in use, if any. If a control
# panel is detected, determine the user contact information from the panel's
# toolset and send an email summary of the detected hits to that user.
# The list of hits will be limited to files owned by the panel user/account in question.
# Disabling alerts globally with email_alert will also disable this function.
email_panel_user_alerts="$email_panel_user_alerts"

# The from header that will be set on alerts to control panel users. This should
# be set by any web hosts that will be supporting the control panel users/accounts 
# on this server.
email_panel_from="$email_panel_from"

# The reply-to header that will be set on alerts to control panel users. This should
# be set by any web hosts that will be supporting the control panel users/accounts 
# on this server.
email_panel_replyto="$email_panel_replyto"

# The subject that will be used on alerts to control panel account contacts
email_panel_alert_subj="$email_panel_alert_subj"

# Enable or disable slack alerts, this will upload the scan report as a file
# into one or more slack channels
# [0 = disabled, 1 = enabled]
slack_alert="$slack_alert"

# The file name of the file that will be uploaded to slack channel(s)
slack_subj="$slack_subj"

# Slack authentication token.
# Requires scope: files:write:user
# more information https://api.slack.com/methods/files.upload
slack_token="$slack_token"

# Comma-separated list of channel names or IDs
# where the scan report will be shared.
slack_channels="$slack_channels"

# This controls the daily automatic updates of LMD signature files
# and cleaner rules. The signature update process preserves any
# custom signature or cleaner files. It is highly recommended that this
# be enabled as new signatures a released multiple times per-week.
# [0 = disabled, 1 = enabled]
autoupdate_signatures="1"

# This controls the daily automatic updates of the LMD installation.
# The installation update process preserves all configuration options
# along with custom signature and cleaner files. It is recommended that
# this be enabled to ensure the latest version, features and bug fixes
# are always available.
# [0 = disabled, 1 = enabled]
autoupdate_version="1"

# This controls validating the LMD executable MD5 hash with known
# good upstream hash value. This allows LMD to replace the the
# executable / force a reinstallation in the event the LMD executable
# is tampered with or corrupted. If you intend to make customizations
# to the LMD executable, you should disable this feature.
# [0 = disabled, 1 = enabled]
autoupdate_version_hashed="1"

# The retention period, in days, which quarantine, temporary files and stale
# session information should be retained. Data older than this value is deleted
# with the daily cron execution.
cron_prune_days="$cron_prune_days"

# This controls whether or not daily automatic scanning of standard web
# directories is performed via cron.
# [0 = disabled, 1 = enabled]
cron_daily_scan="1"

# When defined, the import_config_url option allows a configuration file to be
# downloaded from a remote URL. The local conf.maldet and internals.conf are
# parsed followed by the imported configuration file. As such, only variables
# defined in the imported configuration file are overridden and a full set of
# configuration options is not explicitly required in the imported file.
import_config_url="$import_config_url"

# The expiry interval for refreshing the local cached version of the imported
# configuration file. The default is every 12h (43200 sec) which should be ok
# for most setups.
import_config_expire="$import_config_expire"

# When defined, the import_custsigs_*_url options allow for the custom signature
# files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
# SIGNATURE FILES! It is recommended for large-scale deployments to define these
# variables within a import_config_url file.
import_custsigs_md5_url="$import_custsigs_md5_url"
import_custsigs_hex_url="$import_custsigs_hex_url"

##
# [ SCAN OPTIONS ]
##

# The maximum directory depth that the scanner will search, a value
# of 15 is recommended.
# [ changing this may have an impact on scan performance ]
scan_max_depth="$scan_max_depth"

# The minimum file size in bytes for a file to be included in LMD scans.
# [ changing this may have an impact on scan performance ]
scan_min_filesize="$scan_min_filesize"

# The maximum file size for a file to be included in LMD scans. Accepted
# value formats are b, k, M. When using the clamscan engine, the max_filesize
# will be dynamically set based on the largest known filesize from the MD5
# hash signature file.
# [ changing this may have an impact on scan performance ]
scan_max_filesize="2048k"

# The maximum byte depth that the scanner will search into a files content.
# The default signature rules expect a depth size of at least 65536 bytes.
# [ changing this may have an impact on scan performance ]
scan_hexdepth="65536"

# Use named pipe (FIFO) for passing file contents hex data instead of stdin
# default; improved performance and greater scanning depth. This is highly
# recommended and works on most systems. The hexfifo will be disabled
# automatically if for any reason it can not be successfully utilized.
# [ 0 = disabled, 1 = enabled ]
scan_hexfifo="$scan_hexfifo"

# The maximum byte depth that the scanner will search into a files content
#s when using named pipe (FIFO). Improved performance allows for greater
# scan depth over default scan_hexdepth value.
# [ changing this may have an impact on scan performance ]
scan_hexfifo_depth="524288"

# If installed, use ClamAV clamscan binary as default scan engine which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan="$scan_clamscan"

# Include the scanning of known temporary world-writable paths for
# -a|--al and -r|--recent scan types.
scan_tmpdir_paths="/tmp /var/tmp /dev/shm"

# Allows non-root users to perform scans. This must be enabled when
# using mod_security2 upload scanning or if you want to allow users
# to perform scans. When enabled, this will populate 'pub/' with user
# owned quarantine, session and temporary paths to facilitate scans.
# [ 0 = disabled, 1 = enabled, disabled by default ]
scan_user_access="$scan_user_access"

# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio , 19 = low prio, default = 19 ]
scan_cpunice="$scan_cpunice"

# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
scan_ionice="$scan_ionice"

# Set hard limit on CPU usage for find and clam(d)scan processes. This
# requires the 'cpulimit' binary to be available on the server. The values
# are expressed as relative percentage * N cores on system. An 8 CPU core
# server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
scan_cpulimit="$scan_cpulimit"

# As a design and common use case, LMD typically only scans user space paths
# and as such it makes sense to ignore files that are root owned. It is
# recommended to leave this enabled for best performance.
# [ 0 = disabled, 1 = enabled ]
scan_ignore_root="$scan_ignore_root"

# This allows for specific user or groups to be ignored entirely from scan
# file lists. This option should be used with care and is not ideal for
# ignoring false positives. Instead, you should use one of the ignore files,
# such as ignore_paths, to exclude a specific file name or path from scans.
# [ comma or white spaced list of user and group names ]
scan_ignore_user="$scan_ignore_user"
scan_ignore_group="$scan_ignore_group"

# The maximum amount of time, in seconds, that the 'find' file list generation
# will run before it is terminated. All 'find' results up to the point of
# termination will be fully scanned. If performing a full scan of all user paths
# on a large server, it is reasonable to expect the find operation may take a
# long time to complete and as such this feature may interfere. In such cases,
# this feature can be disabled/modified on a per-scan basis using the
# '-co|--config-option' CLI option, such as:
# "maldet -co scan_find_timeout=0 -a /home/?/public_html".
# [ 0 = disabled, 14400 = 4hr recommended timeout ]
scan_find_timeout="$scan_find_timeout"

# The daily cron 'find' operation performed by LMD detects recently created/modifed
# user files. This 'find' operation can be especially resource intensive and it may
# be desirable to persist the file list results so that other applications/tasks
# may make use of the results. When scan_export_filelist is set enabled, the most
# recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
# [ 0 = disabled, 1 = enabled ]
scan_export_filelist="$scan_export_filelist"

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits="$quarantine_hits"

# Try to clean string based malware injections
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = clean]
quarantine_clean="$quarantine_clean"

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = suspend account]
quarantine_suspend_user="$quarantine_suspend_user"

# The minimum userid value that can be suspended
# [ default = 500 ]
quarantine_suspend_user_minuid="$quarantine_suspend_user_minuid"

# When using an external scan engine, such as ClamAV, should files be
# quarantined if an error from the scanner engine is received?
# This is defaulted to 1, always quarantine, as ClamAV generates an
# error exit code for trivial errors such as file not found. As such, a
# large percentage of scans will have ClamAV exiting with error code 2.
# [ 0 = do not quarantine, 1 = always quarantine ]
quarantine_on_error="$quarantine_on_error"

##
# [ MONITORING OPTIONS ]
##
# The default startup option for monitor mode, either 'users' or path to line
# spaced file containing local paths to monitor.
#
# This option is optional for the init based startup script, maldet.sh. This
# value is ignored when '/etc/sysconfig/maldet' or '/etc/default/maldet' is
# present with a defined value for $MONITOR_MODE.
#
# This option is REQUIRED for the systemd maldet.service script. That script
# only checks for the value of $default_monitor_mode. The service will fail to
# start if a value is not provided.
# default_monitor_mode="users"
# default_monitor_mode="/usr/local/maldetect/monitor_paths"
default_monitor_mode="$default_monitor_mode"

# The base number of files that can be watched under a path
# [ maximum file watches = inotify_base_watches*users ]
inotify_base_watches="16384"

# The sleep time in seconds between monitor runs to scan files
# that have been created/modified/moved
inotify_sleep="30"

# The interval in seconds that inotify will reload configuration
# data, including remote configuration imports.
inotify_reloadtime="3600"

# The minimum userid that will be added to path monitoring when
# the USERS option is specified
inotify_minuid="$inotify_minuid"

# This is the html/web root for users relative to homedir, when
# this option is set, users will only have the webdir monitored
# [ comma spaced list, clear option to default monitor user homedir ]
inotify_docroot="public_html,public_ftp"

# Process CPU scheduling (nice) priority level for monitoring process.
# [ -19 = high prio , 19 = low prio, default = 15 ]
inotify_cpunice="$inotify_cpunice"

# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
inotify_ionice="$inotify_ionice"

# Set hard limit on CPU usage for inotify monitoring processes. This requires
# the 'cpulimit' binary to be available on the server. The values are expressed
# as relative percentage * N cores on system. An 8 CPU core system would accept
# values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
inotify_cpulimit="$inotify_cpulimit"

# Log every file scanned by inotify monitoring mode; this is not recommended
# and will drown out your 'event_log' file, intended only for debugging purposes.
inotify_verbose="0"

# Remote clamd support
# If you're running a dedicated clamd server, you can instruct clamdscan to use
# it instead of the local daemon (which doesn't even need to run). To use
# this you need to create a 'clamd.remote.conf' with:
#
# TCPSocket 3310
# TCPAddr clamd.example.com
#
#
# Enable connecting to a remote clamd service to conduct all file scanning
# offload from local system. This requires that clamdscan binary be available
# to the local system.
#
# Files being scanned are effectively piped to remote daemon, this can be very
# bandwidth intensive.
# [ 0 = disabled, 1 = enabled ]
scan_clamd_remote="$scan_clamd_remote"

# To instruct maldetect to use that config, enter the path to that file:
remote_clamd_config="$remote_clamd_config"

# If remote clamd doesn't respond properly, how many times should we retry
# the same file
remote_clamd_max_retry="$remote_clamd_max_retry"

# How many seconds to sleep between retrys
remote_clamd_retry_sleep="$remote_clamd_retry_sleep"

##
# [ STATISTICAL ANALYSIS ]
# This is a beta feature and as such should be used with caution.
# Currently, this feature can have a substantially negative impact
# on scan performance, especially with large file sets.
##
# The string length test is used to identify threats based on the
# length of the longest uninterrupted string within a file. This is
# useful as obfuscated code is often stored using encoding methods
# that produce very long strings without spaces (e.g: base64)
# [ string length in characters, default = 150000 ]
string_length_scan="0"		# [ 0 = disabled, 1 = enabled ]
string_length="150000"		# [ max string length ]
EOF