wget http://www.rfxn.com/downloads/maldetect-current.tar.gz</code></pre>

<h3>Install Linux Malware Detect</h3>

<p>Once the download is complete, extract the source code:</p>

<pre><code>tar xzf maldetect-current.tar.gz</code></pre>

<p>Next, change into the source directory and run the <code>install.sh</code> script to install Linux Malware Detect on Ubuntu:</p>

<pre><code>cd maldetect-1.6.4/</code></pre>

<pre><code>sudo ./install.sh</code></pre>

<p>Sample installation output:</p>
<pre><code>Created symlink /etc/systemd/system/multi-user.target.wants/maldet.service → /lib/systemd/system/maldet.service.
update-rc.d: error: unable to read /etc/init.d/maldet
Linux Malware Detect v1.6.4
 (C) 2002-2019, R-fx Networks
 (C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(12260): {sigup} performing signature update check...
maldet(12260): {sigup} local signature set is version 201907043616
maldet(12260): {sigup} new signature set 20220322840957 available
maldet(12260): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(12260): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(12260): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(12260): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(12260): {sigup} verified md5sum of maldet-clean.tgz
maldet(12260): {sigup} unpacked and installed maldet-clean.tgz
maldet(12260): {sigup} signature set update completed
maldet(12260): {sigup} 17272 signatures (14450 MD5 | 2039 HEX | 783 YARA | 0 USER)
</code></pre>

<p>The first line shows that the systemd unit <code>maldet.service</code> was created, so the <code>update-rc.d</code> error about the missing SysV init script can be ignored on systemd-based Ubuntu. The installer also fetches the current signature set as part of the installation.</p>

<p>LMD is installed as the <code>maldet</code> binary:</p>

<pre><code>which maldet</code></pre>

<pre><code>/usr/local/sbin/maldet</code></pre>

<p>It is also available as <code>lmd</code>:</p>

<pre><code>which lmd</code></pre>

<pre><code>/usr/local/sbin/lmd</code></pre>

<p>So you can use either the <code>lmd</code> or the <code>maldet</code> command for scanning.</p>

<h3>Basic LMD Command Line Syntax</h3>
<p>The basic maldet command line syntax is:</p>

<pre><code>maldet [OPTION]</code></pre>

<p>For example, to print the help for the available command line options, run:</p>

<pre><code>sudo maldet -h</code></pre>

<p>Sample command output:</p>
<pre><code>Linux Malware Detect v1.6.4
 (C) 2002-2019, R-fx Networks
 (C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 20220322840957
usage /usr/local/sbin/maldet [ OPTION ]
 -b, --background
 Execute operations in the background, ideal for large scans
 e.g: maldet -b -r /home/?/public_html 7

 -u, --update-sigs [--force]
 Update malware detection signatures from rfxn.com

 -d, --update-ver [--force]
 Update the installed version from rfxn.com

 -f, --file-list
 Scan files or paths defined in line spaced file
 e.g: maldet -f /root/scan_file_list

 -r, --scan-recent PATH DAYS
 Scan files created/modified in the last X days (default: 7d, wildcard: ?)
 e.g: maldet -r /home/?/public_html 2

 -a, --scan-all PATH
 Scan all files in path (default: /home, wildcard: ?)
 e.g: maldet -a /home/?/public_html

 -i, --include-regex REGEX
 Include paths/files from file list based on supplied posix-egrep regular
 expression.
 e.g: To include only paths named wp-content and files ending in .php:
 --include-regex ".*/wp-content/.*|.*.php$"

 -x, --exclude-regex REGEX
 Exclude paths/files from file list based on supplied posix-egrep regular
 expression.
 e.g: To exclude paths containing 'wp-content/w3tc/' and core files:
 --exclude-regex ".*wp-content/w3tc/.*|.*core.[0-9]+$"

 -m, --monitor USERS|PATHS|FILE|RELOAD
 Run maldet with inotify kernel level file create/modify monitoring
 If USERS is specified, monitor user homedirs for UID's > 500
 If FILE is specified, paths will be extracted from file, line spaced
 If PATHS are specified, must be comma spaced list, NO WILDCARDS!
 e.g: maldet --monitor users
 e.g: maldet --monitor /root/monitor_paths
 e.g: maldet --monitor /home/mike,/home/ashton

 -k, --kill-monitor
 Terminate inotify monitoring service

 -c, --checkout FILE
 Upload suspected malware to rfxn.com for review & hashing into signatures

 -l, --log
 View maldet log file events

 -e, --report SCANID email
 View scan report of most recent scan or of a specific SCANID and optionally
 e-mail the report to a supplied e-mail address
 e.g: maldet --report
 e.g: maldet --report list
 e.g: maldet --report 050910-1534.21135
 e.g: maldet --report SCANID user@domain.com

 -s, --restore FILE|SCANID
 Restore file from quarantine queue to orginal path or restore all items from
 a specific SCANID
 e.g: maldet --restore /usr/local/maldetect/quarantine/config.php.23754
 e.g: maldet --restore 050910-1534.21135

 -q, --quarantine SCANID
 Quarantine all malware from report SCANID
 e.g: maldet --quarantine 050910-1534.21135

 -n, --clean SCANID
 Try to clean & restore malware hits from report SCANID
 e.g: maldet --clean 050910-1534.21135

 -U, --user USER
 Set execution under specified user, ideal for restoring from user quarantine or
 to view user reports.
 e.g: maldet --user nobody --report
 e.g: maldet --user nobody --restore 050910-1534.21135

 -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE
 Set or redefine the value of conf.maldet config options
 e.g: maldet --config-option email_addr=you@domain.com,quarantine_hits=1

 -p, --purge
 Clear logs, quarantine queue, session and temporary data.

 --web-proxy IP:PORT
 Enable use of HTTP/HTTPS proxy for all remote URL calls.
</code></pre>

<h3>Check Linux Malware Detect Version Information</h3>
<p>To check the version of the currently installed LMD, run <code>maldet</code> with no options:</p>

<pre><code>sudo maldet</code></pre>

<p>Sample output; the version is shown on the first line:</p>

<pre><code><strong>Linux Malware Detect v1.6.4</strong>
 (C) 2002-2019, R-fx Networks <proj@rfxn.com>
 (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 20220322840957
usage maldet [-h|--help] [-a|--scan-all PATH] [-r|--scan-recent PATH DAYS]
 [-f|--file-list PATH] [-i|--include-regex] [-x|--exclude-regex]
 [-b|--background] [-m|--monitor] [-k|--kill-monitor] [-c|--checkout]
 [-q|--quarantine] [-s|--restore] [-n|--clean] [-l|--log] [-e|--report]
 [-u|--update-sigs] [-d|--update-ver]
</code></pre>

<h3>Updating LMD to Current Release Version</h3>
<p>You can update the LMD signature set at any time with <code>-u</code> (<code>--update-sigs</code>); to update the installed LMD release itself, use <code>-d</code> (<code>--update-ver</code>) instead. To refresh the signatures:</p>

<pre><code>sudo maldet -u</code></pre>

<p>Sample command output:</p>

<pre><code>Linux Malware Detect v1.6.4
 (C) 2002-2019, R-fx Networks
 (C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(15005): {sigup} performing signature update check...
maldet(15005): {sigup} local signature set is version 20220322840957
maldet(15005): {sigup} latest signature set already installed
</code></pre>

<h3>Configure LMD on Ubuntu</h3>
<p>LMD uses <code>/usr/local/maldetect/conf.maldet</code> as its default configuration file.</p>

<p>The default configuration is shown below:</p>
<pre><code>cat /usr/local/maldetect/conf.maldet</code></pre>

<pre><code>##
# Linux Malware Detect v1.6.4
# (C) 2002-2019, R-fx Networks
# (C) 2019, Ryan MacDonald
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
##
# [ General Options ]
##

# Enable or disable e-mail alerts, this includes application version
# alerts as well as automated/manual scan reports. On-demand reports
# can still be sent using '--report SCANID user@domain.com'.
# [0 = disabled, 1 = enabled]
email_alert="0"

# The destination e-mail addresses for automated/manual scan reports
# and application version alerts.
# [ multiple addresses comma (,) spaced ]
email_addr="you@domain.com"

# Ignore e-mail alerts for scan reports in which all malware hits
# have been automatically and successfully cleaned.
# [0 = disabled, 1 = enabled]
email_ignore_clean="1"

# Enable or disable slack alerts, this will upload the scan report as a file
# into one or more slack channels
# [0 = disabled, 1 = enabled]
slack_alert="0"

# The file name of the file that will be uploaded to slack channel(s)
slack_subj="maldet alert from $(hostname)"

# Slack authentication token.
# Requires scope: files:write:user
# more information https://api.slack.com/methods/files.upload
slack_token="AUTH_TOKEN"

# Comma-separated list of channel names or IDs
# where the scan report will be shared.
slack_channels="maldetreports"

# This controls the daily automatic updates of LMD signature files
# and cleaner rules. The signature update process preserves any
# custom signature or cleaner files. It is highly recommended that this
# be enabled as new signatures a released multiple times per-week.
# [0 = disabled, 1 = enabled]
autoupdate_signatures="1"

# This controls the daily automatic updates of the LMD installation.
# The installation update process preserves all configuration options
# along with custom signature and cleaner files. It is recommended that
# this be enabled to ensure the latest version, features and bug fixes
# are always available.
# [0 = disabled, 1 = enabled]
autoupdate_version="1"

# This controls validating the LMD executable MD5 hash with known
# good upstream hash value. This allows LMD to replace the the
# executable / force a reinstallation in the event the LMD executable
# is tampered with or corrupted. If you intend to make customizations
# to the LMD executable, you should disable this feature.
# [0 = disabled, 1 = enabled]
autoupdate_version_hashed="1"

# The retention period, in days, which quarantine, temporary files and stale
# session information should be retained. Data older than this value is deleted
# with the daily cron execution.
cron_prune_days="21"

# This controls whether or not daily automatic scanning of standard web
# directories is performed via cron.
# [0 = disabled, 1 = enabled]
cron_daily_scan="1"

# When defined, the import_config_url option allows a configuration file to be
# downloaded from a remote URL. The local conf.maldet and internals.conf are
# parsed followed by the imported configuration file. As such, only variables
# defined in the imported configuration file are overridden and a full set of
# configuration options is not explicitly required in the imported file.
import_config_url=""

# The expiry interval for refreshing the local cached version of the imported
# configuration file. The default is every 12h (43200 sec) which should be ok
# for most setups.
import_config_expire="43200"

# When defined, the import_custsigs_*_url options allow for the custom signature
# files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
# SIGNATURE FILES! It is recommended for large-scale deployments to define these
# variables within a import_config_url file.
import_custsigs_md5_url=""
import_custsigs_hex_url=""

##
# [ SCAN OPTIONS ]
##

# The maximum directory depth that the scanner will search, a value
# of 10-15 is recommended.
# [ changing this may have an impact on scan performance ]
scan_max_depth="15"

# The minimum file size in bytes for a file to be included in LMD scans.
# [ changing this may have an impact on scan performance ]
scan_min_filesize="24"

# The maximum file size for a file to be included in LMD scans. Accepted
# value formats are b, k, M. When using the clamscan engine, the max_filesize
# will be dynamically set based on the largest known filesize from the MD5
# hash signature file.
# [ changing this may have an impact on scan performance ]
scan_max_filesize="2048k"

# The maximum byte depth that the scanner will search into a files content.
# The default signature rules expect a depth size of at least 65536 bytes.
# [ changing this may have an impact on scan performance ]
scan_hexdepth="65536"

# Use named pipe (FIFO) for passing file contents hex data instead of stdin
# default; improved performance and greater scanning depth. This is highly
# recommended and works on most systems. The hexfifo will be disabled
# automatically if for any reason it can not be successfully utilized.
# [ 0 = disabled, 1 = enabled ]
scan_hexfifo="1"

# The maximum byte depth that the scanner will search into a files content
#s when using named pipe (FIFO). Improved performance allows for greater
# scan depth over default scan_hexdepth value.
# [ changing this may have an impact on scan performance ]
scan_hexfifo_depth="524288"

# If installed, use ClamAV clamscan binary as default scan engine which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan="1"

# Include the scanning of known temporary world-writable paths for
# -a|--al and -r|--recent scan types.
scan_tmpdir_paths="/tmp /var/tmp /dev/shm /var/fcgi_ipc"

# Allows non-root users to perform scans. This must be enabled when
# using mod_security2 upload scanning or if you want to allow users
# to perform scans. When enabled, this will populate 'pub/' with user
# owned quarantine, session and temporary paths to facilitate scans.
# [ 0 = disabled, 1 = enabled, disabled by default ]
scan_user_access="0"

# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio , 19 = low prio, default = 19 ]
scan_cpunice="19"

# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
scan_ionice="6"

# Set hard limit on CPU usage for find and clam(d)scan processes. This
# requires the 'cpulimit' binary to be available on the server. The values
# are expressed as relative percentage * N cores on system. An 8 CPU core
# server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
scan_cpulimit="0"

# As a design and common use case, LMD typically only scans user space paths
# and as such it makes sense to ignore files that are root owned. It is
# recommended to leave this enabled for best performance.
# [ 0 = disabled, 1 = enabled ]
scan_ignore_root="1"

# This allows for specific user or groups to be ignored entirely from scan
# file lists. This option should be used with care and is not ideal for
# ignoring false positives. Instead, you should use one of the ignore files,
# such as ignore_paths, to exclude a specific file name or path from scans.
# [ comma or white spaced list of user and group names ]
scan_ignore_user=""
scan_ignore_group=""

# The maximum amount of time, in seconds, that the 'find' file list generation
# will run before it is terminated. All 'find' results up to the point of
# termination will be fully scanned. If performing a full scan of all user paths
# on a large server, it is reasonable to expect the find operation may take a
# long time to complete and as such this feature may interfere. In such cases,
# this feature can be disabled/modified on a per-scan basis using the
# '-co|--config-option' CLI option, such as:
# "maldet -co scan_find_timeout=0 -a /home/?/public_html".
# [ 0 = disabled, 14400 = 4hr recommended timeout ]
scan_find_timeout="0"

# The '-r|--recent' 'find' operation performed by LMD detects recently created/modifed
# user files. This 'find' operation can be especially resource intensive and it may
# be desirable to persist the file list results so that other applications/tasks
# may make use of the results. When scan_export_filelist is set enabled, the most
# recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
# [ 0 = disabled, 1 = enabled ]
scan_export_filelist="0"

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits="0"

# Try to clean string based malware injections
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = clean]
quarantine_clean="0"

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quarantine_hits=1 required]
# [0 = disabled, 1 = suspend account]
quarantine_suspend_user="0"

# The minimum userid value that can be suspended
# [ default = 500 ]
quarantine_suspend_user_minuid="500"

# When using an external scan engine, such as ClamAV, should files be
# quarantined if an error from the scanner engine is received?
# This is defaulted to 1, always quarantine, as ClamAV generates an
# error exit code for trivial errors such as file not found. As such, a
# large percentage of scans will have ClamAV exiting with error code 2.
# [ 0 = do not quarantine, 1 = always quarantine ]
quarantine_on_error="1"

##
# [ MONITORING OPTIONS ]
##
# The default startup option for monitor mode, either 'users' or path to line
# spaced file containing local paths to monitor.
#
# This option is optional for the init based startup script, maldet.sh. This
# value is ignored when '/etc/sysconfig/maldet' or '/etc/default/maldet' is
# present with a defined value for $MONITOR_MODE.
#
# This option is REQUIRED for the systemd maldet.service script. That script
# only checks for the value of $default_monitor_mode. The service will fail to
# start if a value is not provided.
default_monitor_mode="users"
# default_monitor_mode="/usr/local/maldetect/monitor_paths"

# The base number of files that can be watched under a path,
# this ends up being a relative value per-user in user mode.
# [ maximum file watches = inotify_base_watches*users ]
inotify_base_watches="16384"

# The sleep time in seconds between monitor runs to scan files
# that have been created/modified/moved.
inotify_sleep="15"

# The interval in seconds that inotify will reload configuration
# data, including remote configuration imports and user signatures.
inotify_reloadtime="3600"

# The minimum userid that will be added to path monitoring when
# the USERS option is specified.
inotify_minuid="500"

# This is the html/web root for users relative to homedir, when
# this option is set, users will only have the webdir monitored
# [ comma spaced list, clear option to default monitor user homedir ]
inotify_docroot="public_html,public_ftp"

# Process CPU scheduling (nice) priority level for scan operations.
# [ -19 = high prio , 19 = low prio, default = 19 ]
inotify_cpunice="18"

# Process IO scheduling (ionice) priority levels for scan operations.
# (uses cbq best-effort scheduling class [-c2])
# [ 0 = most favorable IO, 7 = least favorable IO ]
inotify_ionice="6"

# Set hard limit on CPU usage for inotify monitoring processes. This requires
# the 'cpulimit' binary to be available on the server. The values are expressed
# as relative percentage * N cores on system. An 8 CPU core system would accept
# values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
inotify_cpulimit="0"

# Log every file scanned by inotify monitoring mode; this is not recommended
# and will drown out your 'event_log' file, intended only for debugging purposes.
inotify_verbose="0"

##
# [ STATISTICAL ANALYSIS ]
# This is an EXPERIMENTAL feature and should be used with caution.
# Currently, this feature can have a substantially negative impact
# on scan performance, especially with large file sets.
##
# The string length test is used to identify threats based on the
# length of the longest uninterrupted string within a file. This is
# useful as obfuscated code is often stored using encoding methods
# that produce very long strings without spaces (e.g: base64)
# [ string length in characters, default = 150000 ]
string_length_scan="0"		# [ 0 = disabled, 1 = enabled ]
string_length="150000"		# [ max string length ]
</code></pre>

<p>The file is heavily commented, so it is easy to read through the options and adjust them to suit your needs. Note that the defaults only alert on hits (<code>quarantine_hits="0"</code>) and send no e-mail (<code>email_alert="0"</code>); review those two in particular before relying on LMD in production.</p>
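<p>As an added example (not from the tutorial or the LMD project), the following POSIX shell script audits a <code>conf.maldet</code> against a few defender-preferred values and changes a key by anchoring on the key name rather than on its value; the file path, the recommended values and the sample fragment are assumptions of this example. The same setter covers the <code>default_monitor_mode</code> change made later when configuring the service.</p>

```shell
#!/bin/sh
# Added example (not part of the tutorial or the LMD project): audit a
# conf.maldet against a few defender-preferred values and change a key
# safely. The file path, the "recommended" values and the sample fragment
# are assumptions of this example; adjust them to your own policy.

# Keys whose tutorial defaults only log hits (quarantine_hits=0, email_alert=0),
# plus auto-update and clamscan settings worth confirming after each update.
RECOMMENDED="quarantine_hits=1
email_alert=1
autoupdate_signatures=1
autoupdate_version=1
scan_clamscan=1"

# conf_get FILE KEY: print the active value of KEY without quotes. maldet
# sources the file as shell, so the last uncommented assignment wins, and a
# trailing comment (as on string_length_scan) is stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# conf_audit FILE: print "KEY current=X recommended=Y" for every key that
# differs from RECOMMENDED; prints nothing when the file already complies.
conf_audit() {
    printf '%s\n' "$RECOMMENDED" | while IFS='=' read -r key want; do
        have=$(conf_get "$1" "$key")
        [ "$have" = "$want" ] || printf '%s current=%s recommended=%s\n' \
            "$key" "${have:-unset}" "$want"
    done
}

# conf_set FILE KEY VALUE: rewrite the active KEY line in place, or append the
# key when it is absent. Anchoring on ^KEY= touches only that assignment,
# unlike a match on the value alone ('/="users"/'), which would also hit any
# other line containing the same value. VALUE must not contain '|' or '&'.
conf_set() {
    if grep -q "^[[:space:]]*$2=" "$1"; then
        sed "s|^[[:space:]]*$2=.*|$2=\"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# Constructed sample: a fragment of the tutorial's default conf.maldet.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF.tmp"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# [0 = disabled, 1 = enabled]
email_alert="0"
autoupdate_signatures="1"
autoupdate_version="1"
scan_clamscan="1"
quarantine_hits="0"
default_monitor_mode="users"
# default_monitor_mode="/usr/local/maldetect/monitor_paths"
string_length_scan="0"    # [ 0 = disabled, 1 = enabled ]
EOF

echo "== before =="
conf_audit "$SAMPLE_CONF"          # quarantine_hits and email_alert differ
conf_set "$SAMPLE_CONF" quarantine_hits 1
conf_set "$SAMPLE_CONF" default_monitor_mode /usr/local/maldetect/monitor_paths
echo "== after =="
conf_audit "$SAMPLE_CONF"          # only email_alert still differs
echo "monitor mode: $(conf_get "$SAMPLE_CONF" default_monitor_mode)"
```

On a real host, point the functions at <code>/usr/local/maldetect/conf.maldet</code> (as root) instead of the sample file.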
<h3>Running LMD for Malware Detection</h3>

<p>Once LMD is configured to your liking, you can run it either on demand from the command line or as a monitoring service to detect malware on your system.</p>

<p>On the command line, use either the <code>lmd</code> or the <code>maldet</code> command.</p>

<p>For example, to scan a specific directory for malware, run:</p>
<pre><code>sudo maldet -a /PATH/TO/SCAN</code></pre>

<p>Replace <code>/PATH/TO/SCAN</code> with the directory you want to scan.</p>

<p>For example, to scan the entire <code>/home</code> directory (the default path):</p>

<pre><code>sudo maldet -a</code></pre>

<p>or</p>

<pre><code>sudo lmd -a</code></pre>

<p>NOTE: By default this also includes the temporary, world-writable paths listed in <code>scan_tmpdir_paths</code>:</p>

<pre><code>scan_tmpdir_paths="<strong>/tmp /var/tmp /dev/shm /var/fcgi_ipc</strong>"</code></pre>

<p>Sample scan output:</p>

<pre><code>Linux Malware Detect v1.6.4
 (C) 2002-2019, R-fx Networks
 (C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19833): {scan} signatures loaded: 17272 (14450 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(19833): {scan} building file list for , this might take awhile...
maldet(19833): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(19833): {scan} file list completed in 0s, found 162 files...
maldet(19833): {scan} scan of (162 files) in progress...
maldet(19833): {scan} 162/162 files scanned: 0 hits 0 cleaned

maldet(19833): {scan} scan completed on : files 162, malware hits 1, cleaned hits 0, time 12s
maldet(19833): {scan} scan report saved, to view run: maldet --report 220323-2127.19833
maldet(19833): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 220323-2127.19833
</code></pre>

<p>To scan a specific path, pass it to <code>-a</code>:</p>
<pre><code>sudo lmd -a /home/janedoe</code></pre>

<p>Sample scan output:</p>

<pre><code>Linux Malware Detect v1.6.4
 (C) 2002-2019, R-fx Networks
 (C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(33932): {scan} signatures loaded: 17272 (14450 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(33932): {scan} building file list for /home/janedoe/, this might take awhile...
maldet(33932): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(33932): {scan} file list completed in 0s, found 161 files...
maldet(33932): {scan} scan of /home/janedoe/ (161 files) in progress...
maldet(33932): {scan} 161/161 files scanned: 0 hits 0 cleaned

maldet(33932): {scan} scan completed on /home/janedoe/: files 161, malware hits 0, cleaned hits 0, time 11s
maldet(33932): {scan} scan report saved, to view run: maldet --report 220323-2143.33932
</code></pre>

<h3>Viewing and Reading LMD Scan Reports</h3>
<p>LMD names each report after the scan date, time and process ID (<code>YYMMDD-HHMM.PID</code>), for example <code>220323-2133.30630</code>.</p>

<p>You can list the generated reports by passing <code>-e list</code> (<code>--report list</code>) to either the <code>lmd</code> or the <code>maldet</code> command.</p>

<p>For example:</p>

<pre><code>sudo lmd -e list</code></pre>

<p>Sample output:</p>

<pre><code>Linux Malware Detect v1.6.4
 (C) 2002-2019, R-fx Networks
 (C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2

Mar 23 2022 21:43:45 | SCANID: 220323-2143.33932 | RUNTIME: 11s | FILES: 161 | HITS: 0 | CLEANED: 0
Mar 23 2022 21:33:01 | SCANID: 220323-2133.30630 | RUNTIME: 11s | FILES: 162 | HITS: 1 | CLEANED: 0
Mar 23 2022 21:32:01 | SCANID: 220323-2132.27967 | RUNTIME: 11s | FILES: 162 | HITS: 1 | CLEANED: 0
Mar 23 2022 21:30:15 | SCANID: 220323-2130.25302 | RUNTIME: 12s | FILES: 162 | HITS: 1 | CLEANED: 0
Mar 23 2022 21:28:55 | SCANID: 220323-2128.22489 | RUNTIME: 12s | FILES: 162 | HITS: 1 | CLEANED: 0
Mar 23 2022 21:27:08 | SCANID: 220323-2127.19833 | RUNTIME: 12s | FILES: 162 | HITS: 1 | CLEANED: 0
Mar 23 2022 21:24:18 | SCANID: 220323-2124.16311 | RUNTIME: 20s | FILES: 206 | HITS: 3 | CLEANED: 0
</code></pre>

<p>To read a report:</p>
<pre><code>sudo lmd -e SCANID</code></pre>

<p>For example:</p>

<pre><code>sudo lmd -e 220323-2143.33932</code></pre>

<p>LMD opens the report in your default text editor.</p>

<p>Sample report:</p>

<pre><code>HOST: ubuntu2204
SCAN ID: 220323-2143.33932
STARTED: Mar 23 2022 21:43:45 +0300
COMPLETED: Mar 23 2022 21:43:56 +0300
ELAPSED: 11s [find: 0s]

PATH: /home/janedoe/
TOTAL FILES: 161
TOTAL HITS: 0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >
</code></pre>

<h3>Detecting Threats with LMD</h3>
<p>You can test that LMD detects malicious content by downloading the EICAR anti-malware test file into a directory that will be scanned:</p>

<pre><code>wget -P /tmp https://secure.eicar.org/eicar_com.zip</code></pre>

<p>Next, run the scan (by default <code>/tmp</code>, <code>/var/tmp</code>, <code>/dev/shm</code> and <code>/var/fcgi_ipc</code> are included in the scan):</p>

<pre><code>sudo lmd -a</code></pre>

<p>Sample output:</p>

<pre><code>Linux Malware Detect v1.6.4
 (C) 2002-2019, R-fx Networks
 (C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(36978): {scan} signatures loaded: 17272 (14450 MD5 | 2039 HEX | 783 YARA | 0 USER)
maldet(36978): {scan} building file list for , this might take awhile...
maldet(36978): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(36978): {scan} file list completed in 0s, found 323 files...
maldet(36978): {scan} scan of (323 files) in progress...
maldet(36978): {scan} 323/323 files scanned: 0 hits 0 cleaned

maldet(36978): {scan} scan completed on : files 323, malware hits 1, cleaned hits 0, time 23s
maldet(36978): {scan} scan report saved, to view run: maldet --report 220323-2145.36978
maldet(36978): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 220323-2145.36978
</code></pre>

<p>Reading the report:</p>

<pre><code>sudo maldet --report 220323-2145.36978</code></pre>

<p>Sample output:</p>

<pre><code>HOST: ubuntu2204
SCAN ID: 220323-2145.36978
STARTED: Mar 23 2022 21:45:47 +0300
COMPLETED: Mar 23 2022 21:46:10 +0300
ELAPSED: 23s [find: 0s]

PATH:
TOTAL FILES: 323
TOTAL HITS: 1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 220323-2145.36978

FILE HIT LIST:
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >
</code></pre>

<p>The FILE HIT LIST names the signature that matched (<code>{HEX}EICAR.TEST.3</code>) and the file it matched. Note the WARNING line: with the default <code>quarantine_hits="0"</code>, LMD only reports the hit and leaves the file where it is. Set <code>quarantine_hits=1</code> in <code>conf.maldet</code>, or run <code>maldet -q 220323-2145.36978</code>, to move the detected files into the quarantine queue.</p>

<h3>Configure LMD to run as a Service</h3>
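<p>The report listing and the report format shown above, as an added example that is not part of the tutorial or of LMD: two small parsers for the <code>maldet -e list</code> index and for a single report, so a cron job or log forwarder can pick out scans with hits and the paths they flagged instead of a person opening each report in an editor. The sample text is copied from this tutorial's outputs; the location of saved report files is an assumption.</p>

```shell
#!/bin/sh
# Added example (not part of the tutorial or the LMD project): parse the
# 'maldet -e list' index and one scan report so that automation can act on
# hits. The sample lines below are copied from the outputs in this tutorial.
# On a live host: sudo maldet -e list | scans_with_hits
# Saved reports are assumed to live under /usr/local/maldetect/sess/ (an
# assumption of this example; the tutorial only shows that directory exists).

# scans_with_hits: read 'maldet -e list' lines on stdin and print
# "SCANID HITS" for every scan whose HITS column is greater than zero.
# Banner lines without '|' separators never set scanid and are skipped.
scans_with_hits() {
    awk -F'|' '{
        scanid = ""; hits = ""
        for (i = 1; i <= NF; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($i ~ /^SCANID: /) scanid = substr($i, 9)
            if ($i ~ /^HITS: /)   hits = substr($i, 7)
        }
        if (scanid != "" && hits + 0 > 0) print scanid, hits
    }'
}

# report_hit_paths: read one report on stdin and print the path of every
# entry in FILE HIT LIST, one per line, stopping at the '=====' footer.
# Entries look like "{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip".
report_hit_paths() {
    awk '
        /^FILE HIT LIST:/ { inlist = 1; next }
        /^=+$/            { inlist = 0 }
        inlist && / : /   { sub(/^[^:]* : /, ""); print }
    '
}

# report_quarantine_disabled: succeed when the report carries the warning
# that hits were left in place, so a wrapper can escalate (e.g. page someone
# or run 'maldet -q SCANID' after review).
report_quarantine_disabled() {
    grep -q '^WARNING: Automatic quarantine is currently disabled'
}

# Constructed samples, taken from the tutorial's own outputs.
SAMPLE_LIST='Linux Malware Detect v1.6.4
Mar 23 2022 21:43:45 | SCANID: 220323-2143.33932 | RUNTIME: 11s | FILES: 161 | HITS: 0 | CLEANED: 0
Mar 23 2022 21:33:01 | SCANID: 220323-2133.30630 | RUNTIME: 11s | FILES: 162 | HITS: 1 | CLEANED: 0
Mar 23 2022 21:24:18 | SCANID: 220323-2124.16311 | RUNTIME: 20s | FILES: 206 | HITS: 3 | CLEANED: 0'

SAMPLE_REPORT='HOST: ubuntu2204
SCAN ID: 220323-2145.36978
STARTED: Mar 23 2022 21:45:47 +0300
COMPLETED: Mar 23 2022 21:46:10 +0300
ELAPSED: 23s [find: 0s]

PATH:
TOTAL FILES: 323
TOTAL HITS: 1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 220323-2145.36978

FILE HIT LIST:
{HEX}EICAR.TEST.3 : /tmp/eicar_com.zip
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >'

echo "scans with hits:"
printf '%s\n' "$SAMPLE_LIST" | scans_with_hits
echo "paths flagged in 220323-2145.36978:"
printf '%s\n' "$SAMPLE_REPORT" | report_hit_paths
if printf '%s\n' "$SAMPLE_REPORT" | report_quarantine_disabled; then
    echo "quarantine was disabled for this scan; review and run: maldet -q 220323-2145.36978"
fi
```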
<p>When installed, LMD creates a systemd service, <code>maldet.service</code>.</p>

<p>By default, it is configured to monitor the paths defined by the variable <code>$default_monitor_mode</code>:</p>

<pre><code>cat /lib/systemd/system/maldet.service</code></pre>

<pre><code>[Unit]
Description=Linux Malware Detect monitoring - maldet
After=network.target

[Service]
EnvironmentFile=/usr/local/maldetect/conf.maldet
ExecStart=/usr/local/maldetect/maldet --monitor <strong>$default_monitor_mode</strong>
ExecStop=/usr/local/maldetect/maldet --kill-monitor
Type=forking
PIDFile=/usr/local/maldetect/tmp/inotifywait.pid
[Install]
WantedBy=multi-user.target
</code></pre>

<p>To monitor specific directories rather than user home directories, list the paths to monitor (one per line) in a file and point <code>default_monitor_mode</code> in <code>conf.maldet</code> at that file.</p>

<p>For example, to monitor <code>/home</code> and <code>/etc</code>:</p>

<pre><code>echo -e '/home\n/etc' | sudo tee -a /usr/local/maldetect/monitor_paths</code></pre>

<p>Next, set <code>default_monitor_mode</code> in <code>conf.maldet</code> to the path of that file. By default it is set to <code>users</code>; the command below comments out that line and uncomments the prepared <code>monitor_paths</code> line:</p>

<pre><code>sudo sed -i '/="users"/s/^/# /;/monitor_paths/s/^# //' /usr/local/maldetect/conf.maldet</code></pre>

<p>The maldet service also requires <code>inotify-tools</code>, which can be installed with:</p>

<pre><code>sudo apt install inotify-tools -y</code></pre>

<p>Reload the systemd configuration, then start LMD and enable it to run at boot:</p>
<pre><code>sudo systemctl daemon-reload</code></pre>

<pre><code>sudo systemctl enable --now maldet</code></pre>

<p>Check the status:</p>

<pre><code>systemctl status maldet</code></pre>

<p>Sample command output:</p>

<pre><code>● maldet.service - Linux Malware Detect monitoring - maldet
 Loaded: loaded (/lib/systemd/system/maldet.service; enabled; vendor preset: enabled)
 Active: active (running) since Wed 2022-03-23 23:23:24 EAT; 4s ago
 Process: 45479 ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode (code=exited, status=0/SUCCESS)
 Main PID: 45584 (inotifywait)
 Tasks: 3 (limit: 2306)
 Memory: 4.5M
 CPU: 223ms
 CGroup: /system.slice/maldet.service
 ├─45584 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.45479 --exclude "(^/var/tmp/mysql.sock\$|^/tmp/mysql.sock\$|^/var/cache/buagent/md0.cache.dat>
 ├─45597 bash /usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths
 └─45604 sleep 15

Mar 23 23:23:22 ubuntu2204 maldet[45479]: Linux Malware Detect v1.6.4
Mar 23 23:23:22 ubuntu2204 maldet[45479]: (C) 2002-2019, R-fx Networks
Mar 23 23:23:22 ubuntu2204 maldet[45479]: (C) 2019, Ryan MacDonald
Mar 23 23:23:22 ubuntu2204 maldet[45479]: This program may be freely redistributed under the terms of the GNU GPL v2
Mar 23 23:23:22 ubuntu2204 maldet[45479]: maldet(45479): {mon} added /home to inotify monitoring array
Mar 23 23:23:22 ubuntu2204 maldet[45479]: maldet(45479): {mon} added /etc to inotify monitoring array
Mar 23 23:23:22 ubuntu2204 maldet[45479]: maldet(45479): {mon} starting inotify process on 2 paths, this might take awhile...
Mar 23 23:23:24 ubuntu2204 maldet[45479]: maldet(45479): {mon} inotify startup successful (pid: 45584)
Mar 23 23:23:24 ubuntu2204 maldet[45479]: maldet(45479): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log
Mar 23 23:23:24 ubuntu2204 systemd[1]: Started Linux Malware Detect monitoring - maldet.
</code></pre>

<p>The log lines confirm that both <code>/home</code> and <code>/etc</code> were added to the inotify monitoring array and that monitoring events are written to <code>/usr/local/maldetect/logs/inotify_log</code>.</p>

<p>Go through the LMD help page (<code>maldet -h</code>) to see more command line options and how to use them.</p>

<p>And that is it on how to install Linux Malware Detect on Ubuntu.</p>