Shell script to monitor file changes


#1 elmiller


Posted 06 March 2010 - 07:18 PM

Recently, a friend had his site hacked and his content was replaced with some pr0n. Since I run a site for a school, I'm extremely paranoid about getting hacked. I created a shell script to help me monitor changes to the files on my site. I run this as a cron job every half-hour in the hopes that if files are changed, I would be the first to find out. The script runs the find command then emails the results only when files are modified within a predetermined time. This also helps me monitor the files that my users are uploading to WPMU.

I'm fairly new to shell scripting, so I'd appreciate someone else to take a look to see if there are any loopholes or ways to optimize the script. I'm also wondering if it is ok to run the cron job even more often. The command executes very quickly so it doesn't seem like it would overload the server.


#!/bin/sh
#This script finds files that have recently been modified and emails the results
#Version 1.3 (March 6, 2010 at 15:45)

#Directory to search
myDir="/path/to/site"   # placeholder: the value in the original post was not preserved

#Set frequency of command in minutes, this should match how often you run the cron job
myFrequency=30   # placeholder: matches the "every half-hour" cron job described above

#email address for mailing the results
myEmail="you@example.com"   # placeholder: the value in the original post was not preserved

#Create datestamp for subject line
#This makes each subject line unique to prevent message collapsing in Gmail
myDate=`date +%y-%m-%d`
myTime=`date +%H:%M`

#Test if files have been edited
#"-mmin -N" means "modified less than N minutes ago"; without the minus sign find only matches files modified exactly N minutes ago
fileCount=`find "$myDir" -mmin -$myFrequency -type f | wc -l`
if [ $fileCount -gt 0 ]
then
	#Write the subject line and set correct form of the word "files" (singular or plural)
	if [ $fileCount -eq 1 ]
	then
		mySubject="Attention! $fileCount File Modified on $myDate at $myTime"
	else
		mySubject="Attention! $fileCount Files Modified on $myDate at $myTime"
	fi
	#execute find command and email the results
	find "$myDir" -mmin -$myFrequency -type f | mail -s "$mySubject" $myEmail
fi
#else nothing happens


#2 IBBoard


Posted 07 March 2010 - 08:30 AM

For anyone who wants to hack your site properly, there are two very obvious loop-holes:

1) Disable the script or replace "mail" so that you don't get notified
2) "touch -d [timestamp string]" lets files be modified before being set to a date more than 30 minutes ago

That assumes that someone is putting some real effort in and targeting your site, though, rather than just doing simple "script kiddy" attacks on known vulnerabilities of scripts.

In terms of general operation, there are only two very minor flaws that I can see:

1) An "every 30 mins" cron job isn't guaranteed to run exactly every 30 mins, so there's always the potential for it to have a tiny gap that doesn't get checked (although the chances of a modification during that time are somewhat slim)
2) You'll get emailed any time you make your own modifications, but I guess false-positives are better than false-negatives.

Just a couple of optimisations I can see:

1) You run the "find" twice, having piped it through "wc" the first time. Why not just run it once, put the list in a variable and then echo that variable to "wc" and "mail"?
2) You're using "myFrequency" to determine how far back to check. Why not use "-newer .file-mod-check" and "touch .file-mod-check" to compare against a file and then update the modified time of the file on each run? It'll solve "minor flaw 1" if you do it that way :)

Hope that helps
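Here is how the two optimisations in the reply above fit together, added here as an example rather than code from either poster. It assumes POSIX sh and find (the -newer test), a working "mail" command, and that the marker file is kept outside the monitored directory; the marker and function names are made up for the example.

```shell
#!/bin/sh
# Added example, not either poster's script. It applies the two suggestions
# above: run find once, and compare against a marker file instead of -mmin.
# Assumptions: POSIX sh and find (-newer), a working "mail" command, and a
# marker path that lives OUTSIDE the monitored directory.

# Print every regular file under $1 whose mtime is newer than marker $2,
# then advance the marker so the next cron run starts where this one ended.
changed_since_marker() {
    dir=$1
    marker=$2
    if [ ! -e "$marker" ]; then
        # First run: there is no baseline yet, so create one and report nothing.
        touch "$marker"
        return 0
    fi
    # Stamp the new marker BEFORE searching: a file touched while find runs is
    # then reported again next time rather than falling into a gap.
    touch "$marker.next"
    find "$dir" -type f -newer "$marker"
    mv "$marker.next" "$marker"
}

# Subject line with the right singular or plural form, as in the original.
subject_for() {
    if [ "$1" -eq 1 ]; then
        echo "Attention! 1 File Modified on $(date +%y-%m-%d) at $(date +%H:%M)"
    else
        echo "Attention! $1 Files Modified on $(date +%y-%m-%d) at $(date +%H:%M)"
    fi
}

# Cron entry point: report_changes DIR MARKER EMAIL. Mails only when the
# list is non-empty, and reuses the single find result for both the count
# and the message body.
report_changes() {
    list=$(changed_since_marker "$1" "$2")
    [ -n "$list" ] || return 0
    count=$(printf '%s\n' "$list" | wc -l | tr -d ' ')
    printf '%s\n' "$list" | mail -s "$(subject_for "$count")" "$3"
}
```

The marker only records mtimes, so a modification that resets its own timestamp (the second loophole above) is still invisible to it; that is a limit of any mtime-based check.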

#3 [ASO] Frank

Posted 08 March 2010 - 07:59 AM

You can do this with one line of code with "diff". Just need to create a backup of all your files. Most of the hacks that are happening these days are PHP or javascript injections, so they aren't going to bother files they cannot access via the web. The advantage of doing it this way is you can see exactly what the changes were, and ignore them if you'd like. Heck, you could even set up an email pipe script so if you reply to the email with "IGNORE" it will automatically copy all the files from public_html into web_backup.

1) Create a backup of all your web files in /home/username/web_backup
2) Create a script to run the following command periodically:
diff -rU3 /home/username/public_html /home/username/web_backup | mail -s "File Changes" you@example.com

To further advance this, you could always publish any changes to your site into the "web_backup" directory, and have it automatically copy the changes over. Obviously this won't be the ideal solution for dynamic sites with automatic uploading, such as Wordpress.
