Detecting changes to files on a web server

    Hello dear readers!


    I have several sites on which, at some point, malicious code began to appear, either as separate PHP files or as additional lines with long eval() calls in existing files.

    After I changed all the passwords, updated the CMSs to the latest versions and took other measures to harden the sites against attackers, such cases became rare, but they did not stop.

    Then I wondered: how could I find out quickly where code has been injected the next time it happens, so that I can deal with it immediately?

    I had heard that there are serious ready-made solutions for this, but I wanted something:
    1. Simple and quick to set up and operate.
    2. Self-written, to level up my programming skills a little.


    As a result, over several hours spread across about a week, I wrote a checker which, without much thought, I called Simple File Integrity Checker (SFIC).

    It:
    • is simple, down to the required minimum;
    • works with the file system from the specified path downwards;
    • checks whether the files have changed since the previous scan, and if they have, sends a notification by e-mail;
    • allows you to set exceptions (items whose change is not considered an intrusion into the site) in the form of file names, file extensions and directory names;
    • can check files either by size and modification date or by content.


    It can be launched from cron (it runs every 15 minutes on every site) or opened in a browser.

    If changes are found, it lists the added, deleted and modified files separately. For modified files it shows how the date and file size have changed.
    This is quite enough to get a rough idea of what happened at a glance.
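
    The check described above (walk the tree, skip the exceptions, compare with the previous scan by size and date or by content, report added, deleted and modified files), sketched in Python as an added example. It is not SFIC's code; the exclusion values, the function names and the JSON baseline format are assumptions.

```python
import hashlib
import json
import os

# Assumed exclusion settings (hypothetical values, not SFIC's configuration).
SKIP_DIRS = {"cache", "tmp"}
SKIP_EXTS = {".log"}
SKIP_NAMES = {"sitemap.xml"}


def snapshot(root, by_content=False):
    """Map relative path -> fingerprint for every non-excluded file under root."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name in SKIP_NAMES or ext in SKIP_EXTS or os.path.islink(path):
                continue  # excluded, or a symlink that may point outside the tree
            st = os.stat(path)
            entry = {"size": st.st_size, "mtime": int(st.st_mtime)}
            if by_content:
                # Content mode catches edits that keep the original size and date.
                with open(path, "rb") as fh:
                    entry["sha256"] = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = entry
    return state


def diff(old, new):
    """Return (added, deleted, modified) path lists between two snapshots."""
    added = sorted(new.keys() - old.keys())
    deleted = sorted(old.keys() - new.keys())
    modified = sorted(p for p in new.keys() & old.keys() if new[p] != old[p])
    return added, deleted, modified


def check(root, baseline_file, by_content=False):
    """Compare root with the stored baseline, then store the new state."""
    old = {}
    if os.path.exists(baseline_file):
        with open(baseline_file) as fh:
            old = json.load(fh)
    new = snapshot(root, by_content)
    with open(baseline_file, "w") as fh:
        json.dump(new, fh)
    return diff(old, new)
```

    Keep the baseline file outside the scanned tree, preferably where the web server account cannot write; otherwise every scan flags its own baseline and an intruder can rewrite it. Anything placed under an excluded name, extension or directory is never reported, so the exception list should stay as short as possible.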

    I posted the project on GitHub.
    The code is so-so. In the future I will try to make it friendlier.
    However, since it has been working steadily for a year, I decided to stop using it alone and share it with the public.

    Thanks for your attention!


    Addendum: the topic is relevant not only to me: a more elaborate solution to the same problem turned up in the comments (but so far it is not available to the public).
    Addendum 2: in the comments, readers pointed to the SANTI web antivirus, which, in addition to checking the integrity of files, does a lot more.
