Detecting file changes on a web server

Hello, dear readers!

The picture briefly and allegorically conveys the meaning of the script described in the post:


I have several sites on which, at some point, malicious code began to appear, either as separate PHP files or as additional lines with a long eval() in existing files.
After changing all the passwords, updating the CMS to the latest versions and taking other measures to harden the sites against intruders, such cases became rare, but they did not stop.

Then I wondered: how could I find out promptly where code had been injected yet again, so that I could kill it right there?

I had heard that there are serious ready-made solutions for this, but I wanted something:
  1. Simple and quick to set up and run.
  2. Self-written, to level up my programming skills a little.


As a result, over several hours spread across a week, I wrote a checker, which I named, without much thought, Simple File Integrity Checker (SFIC).

It:


It can be launched via CRON (it runs every 15 minutes on every site) or opened in a browser.

If changes are detected, the added, deleted, and modified files are listed separately. For modified files, it shows how the date and file size changed.
This is quite enough to get a rough idea of what happened.
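
The check described above, as an added example in Python; it is not SFIC's own code. The function names and the JSON baseline file are assumptions, and the baseline must be stored outside the scanned directory so that it does not report itself.

```python
import json
import os
import sys
from pathlib import Path


def snapshot(root):
    """Map each file path (relative to root) to its size and modification time."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            try:
                st = full.stat()
            except OSError:
                continue  # file vanished between listing and stat
            state[full.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime": int(st.st_mtime)}
    return state


def compare(old, new):
    """Return (added, deleted, modified) between two snapshots."""
    added = sorted(new.keys() - old.keys())
    deleted = sorted(old.keys() - new.keys())
    # For modified files keep both records so the report can show
    # how the date and the size changed.
    modified = {p: (old[p], new[p])
                for p in sorted(old.keys() & new.keys()) if old[p] != new[p]}
    return added, deleted, modified


def check(root, baseline_file):
    """Compare root against the stored baseline, then store the new state."""
    baseline = Path(baseline_file)
    old = json.loads(baseline.read_text()) if baseline.exists() else {}
    new = snapshot(root)
    report = compare(old, new)
    baseline.write_text(json.dumps(new))
    return report


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage (hypothetical file name): python check.py <web root> <baseline.json>
    added, deleted, modified = check(sys.argv[1], sys.argv[2])
    for label, items in (("added", added), ("deleted", deleted)):
        for path in items:
            print(f"{label}: {path}")
    for path, (before, after) in modified.items():
        print(f"modified: {path} {before} -> {after}")
```

Size and modification time are cheap to compare on every cron run, but both can be set back to their old values, so a content hash per file is the stronger check where that matters.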

I published the project on GitHub.
The code is laid out so-so. In the future I will try to make it more friendly.
However, since it has been working stably for a year now, I decided to stop using it alone and share it with the public.

Thanks for your attention!


Update: the topic is relevant not only for me, because in the comments there was a more developed solution to the same issue (but not yet available to the public).
Addition 2: in the comments, I was pointed to the web antivirus SANTI, which, besides checking the integrity of files, does much more.

Source: https://habr.com/ru/post/213895/
