Recursively monitor all changes in given directory

Hello everyone!

Recently my server was hacked and I found at least three different kinds of malware on more than 15 sites. A lot of folders and files were created in every site. Sometimes I delete them and they appear again. As for now, I think I cleaned everything, but I would like to have a tool to prevent such cases in the future.

Is there an easy way to set up some script that will log all file changes within a day and send me that log by email? Unfortunately I'm not good at shell scripting and server management. I found several solutions, but no step-by-step tutorials on this matter.

Basically I would like to find a script that will log all file changes in a given directory with daily log rotation and the possibility to ignore some of the files and folders. Another script could be added to cron to send me the daily log if it has anything in it.

Can someone point me to such a solution or help creating it? What are you using to find malicious files on your server?

Thanks!

2 Replies

Thanks, I will try tripwire. I heard it's quite resource-demanding though.

The intrusion was made through WordPress and all files were created by the www-data user, so it came from PHP and I was hoping that I could find all those files by comparing them with backups.

I created this kind of script yesterday, not sure how heavy that is on the system, but it shows all the files that were changed:

#!/bin/bash
# Watch /home recursively and append every modify/attrib/delete/create event to a dated log;
# the --exclude regex skips log, cache and sitemap files that churn constantly. The log file
# name is expanded once at start-up, so a long-running instance keeps writing to the same file after midnight.
inotifywait -m -r --exclude "(logs\/)|(configCache.php)|(cache_stats.php)|(sitemap.xml)" \
    -e modify,attrib,delete,create --timefmt '%d-%m-%Y-%H:%M:%S' --format '%T: %e %w%f' \
    /home/ >> "/filechangelog/$(date +"%Y%m%d")_filechangelog.txt"
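The following is an added example, not code from the original poster or from DigitalOcean. It builds on the inotifywait one-liner above and adds the two things the question asked for: daily rotation that actually rolls over at midnight (the date is evaluated per event rather than once at start-up), and a cron-able digest that only sends mail when the previous day's log has entries, with a per-event-type tally so a burst of CREATE events stands out. It assumes inotify-tools and a `mail` command are installed; the directories, the exclude pattern and the MAILTO address are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: inotify-tools and
# a `mail` command are installed; WATCH_DIR, LOG_DIR, EXCLUDE and MAILTO are
# placeholders to adjust for your own server.

WATCH_DIR="${WATCH_DIR:-/home}"
LOG_DIR="${LOG_DIR:-/filechangelog}"
MAILTO="${MAILTO:-admin@example.invalid}"   # placeholder, not a real address
# Paths to ignore (extended regex, matched by inotifywait against the full path).
EXCLUDE='(/logs/)|(/cache/)|(configCache\.php$)|(cache_stats\.php$)|(sitemap\.xml$)'

# Name of the log file for the calendar day of the current event.
log_file_for_today() {
    printf '%s/%s_filechangelog.txt\n' "$LOG_DIR" "$(date +%Y%m%d)"
}

# Read event lines on stdin and append each one to today's file. Because the
# date is evaluated per line, the log rolls over at midnight without
# restarting the watcher.
log_events() {
    mkdir -p "$LOG_DIR"
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$(log_file_for_today)"
    done
}

# Long-running watcher; start it from a service unit or an @reboot cron entry.
start_logger() {
    inotifywait -m -r -q \
        --exclude "$EXCLUDE" \
        -e modify,attrib,delete,create,moved_to,moved_from \
        --timefmt '%d-%m-%Y-%H:%M:%S' --format '%T: %e %w%f' \
        "$WATCH_DIR" | log_events
}

# Print a digest of one log file; return 1 when the file is missing or empty
# so the caller can skip sending mail on quiet days.
summarize_log() {
    log="$1"
    [ -s "$log" ] || return 1
    printf 'File changes recorded in %s: %s events\n\n' \
        "$(basename "$log")" "$(wc -l < "$log" | tr -d ' ')"
    # The second field of each line is the event name(s), e.g. "CREATE" or
    # "MODIFY,ISDIR"; tally them so a burst of CREATEs is visible at a glance.
    awk '{ n = split($2, ev, ","); for (i = 1; i <= n; i++) c[ev[i]]++ }
         END { for (e in c) printf "%-10s %d\n", e, c[e] }' "$log" | sort
    printf '\n--- full log ---\n'
    cat "$log"
}

# Daily cron job (e.g. "5 0 * * * sh /usr/local/bin/filechange-monitor.sh digest"):
# mail yesterday's log only if it has anything in it.
send_daily_digest() {
    yesterday="$(date -d yesterday +%Y%m%d 2>/dev/null || date -v-1d +%Y%m%d)"
    log="$LOG_DIR/${yesterday}_filechangelog.txt"
    if body="$(summarize_log "$log")"; then
        printf '%s\n' "$body" | mail -s "File changes on $(hostname) for $yesterday" "$MAILTO"
    fi
}

case "${1:-}" in
    watch)  start_logger ;;
    digest) send_daily_digest ;;
esac
```

Run `sh filechange-monitor.sh watch` once at boot to start the watcher and `sh filechange-monitor.sh digest` from a cron entry just after midnight. The exclude list deliberately anchors file names with `$` so that, unlike a bare `sitemap.xml`, it does not also silence a file such as `sitemap.xml.php` dropped into a site directory; review the tally before trusting the quiet days.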

If you get hacked, you're not going to be safe by just deleting the files/folders you don't recognize. The hacker could've installed a rootkit, some of which are virtually undetectable. The only safe response to an intrusion is to shut down the server, provision a replacement using your backups, and (once the replacement is up) do forensic analysis on the old server so you can determine why the intruder got in. If that sounds like a lot of work to you, then you should invest some time in tools to make it easier. For example, I use Puppet, which lets me provision fully-functional replacements for the servers I administer in under 30 minutes.

Anyway, to answer your question, what you're looking for is known as an intrusion detection system (IDS). There are tons of them out there, but one of the simplest is Tripwire: http://sourceforge.net/projects/tripwire/

Here's a tutorial on how to use it: https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
