Recursively monitor all changes in given directory
Recently my server was hacked and I found at least three different mallwares on more than 15 sites. A lot of folders and files were created in every site. Sometimes I delete them and they appear again. As for now, I think I cleaned everything, but I would like to have a tool to prevent such cases in future.
Is there an easy way to setup some script that will log all file changes within a day and send me that log on my email? Unfortunately I'm not good in shell scripting and server management. I found several solutions, but no step by step tutorials on this matter.
Basically I would like to find a script that will log all file changes in a given directory with daily log rotation and possibility to ignore some of the files and folders. Another script can be added to cron and send me the daily log if it has anything in it.
Can someone point me to such solution or help creating it? What are you using to find malicious files on your server?
The intrusion was made through WordPress and all files were created by www-data user, so it cam from php and I was hoping that I could find all those files comparing them with backups.
I created this kind of script yesterday, not sure how heavy is that for the system, but it shows all the files that were changed:
#!/bin/bash inotifywait --exclude "(logs\/)|(configCache.php)|(cache_stats.php)|(sitemap.xml)" -e modify,attrib,delete,create -m -r /home/ --timefmt %d-%m-%Y-%H:%M:%S --format '%T: %e %w%f' >> /filechangelog/$(date +"%Y%m%d")_filechangelog.txt
Anyway, to answer your question, what you're looking for is known as an intrusion detection system (IDS). There are tons of them out there, but one of the simplest is Tripwire:
Here's a tutorial on how to use it: