Log file changes

Kiekeboe100

Hi,

I had a hacked WordPress installation today. But there really isn't anything I can do other than restore a backup from before the problem, and then update all plugins + WordPress itself.

Would it be possible to have a log with all files edited, and what process / file edited those files? This way we would be able to find which plug-in might be the cause.

Stijn
 
Hi Stijn.
Don't you have Maldetect running? If yes, did it not detect anything?

I believe RKhunter can do something like that. However, since that will log all files, it will generate a very huge logfile.
Maybe you can use an addon like WordPress File Monitor Plus or WP Security Audit Log or something like that?
 
Hello,

You can run

Code:
find /home/username/<user>/domains/<domain>/public_html -type f -name \*.php -mtime -7

to find all *.php files in /home/username/<user>/domains/<domain>/public_html modified within the last 7 days.

Replace <user>, <domain> with your real names and change -7 to what you need.
 
Richard,

Maldetect was not running, installed it now, and it found another file I missed.
Same with a WordPress security plug-in, also found some issues.

Alex,
I can only find the changed files in the last days with that command. But I won't know whether those files were created by php (the user / wordpress), ftp, ...
I doubt this is info that we can retrieve afterwards, which is why I am looking for something that can log all file changes in the public_html folders together with the process that changed that file.

I found this: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
I only quickly glanced over it, I will look at it further when I have some time again.

The particular WordPress site seems fixed for the moment, so it's not that big of an issue anymore.

regards,
Stijn
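
Added example, not part of the thread: one way to get the "which process changed which file" view asked for above is an auditd watch on public_html plus a small report over the audit log. The watch path, the key name `wp_changes` and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed rule, loaded beforehand (path and key name are placeholders):
#   auditctl -w /home/<user>/domains/<domain>/public_html -p wa -k wp_changes

# Constructed sample records in auditd log format (not from a real system).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=5 pid=912 uid=1001 comm="php-fpm" exe="/usr/sbin/php-fpm" key="wp_changes"
type=PATH msg=audit(1700000000.101:501): item=0 name="/home/user/public_html/wp-content/uploads/" nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="/home/user/public_html/wp-content/uploads/x.php" nametype=CREATE
type=SYSCALL msg=audit(1700000050.202:502): arch=c000003e syscall=257 success=yes exit=7 pid=2210 uid=1001 comm="pure-ftpd" exe="/usr/sbin/pure-ftpd" key="wp_changes"
type=PATH msg=audit(1700000050.202:502): item=0 name="/home/user/public_html/index.php" nametype=NORMAL
type=SYSCALL msg=audit(1700000060.303:503): arch=c000003e syscall=257 success=yes exit=3 pid=3001 uid=0 comm="passwd" exe="/usr/bin/passwd" key="other"
type=PATH msg=audit(1700000060.303:503): item=0 name="/etc/shadow" nametype=NORMAL
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial: {serial: {record_type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        events[int(serial)][rtype].append(fields)
    return events

def file_changes(text, key="wp_changes"):
    """Return (exe, uid, path) for files touched by successful events tagged with key."""
    out = []
    for _serial, recs in sorted(parse_events(text).items()):
        sc = recs.get("SYSCALL", [{}])[0]
        if sc.get("key") != key or sc.get("success") != "yes":
            continue
        for p in recs.get("PATH", []):
            if p.get("nametype") != "PARENT":  # skip the containing directory
                out.append((sc.get("exe"), sc.get("uid"), p.get("name")))
    return out

if __name__ == "__main__":
    for exe, uid, path in file_changes(SAMPLE_LOG):
        print(f"{exe} (uid {uid}) -> {path}")
```

Where PHP runs as the site's own user, the uid is the same for PHP and FTP writes, so the `exe` field is what separates the two.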
 