Recommendations for File Change Monitoring Software?

I have 2 small scripts running on a daily basis to check not only if files have been changed but also if they have been uploaded by a valid user or not. Maybe you can use/modify them for your own needs?

Ok, I know this can be done a little more efficiently, but I was in a hurry when doing it and never looked at it again... sorry :)

The first makes an md5 checksum of every .html, .js and .php file in the /home/ directory and below. It also compiles a list of valid ftp users and a list of ftp accesses from the logfiles.
The second checks the changed files against the ftp users file and prints a message if a file wasn't uploaded by the correct user.

For me (on that specific server) this is sufficient, but it does fire when someone runs a web-based install somewhere, as these files are not uploaded by ftp. Actually it is intended to fire then ;)

If you want to check all files on your server, simply change the 'find' in the first script to something like:

find / | xargs md5sum > md5.dat.today

but, this will yield a lot of changes.
Put it in the cron and you're done.

Code:
#!/bin/bash

#run this first
cd /var/test || exit 1

# keep yesterday's checksums for the comparison
mv md5.dat.today md5.dat.yesterday
# md5 every .htm*, .php* and .js file under /home, skipping the stats directories
# (-print0 / xargs -0 copes with spaces in file names)
find /home -iname "*.htm*" -not -path '*/stats/*' -not -path '*/awstats/*' -print0 | xargs -0 md5sum > md5.dat.today
find /home -iname "*.php*" -not -path '*/stats/*' -not -path '*/awstats/*' -print0 | xargs -0 md5sum >> md5.dat.today
find /home -iname "*.js" -not -path '*/stats/*' -not -path '*/awstats/*' -print0 | xargs -0 md5sum >> md5.dat.today
# lines only in today's list are new or changed files
diff md5.dat.today md5.dat.yesterday | grep '^<' > changed_today.dat
# ftp user name and home directory from the proftpd password file
gawk -F ":" '{print $1, $6}' /etc/proftpd.passwd > ftpusers.dat
# user and file name of every upload (STOR) and rename (RNTO) in the ftp access logs
grep -h 'STOR ' /var/log/proftpd/access.log /var/log/proftpd/access.log.1 | grep -v '\.tmp' | awk '{print $3, $7}' | cut -d '"' -f1 > uploaded_files.dat
grep -h 'RNTO ' /var/log/proftpd/access.log /var/log/proftpd/access.log.1 | grep -v '\.tmp' | awk '{print $3, $7}' | cut -d '"' -f1 >> uploaded_files.dat

Code:
#!/bin/bash

#run this when the first has completed (or just put them together in one script).
cd /var/test || exit 1

# changed_today.dat holds diff output lines: "< <md5>  <path>"
while read -r dummy md5 filename
do
  ISVALID="no"
  # ftpusers.dat holds "<ftp user> <home directory>" pairs
  while read -r usr homedir
  do
    # only the ftp user whose home directory contains the file may have uploaded it
    if [[ "$filename" == "${homedir}"* ]]
    then
      BASEFILE=$(basename "$filename")
      # find user and file in uploaded files (fixed-string match)
      if grep -qF "${usr} ${BASEFILE}" uploaded_files.dat
      then
        ISVALID="yes"
      fi
    fi
  done < "ftpusers.dat"
  if [ "${ISVALID}" == "yes" ]
  then
    : # valid upload, nothing to report
#    echo "### VALID UPLOAD: ${usr} uploaded file: $filename"
  else
    echo "### WARNING!!! FILE: $filename has not been uploaded by a valid user using FTP"
  fi
done < "changed_today.dat"
 
If you place it in the cron, the root user gets the mail, so if you add a root: [email protected] line in the /etc/aliases file, you'll get all root mail right in your mailbox ;)
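The comparison step of the two scripts above, as an added example that is not the poster's code and goes a bit further: it compares the two md5sum listings directly (so it also reports deleted files, which the diff | grep "<" step does not) and flags every new or modified file without a matching FTP upload record. The file formats follow the scripts above; the sample data is constructed, and bash plus awk are assumed.

```shell
#!/bin/bash
# Added example: classify changes between two md5sum listings as NEW, MODIFIED or
# DELETED and mark new/modified files that match an FTP upload record.
# Input formats (as produced by the scripts above):
#   checksum list : "<md5>  <path>"       (md5sum output, path starts at column 35)
#   ftpusers      : "<user> <homedir>"
#   uploads       : "<user> <filename>"   (from the STOR / RNTO log lines)

# usage: check_changes TODAY YESTERDAY FTPUSERS UPLOADS  -> one sorted report line per change
check_changes() {
  awk -v ftpusers="$3" -v uploads="$4" '
    FNR == NR { old[substr($0, 35)] = $1; next }    # first file: yesterday
    { new[substr($0, 35)] = $1 }                    # second file: today
    END {
      while ((getline line < ftpusers) > 0) { split(line, f, " "); home[f[1]] = f[2] }
      while ((getline line < uploads) > 0) up[line] = 1
      for (p in new) {
        if (!(p in old))           report(p, "NEW")
        else if (old[p] != new[p]) report(p, "MODIFIED")
      }
      for (p in old) if (!(p in new)) print "DELETED " p
    }
    # a change is legitimate when the user owning the home directory uploaded that base name
    function report(path, kind,   u, base, key) {
      base = path; sub(/.*\//, "", base)
      for (u in home) {
        key = u " " base
        if (index(path, home[u] "/") == 1 && (key in up)) {
          print kind " " path " (ftp upload by " u ")"; return
        }
      }
      print "WARNING " kind " " path " not uploaded by a valid FTP user"
    }' "$2" "$1" | sort
}

# constructed sample data, not taken from a real server
T=$(mktemp -d)
printf '%s\n' \
  'd41d8cd98f00b204e9800998ecf8427e  /home/alice/public_html/index.php' \
  'd41d8cd98f00b204e9800998ecf8427e  /home/alice/public_html/old.js' \
  'd41d8cd98f00b204e9800998ecf8427e  /home/bob/public_html/single.php' > "$T/yesterday"
printf '%s\n' \
  '0cc175b9c0f1b6a831c399e269772661  /home/alice/public_html/index.php' \
  'd41d8cd98f00b204e9800998ecf8427e  /home/bob/public_html/single.php' \
  '92eb5ffee6ae2fec3ad71c777531578f  /home/bob/public_html/shell.php' > "$T/today"
printf '%s\n' 'alice /home/alice' 'bob /home/bob' > "$T/ftpusers"
printf '%s\n' 'alice index.php' > "$T/uploads"

check_changes "$T/today" "$T/yesterday" "$T/ftpusers" "$T/uploads"
```

Unchanged files (same checksum on both days) produce no line, so a quiet day gives an empty mail.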
 
This is a very nice script, but how can you filter out files which are updated by scripts themselves?
For example, if somebody upgrades their script (forum, joomla or wordpress etc.) via the admin web interface, this will spew hundreds of warnings for just 1 script, like this:
Code:
### WARNING!!! FILE: /home/user/domains/domain.org/public_html/home2/wp-content/themes/irresistible/single.php has not been uploaded by a valid user using FTP
### WARNING!!! FILE: /home/user/domains/domain.org/public_html/home2/wp-content/themes/irresistible/comments-legacy.php has not been uploaded by a valid user using FTP
And this for every updated file. It's already dozens of warnings for only 1 theme.

You already said this in your initial message. But is there a way to prevent this?
 
Well, you can't, as its intention is to do just that (warn about stuff that's not uploaded through ftp). If someone uses a rogue script to download a php shell, you'd want to know that, right?

What you can do is run clamav / linux malware detection on the changed files list, but you might be missing custom shells that aren't detected by those scanners. (And that's the main reason why I made it).
 
You're correct, I'd want to know about malicious changes not uploaded by FTP.
Pity, we probably won't be able to use it because this will give me thousands of changes when scripts are upgraded, text in html files is edited through web interfaces, new images in pages etc., and mostly the only things uploaded through ftp are new websites and images.

So for the time being we will only keep using clamav and maldet which already were running next to rkhunter and stuff.
But this is a very nice thing to use for some other purposes, like a vps with a couple of websites etc., so thank you anyway for sharing!
 
True, it's not very useful if you have a lot of scripts updating stuff, but then again, that's how crapware often gets inserted into websites.
Sadly there is no easy way to be 100% sure that e.g. a WordPress theme is legit, so ignoring wp/joomla is not a clever solution.

I use it on shared hosting for business sites. Those sites don't tend to change on a daily basis, so I use it to just keep an eye on things. You'll get used to the mails after a while and it's possible to 'scan' for anomalies pretty fast.

Good luck, hope you do find some use for it :)

Greetings,

John
 
I know Any employee monitoring has a function like this. It will alert you when any file is changed, copied or deleted. If you use such software in your company, you can set it up; if you don't, please use the code above.
 