Archive for July, 2021


File Monitoring Bash Script

I wrote a very simple bash script to check and report on any PHP file changes in the past 24 hours, and to run a simple check for suspicious files. It doesn’t require any software to be installed, so it can be used on shared hosting with limited shell access.

It simply uses `find` to check whether any PHP files have changed and reports back if they have, and it uses Fenrir to check for suspicious files. Fenrir is a simple IOC scanner that checks files for specific patterns that may indicate those files have been compromised.

The actual script is as follows; you’ll just need to swap the folders and the email address for your actual file locations and email address.

#!/bin/bash
 
# check for php files whose inode change time (ctime) is within the last 24 hours;
# unlike mtime, ctime cannot be reset with touch, so it is the better signal here
CHANGED=$(find /websitedirectory/ -name "*.php" -type f -ctime -1 | head -50)
 
if [[ -z "${CHANGED}" ]]; then
  echo "nothing has changed"
else
  echo "files changed"
  mail -s "Website files changed" your@email.com <<< "file has been changed: ${CHANGED}"
fi
 
# run fenrir in the background and wait for it to finish before reading its log
# (a fixed sleep risks reading a partial log if the scan runs long)
(cd /file_location/fenrir && ./fenrir.sh /websitedirectory/) &
wait
 
SYSTEM_NAME=$(uname -n | tr -d "\n")
TS_CONDENSED=$(date +%Y%m%d)
LOG="/file_location/fenrir/FENRIR_${SYSTEM_NAME}_${TS_CONDENSED}.log"
 
# a missing log means fenrir did not run, not that it found nothing
if [[ ! -f "${LOG}" ]]; then
  echo "fenrir log not found: ${LOG}"
  mail -s "Fenrir did not produce a log" your@email.com <<< "expected log not found: ${LOG}"
  exit 1
fi
 
MATCHES=$(grep "match" "${LOG}")
 
if [[ -z "${MATCHES}" ]]; then
  echo "fenrir found nothing"
else
  echo "fenrir found bad files"
  mail -s "Fenrir found suspicious files" your@email.com <<< "Fenrir found suspicious files: ${MATCHES}"
fi

After you’ve modified the script as necessary and created the file, you can set it to run daily by adding this to your crontab:

0 0 * * * /file_location/site_monitor
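The `find -ctime -1` check above only reports files changed in the last 24 hours, so it misses a change if cron skips a day and it cannot see deleted files. As an added example (not part of the original post, and not Fenrir's code), the following functions keep a sha256 manifest of the PHP files and report added, modified and removed files against it on each run; the baseline path is assumed to live outside the web root, and the `$HOME/.site_monitor` location is hypothetical.

```bash
#!/bin/bash
# Added example (not from the original post): a manifest-based integrity check
# for PHP files that complements the timestamp check. A stored sha256 baseline
# catches added and removed files and does not depend on when cron last ran.
# The baseline is assumed to live outside the web root (for example
# $HOME/.site_monitor, hypothetical) so a web-side compromise cannot rewrite it.

# build_manifest DIR: print "sha256  path" for every .php file, sorted by path.
build_manifest() {
  find "$1" -type f -name '*.php' -print0 | sort -z | xargs -0 -r sha256sum
}

# report_changes BASELINE CURRENT: print ADDED / MODIFIED / REMOVED lines.
# Returns 0 when the manifests match and 1 when any difference was found.
# The path is read from column 67 onward (64 hex digits plus two spaces), so
# file names containing spaces are handled.
report_changes() {
  local baseline="$1" current="$2" out
  out=$(awk '
    { hash = $1; path = substr($0, 67) }
    FILENAME == ARGV[1] { base[path] = hash; next }
    { seen[path] = 1
      if (!(path in base))         print "ADDED    " path
      else if (base[path] != hash) print "MODIFIED " path }
    END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
  ' "$baseline" "$current" | sort)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# check_site DIR BASELINE: the first run records the baseline, later runs
# report differences against it (exit 1 on any change, so cron can mail it).
check_site() {
  local dir="$1" baseline="$2" current rc
  current=$(mktemp)
  build_manifest "$dir" > "$current"
  if [ ! -f "$baseline" ]; then
    mv "$current" "$baseline"
    echo "baseline recorded: $baseline"
    return 0
  fi
  if report_changes "$baseline" "$current"; then rc=0; else rc=1; fi
  rm -f "$current"
  return "$rc"
}
```

Re-record the baseline only after you have reviewed a reported change, otherwise a modified file silently becomes the new normal.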
