  1. #1

    program to detect suspicious files on server

    Hello

    Here is a script I've done for my hosting company, and that may be useful for many webhosting companies.

    How it basically works:
    1) you configure the home directory of your users
    2) you configure which "mask" is considered suspicious on file names (the attached program comes with a sample configuration). It can depend on file size too.

    Explaining it:

    my %suspects = (
    '\.mp\d$' => 100000,
    '\.mpe?g$' => 100000,
    'child' => 5000,
    'hack' => 0
    );

    the first one checks for files that end in ".mp\d", where \d is a digit from 0-9... so it searches for .mp1, .mp2, .mp3, etc. that are at least 100000 bytes

    the second searches for files that end in ".mpg" or ".mpeg" and are at least 100000 bytes

    the third searches for files that contain the sequence of letters "child" anywhere and are 5000 bytes or more

    the fourth searches for files that contain the sequence of letters "hack", of any size

    (REMEMBER NOT TO PUT A "," AFTER THE LAST ITEM!)

    So it's basically self-explanatory.
    As some may have noticed, this program uses Perl regular expressions for finding patterns. If you don't know how to use them, you may just put a sequence of letters to be found. Also, to mean a ".", you need to put "\."
    To say the filename must END with the pattern, put a "$" as last char. To say the filename must BEGIN with the pattern, put a "^" as first char.

    If you wanna learn some regular expressions, I recommend:
    http://www.perldoc.com/perl5.8.0/pod/perlrequick.html

    The program will E-Mail you a list of all files containing one or more patterns you configured.
    And the most important: it will save the suspicious files in a database in order to:
    1) it doesn't send the same file every time (so you only need to check a few files if you run it every day)
    2) it tells you when some of the files have been DELETED

    How to install the program in /usr/local/checksuspects:
    1) login as root
    2) cd /usr/local
    3) mkdir checksuspects
    4) cd checksuspects
    5) [put checksuspects.pl file in this directory]
    6) chmod 700 checksuspects.pl
    7) recommended: after configuring the program, run it once to make the "first database" (since it's empty, it will be much bigger than the next ones, that will only contain changes)

    Here's how I run this program on crontab (set it by typing "crontab -e" logged in as root):
    0 5 * * * /usr/bin/checksuspects/checksuspects.pl
    (every day at 5am - don't put it at a peak hour, the program needs resources to check files)

    This program is freeware, although a donation is appreciated if you like the program. My paypal address is tdthp *at* terra.com.br

    <<Removed attachment>>
    Last edited by anon-e-mouse; 04-18-2004 at 05:07 AM.
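As an added example (not the attached checksuspects.pl, whose code is not shown in the thread), here is a small Perl scanner that applies the %suspects configuration described above, including the '\.r\d\d$' entry suggested later in the thread for split RAR volumes, and keeps a plain-text state file so that only new and deleted matches are reported; it prints the report instead of mailing it, and the /home root, the state-file path and the case-insensitive match are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the original checksuspects.pl: walk the users' home
# tree, flag files whose name matches a %suspects pattern and whose size
# meets that pattern's threshold, then diff the hits against a state file.
use strict;
use warnings;
use File::Find;

my $home_root = '/home';                            # assumed users' home root
my $state     = '/usr/local/checksuspects/db.txt';  # assumed state file
my %suspects = (
    '\.mp\d$'  => 100000,   # .mp1 .. .mp9 of 100000 bytes or more
    '\.mpe?g$' => 100000,   # .mpg / .mpeg of 100000 bytes or more
    '\.r\d\d$' => 100000,   # split archive volumes .r01, .r02, ... (no .rar needed)
    'child'    => 5000,     # "child" anywhere in the name, 5000 bytes or more
    'hack'     => 0,        # "hack" anywhere in the name, any size
);

# Return path => size for every regular file whose basename matches a
# pattern (case-insensitive, an assumption) at or above its size threshold.
sub scan {
    my ($root) = @_;
    my %hits;
    find({ no_chdir => 1, wanted => sub {
        return unless -f $_;          # skip directories, links to dirs, etc.
        my $size = -s _;              # reuse the stat buffer from -f
        (my $name = $_) =~ s{.*/}{};  # basename only, patterns are for names
        for my $re (keys %suspects) {
            if ($name =~ /$re/i && $size >= $suspects{$re}) {
                $hits{$_} = $size;
                last;                 # one hit per file is enough
            }
        }
    }}, $root);
    return %hits;
}

# Previous run's hits, one "path<TAB>size" per line; empty on the first run.
sub load_state {
    my %old;
    if (open my $fh, '<', $state) {
        while (<$fh>) { chomp; my ($p, $s) = split /\t/; $old{$p} = $s }
    }
    return %old;
}

my %old = load_state();
my %new = scan($home_root);
print "NEW: $_ ($new{$_} bytes)\n" for grep { !exists $old{$_} } sort keys %new;
print "DELETED: $_\n"              for grep { !exists $new{$_} } sort keys %old;
open my $out, '>', $state or die "cannot write $state: $!";
print $out "$_\t$new{$_}\n" for sort keys %new;
close $out;
```

Running it once with no state file prints every current match as NEW, exactly the large "first database" the install notes describe; later runs print only the changes.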

  2. #2
    Thank you very much for sharing this, I will definitely give it a shot!

  3. #3
    Very interesting script, as miakeru said, thanks for sharing this !

  4. #4
    neat idea

    I would add (I know I could do it for myself but might be better for the group if listed here)

    rar files over $x size
    avi files over $x size
    divx and xvid in the file names
    crack

    I'm sure I'm missing some.

  5. #5
    Originally posted by ambirex
    neat idea

    I would add (I know I could do it for myself but might be better for the group if listed here)

    rar files over $x size
    avi files over $x size
    divx and xvid in the file names
    crack

    I'm sure I'm missing some.
    "rar" and "crack" are already set in the script (my post just showed 3 of them as an example)

    BTW, avi, divx and xvid are a nice idea
    I'm adding them to mine too

  6. #6
    good work, thanks

  7. #7
    good work, I'll be using this for my new server

  8. #8
    another thing is that a lot of the time warez comes in packages such as


    .r01
    .r02
    .r03

    etc. without a .rar file, while still being a WinRAR archive

  9. #9
    Originally posted by thelinuxguy
    another thing is that a lot of the time warez comes in packages such as


    .r01
    .r02
    .r03

    etc. without a .rar file, while still being a WinRAR archive
    good suggestion

    so I recommend adding this to the list:

    '\.r\d\d$' => 100000,

  10. #10
    Looks good, might have to play with it sometime.

    Thanks!

  11. #11
    since locate's database is updated daily by default, it would probably be a good idea to use it to speed up the script (and consume less resources too)

    locate also accepts regular expressions...

    I don't have the time to do it now, but the suggestion is there if someone wants to do it

  12. #12
    Another one that some people may be interested in is 'formmail' for those of you who disallow the use of such scripts.

  13. #13
    Originally posted by Lem0nHead
    since locate's database is updated daily by default
    Ummm, normally not by default, although it can be set up that way.
    All of the installations that I have seen (and remember) don't have any updatedb scheduled by default.

  14. #14
    Originally posted by demonmoo
    Ummm, normally not by default, although it can be set up that way.
    All of the installations that I have seen (and remember) don't have any updatedb scheduled by default.
    I've a cPanel server with RHE on Server Matrix and it came with updatedb daily by default

  15. #15
    Nice little script. Very useful.