Here is a script I've done for my hosting company, and that may be useful for many webhosting companies.
How it basically works:
1) you configure the home directory of your users
2) you configure which "mask" is considered suspicious on file names (the attached program comes with a sample configuration). It can depend on file size too.
the first one checks for files that end in ".mp\d", where \d is a number from 0-9... so it searches for .mp1, .mp2, .mp3, etc. and have at least 100000 bytes
the second searches for files that end in ".mpg" or ".mpeg" and have at least 100000 bytes
the third searches for files that contain the sequence of letters "child" anywhere and are 5000 bytes or more
the fourth searches for files that contain the sequence of letters "hack", of any size
(REMEMBER NOT TO PUT A "," AFTER THE LAST ITEM!)
So it's basically self-explanatory.
As some may have noticed, this program uses Perl regular expressions for finding patterns. If you don't know how to use them, you may just put a sequence of letters to be found. Also, to mean a ".", you need to put "\."
To say the filename must END with the pattern, put a "$" as last char. To say the filename must BEGIN with the pattern, put a "^" as first char.
The program will E-Mail you a list of all files containing one or more patterns you configured.
And the most important: it will save the suspicious files in a database in order to:
1) not send the same file every time (so you just need to check a few files if you run it every day)
2) tell you when some of the files have been DELETED
How to install the program in /usr/local/checksuspects:
1) login as root
2) cd /usr/local
3) mkdir checksuspects
4) cd checksuspects
5) [put checksuspects.pl file in this directory]
6) chmod 700 checksuspects.pl
7) recommended: after configuring the program, run it once to make the "first database" (since it's empty, it will be much bigger than the next ones, that will only contain changes)
Here's how I run this program on crontab (set it by typing "crontab -e" logged in as root):
0 5 * * * /usr/bin/checksuspects/checksuspects.pl
(every day at 5am - don't put a peak hour, the program needs resources to check files)
This program is freeware, although a donation is appreciated if you like the program. My paypal address is tdthp *at* terra.com.br
Last edited by anon-e-mouse; 04-18-2004 at 05:07 AM.
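The scan-and-diff logic the post describes, written out as an added Python example (this is not the author's checksuspects.pl, which is not attached here): masks are (regex, minimum size) pairs matched against file names, and the previous run's results are kept in a JSON file so only files that are new since the last run, or have since been deleted, get reported. The mask list is a constructed sample following the four masks described above; the database path and the JSON format are assumptions.

```python
import json, os, re

# Constructed sample configuration mirroring the four masks described in the
# post: (Perl-style regex applied to the file name, minimum size in bytes).
SUSPECT_MASKS = [
    (r"\.mp\d$", 100000),   # ends in .mp0 .. .mp9, at least 100000 bytes
    (r"\.mpe?g$", 100000),  # ends in .mpg or .mpeg, at least 100000 bytes
    (r"child", 5000),       # "child" anywhere in the name, 5000 bytes or more
    (r"hack", 0),           # "hack" anywhere in the name, any size
]

def is_suspect(name, size, masks=SUSPECT_MASKS):
    """Return the first mask matching both the file name and the size floor, or None."""
    for pattern, min_size in masks:
        if size >= min_size and re.search(pattern, name):
            return pattern
    return None

def scan(home_root, masks=SUSPECT_MASKS):
    """Walk the users' home tree and return {path: size} for every suspect file."""
    found = {}
    for root, _dirs, files in os.walk(home_root):   # os.walk does not follow symlinked dirs
        for fname in files:
            path = os.path.join(root, fname)
            if os.path.islink(path):                # ignore symlinks pointing outside the tree
                continue
            try:
                size = os.lstat(path).st_size
            except OSError:                         # file vanished or unreadable mid-scan
                continue
            if is_suspect(fname, size, masks):
                found[path] = size
    return found

def diff_found(found, previous):
    """Split the current scan into files new since the last run and files since deleted."""
    new = sorted(p for p in found if p not in previous)
    deleted = sorted(p for p in previous if p not in found)
    return new, deleted

def run_report(home_root, db_path):
    """One daily run: load the JSON database, diff, store the new state, return the report."""
    previous = json.load(open(db_path)) if os.path.exists(db_path) else {}  # assumed DB format
    found = scan(home_root)
    new, deleted = diff_found(found, previous)
    with open(db_path, "w") as fh:
        json.dump(found, fh)
    return {"new": new, "deleted": deleted}   # this is what would be e-mailed to the admin
```

The first run against an empty database reports every match as "new", exactly the large "first database" the post mentions; later runs only list the changes.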