04-16-2004, 04:34 PM #1 Web Hosting Master
program to detect suspicious files on server
Hello
Here is a script I've done for my hosting company, and that may be useful for many webhosting companies.
How it basically works:
1) you configure the home directory of your users
2) you configure which "mask" is considered suspicious on file names (the attached program comes with a sample configuration). It can depend on file size too.
Explaining it:
my %suspects = (
'\.mp\d$' => 100000,
'\.mpe?g$' => 100000,
'child' => 5000,
'hack' => 0
);
the first one checks for files that end in ".mp\d", where \d is a number from 0-9... so it searches for .mp1, .mp2, .mp3, etc. and are at least 100000 bytes
the second searches for files that end in ".mpg" or ".mpeg" and are at least 100000 bytes
the third searches for files that contain the sequence of letters "child" anywhere and are 5000 bytes or more
the fourth searches for files that contain the sequence of letters "hack", of any size
(REMEMBER NOT TO PUT A "," AFTER THE LAST ITEM!)
So it's basically self-explanatory.
As some may have noticed, this program uses Perl regular expressions for finding patterns. If you don't know how to use them, you may just put the sequence of letters to be found. Also, to match a literal ".", you need to put "\."
To say the filename must END with the pattern, put a "$" as the last char. To say the filename must BEGIN with the pattern, put a "^" as the first char.
If you want to learn some regular expressions, I recommend:
http://www.perldoc.com/perl5.8.0/pod/perlrequick.html
The program will E-Mail you a list of all files containing one or more patterns you configured.
And the most important: it will save the suspicious files in a database in order to:
1) it doesn't send the same file every time (so you just need to check a few files if you run it every day)
2) it tells you when some of the files have been DELETED
How to install the program in /usr/local/checksuspects:
1) login as root
2) cd /usr/local
3) mkdir checksuspects
4) cd checksuspects
5) [put checksuspects.pl file in this directory]
6) chmod 700 checksuspects.pl
7) recommended: after configuring the program, run it once to make the "first database" (since it's empty, it will be much bigger than the next ones, that will only contain changes)
Here's how I run this program on crontab (set it typing "crontab -e" logged as root):
0 5 * * * /usr/bin/checksuspects/checksuspects.pl
(every day at 5am - don't pick a peak hour, the program needs resources to check files)
This program is freeware, although a donation is appreciated if you like the program. My paypal address is tdthp *at* terra.com.br
<<Removed attachment>>
Last edited by anon-e-mouse; 04-18-2004 at 05:07 AM.
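Added illustration in Perl of the mechanism the post describes (name masks with size thresholds, plus a database of previously reported files so that only new and deleted entries are reported); it is not the attached checksuspects.pl, and the database path and case-insensitive matching are assumptions of this example:

```perl
#!/usr/bin/perl
# Illustration of the post's mechanism, not the attached checksuspects.pl:
# flag files whose name matches a mask and whose size meets its minimum, then
# diff against the previous run's database so only NEW and DELETED suspects
# are reported (cron mails the output to root by default).
use strict; use warnings;
use File::Find;
# Same shape as the post's configuration: regex => minimum size in bytes.
my %suspects = (
    '\.mp\d$'  => 100000,
    '\.mpe?g$' => 100000,
    '\.r\d\d$' => 100000,   # split archives .r01, .r02, ... suggested in post #9
    'child'    => 5000,
    'hack'     => 0,
);
my $db_file = '/usr/local/checksuspects/suspects.db';   # assumed location
# Patterns a file name matches, honouring each pattern's size threshold.
# Matching is case-insensitive here (an assumption; the post does not say).
sub matching_patterns {
    my ($name, $size) = @_;
    return grep { $name =~ /$_/i && $size >= $suspects{$_} } sort keys %suspects;
}
# Recursively scan $root; return { full path => size } of suspicious files.
sub scan {
    my ($root) = @_;
    my %found;
    find(sub {
        return unless -f $_;             # find() chdirs, so $_ is the basename
        my $size = -s _ || 0;            # -s is false for an empty file
        $found{$File::Find::name} = $size if matching_patterns($_, $size);
    }, $root);
    return \%found;
}
# Load the previous database, compute new/deleted paths, save the current one.
sub diff_db {
    my ($found) = @_;
    my %old;
    if (open my $in, '<', $db_file) {
        while (<$in>) { chomp; my ($p, $s) = split /\t/; $old{$p} = $s }
        close $in;
    }
    my @new     = grep { !exists $old{$_} }     sort keys %$found;
    my @deleted = grep { !exists $found->{$_} } sort keys %old;
    open my $out, '>', $db_file or die "cannot write $db_file: $!";
    print $out "$_\t$found->{$_}\n" for sort keys %$found;
    close $out;
    return (\@new, \@deleted);
}
my ($new, $deleted) = diff_db(scan(shift || '/home'));
print "NEW $_\n"     for @$new;
print "DELETED $_\n" for @$deleted;
```

Run it once by hand after configuring, as the post recommends, so the first (large) database is written before the cron job starts mailing only the differences.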
04-16-2004, 04:39 PM #2 I'm good with computers.
Thank you very much for sharing this, I will definitely give it a shot!
04-16-2004, 04:44 PM #3 Web Hosting Evangelist
Very interesting script, as miakeru said, thanks for sharing this!
04-16-2004, 05:23 PM #4 Web Hosting Master
neat idea
I would add (I know I could do it for myself but might be better for the group if listed here)
rar files over $x size
avi files over $x size
divx and xvid in the file names
crack
I'm sure I'm missing some.
04-16-2004, 05:29 PM #5 Web Hosting Master
Originally posted by ambirex
neat idea
I would add (I know I could do it for myself but might be better for the group if listed here)
rar files over $x size
avi files over $x size
divx and xvid in the file names
crack
I'm sure I'm missing some.
BTW, avi, divx and xvid are a nice idea
I'm adding them to mine too
04-16-2004, 08:15 PM #6 Junior Guru
good work, thanks
04-16-2004, 08:29 PM #7 Web Hosting Master
good work, I'll be using this for my new server
John Heslop
04-16-2004, 09:12 PM #8 Problem Solver
another thing is this: a lot of the time warez comes in packages such as
.r01
.r02
.r03
etc. without a .rar file, while it is a WinRAR archive
Steven Ciaburri | Industry's Best Server Management - Rack911.com
04-16-2004, 10:10 PM #9 Web Hosting Master
Originally posted by thelinuxguy
another thing is this: a lot of the time warez comes in packages such as
.r01
.r02
.r03
etc. without a .rar file, while it is a WinRAR archive
so I recommend adding this to the list:
'\.r\d\d$' => 100000,
04-16-2004, 10:44 PM #10 Tells All!
Looks good, might have to play with it sometime.
Thanks!
04-17-2004, 12:24 AM #11 Web Hosting Master
Since locate's database is updated daily by default, it would probably be a good idea to use it to speed up the script (and consume fewer resources too).
locate also accepts regular expressions...
I don't have the time to do it now, but the suggestion is there if someone wants to do it
04-17-2004, 02:02 AM #12 Web Hosting Master
Another one that some people may be interested in is 'formmail' for those of you who disallow the use of such scripts.
04-17-2004, 07:01 PM #13 Web Hosting Master
Originally posted by Lem0nHead
since locate's database is updated daily by default
All of the installations that I have seen (and remember) don't have any updatedb scheduled by default.
04-17-2004, 07:42 PM #14 Web Hosting Master
Originally posted by demonmoo
All of the installations that I have seen (and remember) don't have any updatedb scheduled by default.
Ummm, normally not by default, although it can be set up that way.
04-17-2004, 07:42 PM #15 WHT Addict
Nice little script. Very useful.