
Monitoring files change with PHP

This article is about monitoring all file changes on a regular basis with a little PHP script. It follows the malicious code removal article, but it can be useful for a huge number of things, even if the use of PHP may limit its applications.

Monitoring file changes is a good way to catch any kind of PHP infection before it is too late and to be aware of anything suspicious happening to your files. This article is not only about PHP infections, even if the script was made to prevent them: the solution presented here can be used for many other things… not only for PHP files, it is quite generic.

A way of doing it on Unix systems is to make use of “find” and a hash generator like “md5sum”, like so:

find . -type f -exec md5sum {} \; > md5sums_list
md5sum -c md5sums_list

Combined with some kind of storage for the hashes, this is a fast and very simple way of checking whether files differ (it can also be done easily in PHP) and of knowing which files have been changed, but if you want to see the actual changes, you will need a more advanced method.

There is pretty good software which already does this, and in a much better way (like auditd), but I wanted a simple cross-platform solution to be aware of any file modification, to prevent infections before everything is screwed… this is actually what is under the hood of popular protection plugins for WordPress like Wordfence; you could create a similar plugin quite easily if you dump the data into a database.

The PHP script presented here recursively scans all files in a specified directory on a regular basis and logs the files which were modified between two scans, along with their content (this can be very memory hungry, so it is restricted based on the file size) and the content difference (thanks to the finediff library). It is very fast because it only checks for differences in file size, and it is able to do log rotation. I set it to run as a cron job every hour on a server and it works like a charm.

But an issue shows up rapidly… how do you make sense of the vast amount of logs produced?

This is where the web log viewer kicks in. It is a rather simple app made with the DataTables library: just a file input field to load the log file and a table, but this is enough to quickly see what is going on with your files for each scan, and you can even see the differences rapidly, thanks to the HTML rendering of the finediff library, when you click on a file row.

[Screenshot: PHP files monitoring logs web viewer (live version)]

Now, to start monitoring your files, you have to call files_monitor.php

But before that, you will likely have to configure it for your usage:

  • Change the $target_directory value to the directory you want to monitor (all .php files in this directory will be monitored)
  • Change the $log_directory value to the directory where you want to store the produced log files
  • Change the $filesize_content_to_log_limit value to the number of bytes you want; all files of that size or smaller will have their content and the content diff logged (I use 50000 for 50 KB, which may be enough for .php files)
  • Change the $log_rotation_filesize value to the number of bytes at which the log rotation should kick in (like 10000000 for 10 MB)
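As an added example (not the script from the post, which compares only file sizes between scans), here is a minimal PHP scanner built around the same configuration variables: it keeps a JSON snapshot of size and SHA-256 per .php file, so it also catches same-size edits that a size-only check misses, and logs added, modified and deleted files. The snapshot and log file names are assumptions.

```php
<?php
// Added example, not the post's files_monitor.php. Variable names follow the
// post's configuration; snapshot.json and changes.log are assumed names.
$target_directory = __DIR__ . '/site';   // directory to monitor
$log_directory    = __DIR__ . '/logs';   // where the snapshot and change log live
$filesize_content_to_log_limit = 50000;  // log content only for files <= this many bytes
$snapshot_file    = $log_directory . '/snapshot.json';

// Walk the target directory and record size + SHA-256 of every .php file.
function scan_directory(string $dir): array {
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        // change or remove this filter to monitor other file types
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $files[$path] = ['size' => $file->getSize(), 'sha256' => hash_file('sha256', $path)];
    }
    return $files;
}

// Compare two snapshots; a hash mismatch flags a change even when the size is equal.
function diff_snapshots(array $old, array $new): array {
    $changes = [];
    foreach ($new as $path => $info) {
        if (!isset($old[$path])) {
            $changes[] = ['type' => 'added', 'file' => $path];
        } elseif ($old[$path]['sha256'] !== $info['sha256']) {
            $changes[] = ['type' => 'modified', 'file' => $path,
                          'size_changed' => $old[$path]['size'] !== $info['size']];
        }
    }
    foreach (array_diff_key($old, $new) as $path => $_) {
        $changes[] = ['type' => 'deleted', 'file' => $path];
    }
    return $changes;
}

if (!is_dir($log_directory)) { mkdir($log_directory, 0700, true); }
$previous = is_file($snapshot_file)
    ? (json_decode(file_get_contents($snapshot_file), true) ?: []) : [];
$current  = scan_directory($target_directory);
foreach (diff_snapshots($previous, $current) as $change) {
    if ($change['type'] !== 'deleted' && $current[$change['file']]['size'] <= $filesize_content_to_log_limit) {
        $change['content'] = file_get_contents($change['file']); // small files only, as in the post
    }
    file_put_contents($log_directory . '/changes.log',
        date('c') . ' ' . json_encode($change) . PHP_EOL, FILE_APPEND | LOCK_EX);
}
file_put_contents($snapshot_file, json_encode($current), LOCK_EX);
```

Run it from cron as the post describes; the first run only writes the snapshot, and every later run appends one JSON line per change to changes.log.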

Idea: It could be fun to add a pretty report by mail or message; if you have any suggestions, please share them.

Idea: It could be very fun to serve the log data in real time to the viewer.

Note: If you want to monitor other kinds of files than .php files, you have to change the conditional at line 67, extend it, or remove it if you want to log every file.

Note: Due to the use of the file_get_contents function and many other things, the script may get very memory hungry for very large files, and it may get very resource hungry as well if you log the diff content (although this can be tweaked by changing the way the diff is produced; right now it is word based) and the content of large files.

Disclaimer: I take no responsibility for any loss or damage suffered as a result of using the scripts presented here.

Download:
php_files_monitor.tar
php_files_monitor_viewer.tar
