Here is a script I set up the other day to monitor for files being altered. If there is a change, however slight, md5 hashes are one of the best methods to detect it. This script stores a list of md5 hashes for the requested files (using the -c option) and checks the current files against that list (using the -s option); if anything has changed it sends an email to alert whoever you want. Here is the script…
#!/usr/bin/perl
use strict;
use warnings;

die "Usage: You must enter an option of -c for create or -s for scan\n" unless defined $ARGV[0];
die "Usage: -c create md5file -s scan for changes.\n" unless $ARGV[0] eq '-c' or $ARGV[0] eq '-s';

# Build the list of files to watch; add more find commands here and
# include their arrays in @files as well.
my @files1 = `find /somewebdirectory/*.php`;
my @files2 = `find /someotherwebdirectory/*.php -maxdepth 1`;
my @files3 = `find /yetanotherdirectory/*.txt`;
my @files  = (@files1, @files2, @files3);
chomp @files;   # find prints one path per line; drop the trailing newlines

my $sysname = `/bin/uname -n`;
chomp $sysname;
my $email   = 'youremail@yoursite.com';
my $stored  = "/fullpathto/stored_md5s";   # Make sure to use full path if using cron
my $warning = "";

if ($ARGV[0] eq '-c') {
    # -c for stored_md5 file creation or overwrite
    open my $out, '>', $stored or die "Cannot write $stored: $!";
    foreach my $file (@files) {
        my $md5sum = `md5sum "$file"`;
        print $out $md5sum;   # "<hash>  <path>\n", exactly as md5sum prints it
    }
    close $out;
    print "New md5sum file created as $stored\n";
}
elsif ($ARGV[0] eq '-s') {
    # -s to scan the files for changes against the stored hashes
    open my $in, '<', $stored or die "Cannot read $stored: $!";
    my %stored;   # path => hash, read from the baseline file
    while (my $line = <$in>) {
        chomp $line;
        my ($hash, $path) = split ' ', $line, 2;
        $stored{$path} = $hash if defined $path;
    }
    close $in;

    foreach my $file (@files) {
        my $md5sum = `md5sum "$file"`;
        chomp $md5sum;
        my ($hash, $path) = split ' ', $md5sum, 2;
        next unless defined $path;   # md5sum produced nothing (file vanished); skip it
        if (!exists $stored{$path}) {
            $warning .= "Warning...$path is a new file\n";
            print "Warning...$path is a new file\n";
        }
        elsif ($stored{$path} ne $hash) {
            $warning .= "Warning...$path has been changed\n";
            print "Warning...$path has been changed\n";
        }
    }

    if ($warning eq "") {
        print "All seems well for the directories checked\n";
    }
    else {
        print "Sending Email alert\n";
        mailer();
    }
}

# Subroutine for Mail, sends the collected warnings when any were raised.
sub mailer {
    open(my $mail, '|-', '/usr/sbin/sendmail -t') or die "Cannot open sendmail!: $!";
    print $mail "To: $email\n";
    print $mail "From: $sysname\n";
    print $mail "Subject: Warning Files have been changed\n\n";
    print $mail $warning;
    print $mail "~" x 75, "\n", "~" x 75, "\n", "From system: $sysname\n";
    close($mail);
}
So, to use it, just set up the directories and file extensions you are monitoring in the find commands for the @file<num> arrays. You can add as many as you like; just make sure you tuck each one into the @files array as well. Change the email address to one that you’ll receive and run it with ./checkdir.pl -c to create the stored_md5s file. The file will contain entries like this:
f04249fa5a516b2f3a739c37124facac /somewhere/directory/index.php
184302cdf176b0e4691eb0b75582c899 /anotherdirectory/template.php
Then you can run ./checkdir.pl -s to scan for changes; if it finds a changed file (or a new one) it will send an email. You can rebuild the hash file with the -c option, and use cron to automate the scan.
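The same baseline-and-scan idea, written as an added Python example rather than code from the post: it hashes with SHA-256 (MD5 still catches accidental edits, but collisions can be manufactured for it, so a deliberate tamper could keep the MD5 unchanged), stores the baseline in the same "digest  path" layout as md5sum/sha256sum, and also reports files that have disappeared since the baseline, which the script above does not check. The directory names, file names and contents in demo() are constructed for the example.

```python
#!/usr/bin/env python3
"""Baseline-and-scan file integrity check (constructed example, not the
original Perl script). Uses SHA-256 instead of MD5 and also reports files
that disappeared since the baseline was taken."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(roots, patterns=("*.php",), recursive=True):
    """Map each matching file path to its digest, like the stored_md5s file."""
    manifest = {}
    for root in roots:
        root = Path(root)
        for pattern in patterns:
            paths = root.rglob(pattern) if recursive else root.glob(pattern)
            for p in sorted(paths):
                if p.is_file():
                    manifest[str(p)] = file_digest(p)
    return manifest


def save_manifest(manifest, dest):
    """Write 'digest  path' lines, the layout md5sum/sha256sum print."""
    with open(dest, "w", encoding="utf-8") as fh:
        for path in sorted(manifest):
            fh.write(f"{manifest[path]}  {path}\n")


def load_manifest(src):
    """Read a manifest written by save_manifest back into a dict."""
    manifest = {}
    with open(src, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, path = line.split("  ", 1)
            manifest[path] = digest
    return manifest


def compare_manifests(baseline, current):
    """Classify every path as changed, new or removed relative to the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "new": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def format_report(diff):
    """Build the warning text to mail; an empty string means nothing changed."""
    labels = (("changed", "has been changed"), ("new", "is a new file"), ("removed", "is missing"))
    lines = []
    for kind, label in labels:
        lines.extend(f"Warning...{p} {label}" for p in diff[kind])
    return "\n".join(lines)


def demo():
    """Constructed scenario: baseline three files, then edit one, add one, delete one.
    Returns the diff with paths relative to the temp dir so the result is deterministic."""
    with tempfile.TemporaryDirectory() as d:
        web = Path(d) / "web"
        web.mkdir()
        for name in ("index.php", "template.php", "old.php"):
            (web / name).write_text(f"<?php // {name}\n")
        baseline_file = Path(d) / "stored_hashes"
        save_manifest(build_manifest([web]), baseline_file)

        (web / "index.php").write_text("<?php // index.php edited\n")  # changed
        (web / "extra.php").write_text("<?php // extra.php\n")         # new
        (web / "old.php").unlink()                                        # removed

        diff = compare_manifests(load_manifest(baseline_file), build_manifest([web]))
        return {k: [str(Path(p).relative_to(web)) for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    result = demo()
    print(format_report(result) or "All seems well for the directories checked")
```

Whatever hash is used, the baseline file and the checker itself need the same protection as the files they guard: if someone who can edit the web files can also rewrite the stored hashes, a rebuilt baseline hides the change. Keeping the baseline read-only or on another host, and comparing against a copy the cron job cannot write, closes that gap.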