One danger with this approach is if the intruder also modifies the timestamp(s) on the files at the same time.

Cheers,
Warren.

2009/6/10 Matias Gertel <[email protected]>

> What if you add a daily cron with a command like this:
> find /some/dir -mtime -1 -exec somescript.sh '{}' \;
>
> Where /some/dir is the dir you want to watch, and somescript.sh is a script
> that will email you when the file has changed. See "man find" for more
> options. You can set it to ignore files based on wildcards.
>
> *Matias Gertel*
> Freelance Web Development & Coding
> *e:* [email protected]
> *m:* +64 21 288 8840
> *p:* +64 9 838 3367
>
> On 10/06/2009, at 12:10 PM, chris burgess wrote:
>
>
> Yes, tools like diff and md5 would work and I expect will form the
> components of any solution. I figured that one of the popular IDS
> mechanisms might be well tuned for this use case, and that there'd be
> some folks on list using some similar solution (hand-rolled or of an
> existing project).
>
> Things like tripwire, rkhunter, etc focus on system binaries by
> default (some - I forget which - even go so far as to add a signature
> to the ELF header). If they're focused on binaries, they may not be so
> capable when handling executables for the web (by which I mean *.php
> and friends).
>
> Differences that spring to mind for web-based executables are: the
> large number of cross-referenced include files; ability to exclude
> cache directories (eg apps which generate cache-xxx.php files in a
> specific directory); different maintenance requirements of accepting
> (or not!) the fact that a customer has just uploaded 112 .inc and .php
> files when they downloaded phpbb2.
>
> So - my target here is easier management of a server where another
> admin is installing sites and modules of a popular CMS (and I'd like
> to be notified of what's being added), and notification if an intruder
> modifies any existing file as well.

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
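
An added example, not part of the original thread: a content-hash baseline in Python for the web executables discussed above, which still flags a changed file when its modification time has been put back, reports newly added files, and skips cache directories. The file patterns, the `cache` directory name and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import hashlib, os, tempfile
from fnmatch import fnmatch

PATTERNS = ("*.php", "*.inc")   # assumed set of web executables to track
EXCLUDE_DIRS = {"cache"}        # assumed name of app-generated cache directories

def snapshot(root):
    """Map relative path -> SHA-256 of content for every tracked file."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]  # prune walk
        for name in filenames:
            if any(fnmatch(name, p) for p in PATTERNS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                digests[os.path.relpath(path, root)] = digest
    return digests

def compare(old, new):
    """Report files added, removed or changed in content since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def demo():
    """Constructed tree: one edit with its mtime restored, one upload, one cache file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cache"))
        index = os.path.join(root, "index.php")
        with open(index, "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        before = os.stat(index)
        baseline = snapshot(root)
        with open(index, "w") as fh:                       # content changes ...
            fh.write("<?php echo 'changed'; ?>\n")
        os.utime(index, ns=(before.st_atime_ns, before.st_mtime_ns))  # ... mtime restored
        with open(os.path.join(root, "forum.inc"), "w") as fh:        # newly added file
            fh.write("<?php // new module\n")
        with open(os.path.join(root, "cache", "cache-001.php"), "w") as fh:  # excluded
            fh.write("<?php // generated\n")
        mtime_unchanged = os.stat(index).st_mtime_ns == before.st_mtime_ns
        return compare(baseline, snapshot(root)), mtime_unchanged

if __name__ == "__main__":
    print(demo())
```

For a daily cron job, the baseline would be saved between runs somewhere the web server user cannot write, with the report mailed to the admin.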
