Hi.

This will produce a list of changed files, and it's not possible to put
the ctime back if you modify a file. It also ignores directories:

find /some/dir -ctime -1 \! -type d -print

-Craig

On 11/06/2009, at 9:07 AM, Wazzä wrote:
> One danger with this approach is if the intruder also modifies the
> timestamp(s) on the files at the same time.
>
> Cheers,
> Warren.
>
> 2009/6/10 Matias Gertel <[email protected]>
> What if you add a daily cron with a command like this:
>
> find /some/dir -mtime -1 -exec somescript.sh '{}' \;
>
> Where /some/dir is the dir you want to watch, and somescript.sh is a
> script that will email you when the file has changed. See "man find"
> for more options. You can set it to ignore files based on wildcards.
>
> Matias Gertel
> Freelance Web Development & Coding
> e: [email protected]
> m: +64 21 288 8840
> p: +64 9 838 3367
>
> On 10/06/2009, at 12:10 PM, chris burgess wrote:
>
>
> Yes, tools like diff and md5 would work and I expect will form the
> components of any solution. I figured that one of the popular IDS
> mechanisms might be well tuned for this use case, and that there'd be
> some folks on list using some similar solution (hand-rolled or of an
> existing project).
>
> Things like tripwire, rkhunter, etc focus on system binaries by
> default (some - I forget which - even go so far as to add a signature
> to the ELF header). If they're focused on binaries, they may not be so
> capable when handling executables for the web (by which I mean *.php
> and friends).
>
> Differences that spring to mind for web-based executables are: the
> large number of cross-referenced include files; ability to exclude
> cache directories (eg apps which generate cache-xxx.php files in a
> specific directory); different maintenance requirements of accepting
> (or not!) the fact that a customer has just uploaded 112 .inc and .php
> files when they downloaded phpbb2.
>
> So - my target here is easier management of a server where another
> admin is installing sites and modules of a popular CMS (and I'd like
> to be notified of what's being added), and notification if an intruder
> modifies any existing file as well.
>
--~--~---------~--~----~------------~-------~--~----~
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
-~----------~----~----~----~------~----~------~--~---