Monitoring websites for exploits and malware

When you run a website, especially a CMS driven one – there are always opertunistic script kiddies looking to take advantage of known loopholes in your setup. There are a lot of ways to increase the security on your server and today we will discuss how to monitor your web folder for unexpected changes.

First up we are going to execute this command in your terminal:
find /var/www -type f -mtime -1 -print
That should print out all the files that have been modified or created in the last 24 hours in the /var/www/ directory.

Provided that works we will now make this execute daily and send you an email of the summary.

Navigate to your home folder and create a file called checkWebsiteFiles.

In this file we will put the following code:
wwwFiles=$(find /var/www -type f -mtime -1 -print)
/usr/sbin/sendmail "" <<EOF
subject:Todays web files that were monitored

Basically, the above script simply fires off an email to your account with the same output as we saw above. To test it you can simply run:

chmod 755

Now we need to make this happen daily on its own, so we add it to cron.

In Ubuntu all your cron jobs are located in /etc/cron.[daily|hourly|monthly|weekly]

To add our script to the daily cron, simply move it to the appropriate directory:

mv /home/youruser/checkWebsiteFiles /etc/cron.daily

You are now set up to receive daily notifications about modified files in your web directory. If you want to change it from daily to hourly then simply change the second line of checkWebsiteFiles to this:

wwwFiles=$(find /var/www -type f -mtime -0.042 -print)

You would then move the checkWebsiteFiles to the /etc/cron.hourly folder. You should notice that the 0.042 is actually just 1/24 (ie the number of hours in a day).

To learn how to simply backup your databases remotely, check out this tutorial.

Comments are closed.