
Handy tool to monitor file creation on your server!

When you run a live server, there are situations in which you or your clients need a list of the files that have recently been created. This is very helpful, for example, when a backdoor has been planted on your server and you need to track it down and close the vulnerability it came in through. These days we see a lot of malicious scripts being uploaded through vulnerabilities in the plugins or themes of the CMSes hosted on the server, and tracking down those upload locations by hand is a tedious job.

Luckily, the ‘inotifywait’ command can report changes to a file, or the creation of new files, as they happen. It is part of the inotify-tools package; install it on an RPM-based server with:

# yum install inotify-tools

Once the installation is complete, go ahead and create a script like the following:

# vi /etc/init.d/inotifywaitd

#!/bin/bash
# Start or stop one inotifywait process per hosting account, logging every
# file created under /home/<user>/public_html to /root/newfiles/<user>.

DIR="/root/newfiles"
INOTIFY_CMD="/usr/bin/inotifywait"

if [ $# != 1 ]; then
    echo "Usage: /etc/init.d/inotifywaitd {start|stop}"
    exit 1
fi

if [ ! -d "${DIR}" ]; then
    mkdir -m 700 "${DIR}"
fi

case "$1" in

start)
    # Glob directly instead of parsing `ls` output.
    for i in /home/*/public_html; do
        [ -d "${i}" ] || continue
        user=$(echo "${i}" | cut -d/ -f3)
        # -m: keep running, -r: watch subdirectories too, -e create: only creation events.
        # '%T %w%f' logs a timestamp and the full path; the bare '%f' would log only the
        # filename, which with -r loses the directory the file landed in.
        # Append (>>) so a restart does not truncate the evidence already collected.
        ${INOTIFY_CMD} -m -r -e create --timefmt '%F %T' --format '%T %w%f' \
            "${i}" >> "${DIR}/${user}" 2>> "${DIR}/${user}.err" &
    done
    ;;

stop)
    # Only kill the watchers this script started, not every inotifywait on the box.
    pkill -f "${INOTIFY_CMD} -m -r -e create"
    ;;

*)
    echo "Usage: /etc/init.d/inotifywaitd {start|stop}"
    exit 1
    ;;

esac

# chmod 755 /etc/init.d/inotifywaitd

# /etc/init.d/inotifywaitd start

The above script watches the document root of each user and, whenever a new file appears anywhere below it, appends a line naming that file to /root/newfiles/$username. A few things to keep in mind: with -r, inotify places one watch on every subdirectory, so on accounts with large trees you may hit the fs.inotify.max_user_watches limit (check /proc/sys/fs/inotify/max_user_watches and raise it with sysctl if the watcher fails to start); only the ‘create’ event is logged, so a file dropped into place by a rename from elsewhere (a ‘moved_to’ event) or a modification of an existing file will not show up unless you add those events to -e; and the logs live under /root, so only root can read or tamper with them. It can become a really handy tool when you are going through an inspection phase on your server 😉
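Reading the raw per-user logs by hand still takes time on a busy server, so here is a small triage function, added as an example and not part of the original post. It assumes each log line has the form "<date> <time> <full path>" (i.e. inotifywait run with --timefmt '%F %T' --format '%T %w%f'), and it flags three patterns that commonly point at a web shell: a PHP-family file created under an uploads, cache or tmp directory; a double extension that hides PHP behind an image or document extension; and a dotfile (such as a new .htaccess) appearing inside the document root. The sample log below is constructed for the demonstration, and the rule set is illustrative, not exhaustive.

```shell
#!/bin/bash
# Added example: triage the per-user logs written by the inotifywait watcher.
# Input lines are assumed to be "<date> <time> <full path>".

# Constructed sample log, standing in for /root/newfiles/alice
SAMPLE_LOG='2024-05-01 10:00:01 /home/alice/public_html/wp-content/uploads/2024/05/photo.jpg
2024-05-01 10:00:02 /home/alice/public_html/wp-content/uploads/2024/05/wp-conf.php
2024-05-01 10:00:03 /home/alice/public_html/wp-content/plugins/foo/foo.php
2024-05-01 10:00:04 /home/alice/public_html/wp-content/uploads/2024/05/shell.php.jpg
2024-05-01 10:00:05 /home/alice/public_html/wp-content/uploads/.htaccess
2024-05-01 10:00:06 /home/alice/public_html/wp-content/uploads/2024/05/Scan 1.pdf'

# Read log lines on stdin, print one flagged path per line.
# `read -r d t path` puts everything after the second field into $path,
# so paths containing spaces survive intact.
suspicious_files() {
    local d t path base lower
    while read -r d t path; do
        [ -z "$path" ] && continue
        base=${path##*/}
        lower=$(printf '%s' "$base" | tr 'A-Z' 'a-z')

        # Rule 1: executable web files in directories that should only hold data.
        case "$path" in
            */uploads/*|*/cache/*|*/tmp/*)
                case "$lower" in
                    *.php|*.phtml|*.php[0-9]|*.phar) echo "$path"; continue ;;
                esac ;;
        esac

        # Rule 2: double extension hiding PHP (shell.php.jpg, x.phtml.png).
        case "$lower" in
            *.php.*|*.phtml.*) echo "$path"; continue ;;
        esac

        # Rule 3: dotfiles appearing inside the document root (.htaccess, .user.ini).
        case "$base" in
            .*) echo "$path"; continue ;;
        esac
    done
}

# Convenience wrapper: number of flagged files on stdin.
count_suspicious() {
    suspicious_files | grep -c .
}

# Usage against a real log: suspicious_files < /root/newfiles/alice
printf '%s\n' "$SAMPLE_LOG" | suspicious_files
```

On the constructed log this prints wp-conf.php, shell.php.jpg and .htaccess, and leaves the plugin's own foo.php, the photo and the PDF alone. Run it over every file in /root/newfiles after a quiet night and you have a short list to open first.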