
Directory Checksum

Recently I found suspicious files on some of my websites. After some research I discovered that most of my custom HTML and PHP files had also been modified and contained base64-encoded code. So I decided to write a universal script that lets me take a fingerprint of a site and then manually check my files for changes every week.

This PHP script takes the md5sums of all files in the specified directory (including subdirectories) and saves the result in a custom data file. The next time you run it, it shows you which files are new, which were not changed and which WERE CHANGED. The output and some other options can be customized inside the code itself. If you have ssh access to your webserver, you can do almost the same by running:


find test5 -type f -print0 | xargs -0 md5sum


<?php
#comment this if you want to debug the script
error_reporting(0);

#walk $path recursively and check every file found
function lookDir($path) {
  $handle = @opendir($path);
  if (!$handle)
    return false;
  #compare with false explicitly, otherwise an entry named "0" ends the loop early
  while (($item = readdir($handle)) !== false) {
    if ($item != "." && $item != "..") {
      if (is_dir($path."/".$item))
        lookDir($path."/".$item);
      else
        checkFile($path."/".$item);
    }
  }
  closedir($handle);
  return true;
}

#compare one file against its stored fingerprint and report the result
function checkFile($file) {
  global $hashes;
  global $output;
  global $force_update;
  if (!is_readable($file))
    return;
  $current = md5_file($file);
  if (!isset($hashes[$file])) {
    $hashes[$file] = $current;
    if ($output["new"])
      echo $file."\t\tNew\n";
  #strict comparison: with == two different hashes of the form 0e<digits>
  #are treated as numbers and compare equal
  } elseif ($hashes[$file] === $current) {
    if ($output["success"])
      echo $file."\t\tSuccess\n";
  } elseif ($force_update) {
    #accept the modified file as the new reference, whatever the output settings are
    $hashes[$file] = $current;
    if ($output["failed"])
      echo $file."\t\tUpdate forced\n";
  } else {
    if ($output["failed"])
      echo $file."\t\tFailed!\n";
  }
}

#directory for checking integrity
$dir = "./test5";

#file for storing fingerprints, should be writeable in case of fingerprints update
#keep it outside $dir, otherwise it is fingerprinted together with the site files
$file = "./fingerprints";

#set this value to false if you do not want to update fingerprints
$can_update = true;

#set this value to true if you want to update fingerprints of modified files
#you should do this only if you modified the files yourself
$force_update = false;

#the output parameters
$output["new"] = true;
$output["success"] = true;
$output["failed"] = true;

header("Content-Type: text/plain");
#the stored data is a plain array, so do not let unserialize() create objects from it
$hashes = unserialize(file_get_contents($file), array("allowed_classes" => false));
if (!$hashes || !is_array($hashes))
  $hashes = array();
if (!lookDir($dir))
  echo "Could not open the directory ".$dir."\n";
if ($can_update) {
  if (file_put_contents($file, serialize($hashes)) !== false)
    echo "Fingerprints were updated\n";
  else
    echo "The file cannot be opened for writing! Fingerprints were not updated\n";
} else
  echo "Fingerprints were not updated\n";

?>
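
The find/md5sum one-liner only prints hashes. As an added example (not the author's code), this shell version saves a baseline and reports new, changed and deleted files; the PHP script walks only the files that currently exist, so it never reports a deletion. The function names, the baseline file name and the sample tree are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the author's code; names and paths are assumptions.

# fingerprint DIR: print "<md5>  <path>" for every regular file under DIR.
fingerprint() {
    find "$1" -type f -exec md5sum {} + | sort -k 2
}

# compare_fingerprints BASELINE DIR: report NEW, CHANGED and DELETED files.
# Keep BASELINE outside DIR (and outside the web root) so that whoever can
# write to the site cannot also rewrite the fingerprints.
compare_fingerprints() {
    fingerprint "$2" | awk -v baseline="$1" '
        BEGIN {
            # md5sum line: 32 hex chars, two separator chars, then the path
            while ((getline line < baseline) > 0)
                old[substr(line, 35)] = substr(line, 1, 32)
        }
        {
            path = substr($0, 35); hash = substr($0, 1, 32)
            seen[path] = 1
            if (!(path in old))         print "NEW\t" path
            else if (old[path] != hash) print "CHANGED\t" path
        }
        END {
            for (path in old)
                if (!(path in seen)) print "DELETED\t" path
        }' | sort
}

# demo: constructed site tree in a temp directory, then three kinds of change.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/site/inc"
    echo 'home page'  > "$work/site/index.php"
    echo 'library'    > "$work/site/inc/lib.php"
    echo 'about us'   > "$work/site/about page.html"
    ( cd "$work" && fingerprint site > baseline.md5 )

    echo 'injected line (constructed)' >> "$work/site/index.php"   # modified
    echo 'dropped file (constructed)' > "$work/site/inc/new.php"   # added
    rm "$work/site/about page.html"                                # removed

    ( cd "$work" && compare_fingerprints baseline.md5 site )
    rm -rf "$work"
}

demo
```

Unchanged files produce no output, so an empty result means the tree still matches the baseline. Paths are taken from column 35 of each md5sum line, which keeps file names containing spaces intact.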
