Thursday, October 1, 2009

Directory Checksum

Recently I found suspicious files on some of my websites. After some research I discovered that most of my custom HTML and PHP files had also been modified and contained base64-encoded code. So I decided to make a universal script that would let me take a fingerprint of a site and then manually check it weekly for any changes to my files. This PHP script takes the MD5 sums of all files in the specified directory (including subdirectories) and saves the result in a custom data file. The next time you run it, it shows you new files, files that were not changed, and files that WERE CHANGED. The output and some other options can be customized inside the code itself. Anyway, if you have SSH access to your web server, you can do almost the same by running


find test5 -type f | xargs md5sum


<?php
#comment this if you want to debug the script
error_reporting(0);

#walk $path recursively and check every regular file found
function lookDir($path) {
  $handle = @opendir($path);
  if (!$handle)
    return false;
  #compare with false explicitly: a file named "0" would otherwise end the loop early
  while (($item = readdir($handle)) !== false) {
    if ($item != "." && $item != "..") {
      if (is_dir($path."/".$item))
        lookDir($path."/".$item);
      else
        checkFile($path."/".$item);
    }
  }
  closedir($handle);
  return true;
}

#compare one file with its stored fingerprint and report New / Success / Failed!
function checkFile($file) {
  global $hashes;
  global $output;
  global $force_update;
  if (!is_readable($file))
    return;
  $current = md5_file($file);
  if (!isset($hashes[$file])) {
    $hashes[$file] = $current;
    if ($output["new"])
      echo $file."\t\tNew\n";
  #strict comparison: with == PHP treats numeric-looking hashes such as "0e..." as equal numbers
  } elseif ($hashes[$file] === $current) {
    if ($output["success"])
      echo $file."\t\tSuccess\n";
  } elseif ($force_update) {
    #the stored fingerprint is replaced whether or not "failed" output is enabled
    $hashes[$file] = $current;
    if ($output["failed"])
      echo $file."\t\tUpdate forced\n";
  } else {
    if ($output["failed"])
      echo $file."\t\tFailed!\n";
  }
}

#directory for checking integrity
$dir = "./test5";

#file for storing fingerprints, should be writeable in case of fingerprints update
#keep it outside the web root: whoever can modify your files can also rewrite
#a fingerprint file stored next to them
$file = "./fingerprints";

#set this value to false if you do not want to update fingerprints
$can_update = true;

#set this value to true if you want to update fingerprints of modified files
#you should do this only if you had modified the files yourself
$force_update = false;

#the output parameters
$output["new"] = true;
$output["success"] = true;
$output["failed"] = true;

header("Content-Type: text/plain");
$hashes = array();
if (is_readable($file)) {
  #only a plain array is expected here; do not let the data file instantiate objects (PHP 7+)
  $stored = unserialize(file_get_contents($file), array("allowed_classes" => false));
  if (is_array($stored))
    $hashes = $stored;
}
if (!lookDir($dir))
  echo "Could not open the directory ".$dir."\n";
if ($can_update) {
  if (file_put_contents($file, serialize($hashes)) !== false)
    echo "Fingerprints were updated\n";
  else
    echo "The file cannot be opened for writing! Fingerprints were not updated\n";
} else {
  echo "Fingerprints were not updated\n";
}
?>
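As an added example (not the post's code), here is the find | md5sum one-liner from above turned into a baseline-and-compare check that reports the same New / Success / Failed! statuses as the PHP script; fingerprint_check, its arguments and the extra Missing status are my own choices, and the code assumes GNU or BusyBox md5sum output (hash, two spaces, path).

```shell
# fingerprint_check DIR BASELINE [update]
#   first run  : writes BASELINE and reports every file as New
#   later runs : prints New / Success / Failed! per file like the PHP script,
#                plus Missing (an addition: in the baseline but gone from disk),
#                and returns 1 if anything is new, changed or missing, else 0
#   "update"   : rewrite BASELINE afterwards (the equivalent of $force_update)
fingerprint_check() {
  dir=$1
  baseline=$2
  current=$(mktemp)
  # The post's find | md5sum pipeline, run relative to DIR and sorted by path,
  # so the baseline can live (and be compared) outside the web root.
  (cd "$dir" && find . -type f -exec md5sum {} + | LC_ALL=C sort -k 2) > "$current"
  if [ ! -f "$baseline" ]; then
    # md5sum prints "<32 hex>  <path>": the path starts at column 35, and taking
    # it with substr instead of $2 keeps file names that contain spaces intact.
    awk '{ print substr($0, 35) "\t\tNew" }' "$current"
    mv "$current" "$baseline"
    return 0
  fi
  rc=0
  awk '
    BEGIN { bad = 0 }
    # first file: remember the recorded hash of every path
    FILENAME == ARGV[1] { old[substr($0, 35)] = $1; next }
    # second file: classify each file found on disk now
    {
      path = substr($0, 35); seen[path] = 1
      if (!(path in old))       { print path "\t\tNew";     bad = 1 }
      else if (old[path] == $1) { print path "\t\tSuccess" }
      else                      { print path "\t\tFailed!"; bad = 1 }
    }
    END {
      for (path in old) if (!(path in seen)) { print path "\t\tMissing"; bad = 1 }
      exit bad
    }' "$baseline" "$current" || rc=$?
  if [ "$3" = update ]; then
    cp "$current" "$baseline"
  fi
  rm -f "$current"
  return $rc
}
```

Run it from an SSH session as, for example, `fingerprint_check ./test5 ~/fingerprints` and keep the baseline file in a location the web server cannot write to; a non-zero exit status makes it easy to drive from cron.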
