Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Subscribe to our newsletter

Advertise on LowEndTalk.com

Latest LowEndBox Offers

    Monitoring file changes and creation of new files.
    New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

    Monitoring file changes and creation of new files.

    Hello everyone,
    My wordpress site is sending spams. I've been logging which script is sending emails and I keep deleting the script. But, after a day or two another file is being created. I need to find the script or file which is creating those files.

    Is there any monitoring command or tool which I can setup to watch my wordpress directory to see which file is creating those scripts?

    Your help is much appreciated.

    Thanked by 1rokok

    Comments

    • perennateperennate Member, Provider
      edited January 2016

      http://www.lowendtalk.com/discussion/45156/how-to-get-alert-when-a-file-changes

      Edit: actually at best this will tell you the process that wrote, which isn't useful since it's all PHP. Will post if I think of something else.

      Thanked by 1nehafarzana80
    • GM2015GM2015 Member
      edited January 2016

      Is it being created in the same folder?

      chmod 0000 -R /path/2/folder could help prevent it being created.

      But that doesn't help.

      Go give Vultr(referral) a try. | GNU/Linux http://debian.org

    • Wordfence will notice you when a while changes.

    • afick / tripwire

      How to clean up a questionable reputation: throw the kids some BF/CM offers.

    • Update your plugins/themes, get rid of anything nulled and you should be OK.

      How to clean up a questionable reputation: throw the kids some BF/CM offers.

    • perennateperennate Member, Provider
      edited January 2016

      Here's one way that doesn't need any monitoring, but it isn't guaranteed to correctly identify:

      1) Run stat on the file that was created and get the modify/change timestamp (IIRC change timestamp is more difficult to tamper with than modify timestamp)

      2) Check your web server logs for requests around that timestamp

      3) Debug from there

      This is probably what you want to resolve the current security issue. For future security issue you may still want monitoring, but it will be difficult to get the monitoring to tell you exactly what PHP code or client IP triggered change.

      Edit: actually for future what GM2015 said is more effective, web server should not be able to write it's own code.

      Thanked by 1nehafarzana80
    • ATHKATHK Member
      edited January 2016

      Cloudflare won't let me paste the code here :(

      Anyway this works great for me.

      http://pastebin.com/SKUFZeFA

    • sinsin Member
      edited January 2016

      Save your mysql database, wp-config.php, and uploads folder (make sure there's nothing malicious in the those, regenerate salt for wp-config and change password) and download a fresh copy of Wordpress, plugins, and themes.

      But if you insist on keeping the current install you could use maldet with inotify-tools to monitor the directory for all changes.

    • @sin suggestion probably the best. Also check if you have other sites in that same account, I've experienced an instance where another site got hacked and the hacker inject codes to other sites in that same hosting account.

      Thanked by 1sin
    Sign In or Register to comment.