Monitoring file changes and creation of new files.

Hello everyone,
My WordPress site is sending spam. I've been logging which script is sending emails and I keep deleting the script. But after a day or two, another file is created. I need to find the script or file which is creating those files.

Is there any monitoring command or tool which I can set up to watch my WordPress directory to see which file is creating those scripts?

Your help is much appreciated.

Thanked by 1rokok

Comments

  • perennate Member, Host Rep
    edited January 2016

    http://www.lowendtalk.com/discussion/45156/how-to-get-alert-when-a-file-changes

    Edit: actually at best this will tell you the process that wrote, which isn't useful since it's all PHP. Will post if I think of something else.

    Thanked by 1nehafarzana80
  • GM2015 Member
    edited January 2016

    Is it being created in the same folder?

    chmod 0000 -R /path/2/folder could help prevent it being created.

    But that doesn't help.

  • Wordfence will notify you when a file changes.

  • afick / tripwire

  • Update your plugins/themes, get rid of anything nulled and you should be OK.

  • perennate Member, Host Rep
    edited January 2016

    Here's one way that doesn't need any monitoring, but it isn't guaranteed to correctly identify:

    1) Run stat on the file that was created and get the modify/change timestamp (IIRC change timestamp is more difficult to tamper with than modify timestamp)

    2) Check your web server logs for requests around that timestamp

    3) Debug from there

    This is probably what you want to resolve the current security issue. For future security issues you may still want monitoring, but it will be difficult to get the monitoring to tell you exactly what PHP code or client IP triggered the change.

    Edit: actually for the future, what GM2015 said is more effective; the web server should not be able to write its own code.

    Thanked by 1nehafarzana80
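
The stat-then-check-the-logs procedure from the comment above, sketched in Python as an added example (not code posted by anyone in the thread). It assumes an access log in the common/combined format; the log lines, IP addresses and paths are constructed samples.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Common/combined log format: IP, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def file_change_time(path):
    """Step 1: change time of the dropped file, as an aware UTC datetime."""
    # On Linux st_ctime is the inode change time that `stat` prints as "Change".
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)

def parse_access_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return entry

def requests_near(log_lines, when, window_seconds=60):
    """Step 2: requests within +/- window of `when`, POSTs listed first."""
    window = timedelta(seconds=window_seconds)
    hits = [e for e in map(parse_access_line, log_lines)
            if e and abs(e["time"] - when) <= window]
    # POSTs are sorted first because they carry a request body to the script.
    return sorted(hits, key=lambda e: (e["method"] != "POST", e["time"]))

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jan/2016:03:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Jan/2016:03:14:05 +0000] "POST /wp-content/plugins/example-plugin/handler.php HTTP/1.1" 200 31',
    '198.51.100.7 - - [12/Jan/2016:03:14:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2310',
    '203.0.113.9 - - [12/Jan/2016:04:00:00 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 200 12',
    'not an access log line',
]

if __name__ == "__main__":
    # Constructed change time; on a real host use file_change_time(path).
    when = datetime(2016, 1, 12, 3, 14, 7, tzinfo=timezone.utc)
    for e in requests_near(SAMPLE_LOG, when):
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
```

The `%z` offset in each log line is honoured, so the comparison stays correct when the web server logs in local time.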
  • ATHK Member
    edited January 2016

    Cloudflare won't let me paste the code here :(

    Anyway this works great for me.

    http://pastebin.com/SKUFZeFA

  • sin Member
    edited January 2016

    Save your MySQL database, wp-config.php, and uploads folder (make sure there's nothing malicious in those, regenerate the salt for wp-config and change the password) and download a fresh copy of WordPress, plugins, and themes.

    But if you insist on keeping the current install you could use maldet with inotify-tools to monitor the directory for all changes.

  • @sin's suggestion is probably the best. Also check if you have other sites in that same account; I've experienced an instance where another site got hacked and the hacker injected code into other sites in that same hosting account.

    Thanked by 1sin