Monitoring file changes and creation of new files.
nehafarzana80
Member
in Help
Hello everyone,
My WordPress site is sending spam. I've been logging which script is sending emails and I keep deleting the script. But, after a day or two another file is being created. I need to find the script or file which is creating those files.
Is there any monitoring command or tool which I can set up to watch my WordPress directory to see which file is creating those scripts?
Your help is much appreciated.
Comments
http://www.lowendtalk.com/discussion/45156/how-to-get-alert-when-a-file-changes
Edit: actually at best this will tell you the process that wrote it, which isn't useful since it's all PHP. Will post if I think of something else.
Is it being created in the same folder?
chmod 0000 -R /path/2/folder could help prevent it being created.
But that doesn't help.
Wordfence will notify you when a file changes.
afick / tripwire
Update your plugins/themes, get rid of anything nulled and you should be OK.
Here's one way that doesn't need any monitoring, but it isn't guaranteed to correctly identify:
1) Run stat on the file that was created and get the modify/change timestamp (IIRC change timestamp is more difficult to tamper with than modify timestamp)
2) Check your web server logs for requests around that timestamp
3) Debug from there
This is probably what you want to resolve the current security issue. For future security issues you may still want monitoring, but it will be difficult to get the monitoring to tell you exactly what PHP code or client IP triggered the change.
Edit: actually for the future what GM2015 said is more effective, the web server should not be able to write its own code.
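The stat-then-grep-the-logs procedure above, as an added example that is not part of the original post: it reads the ctime of the dropped file and lists the requests in a combined-format access log within a window of that time, flagging POSTs to PHP files first. The log lines and the change timestamp below are constructed for the demonstration; the log format (Apache/nginx combined) and the 60-second window are assumptions.

```python
import os
import re
from datetime import datetime, timezone

# One combined-format access log line, e.g.
# 203.0.113.5 - - [12/Mar/2016:03:14:07 +0000] "POST /x.php HTTP/1.1" 200 512 "-" "UA"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def file_change_epoch(path):
    """Epoch of the inode change time (ctime), the same value `stat` prints as Change."""
    return os.stat(path).st_ctime

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    epoch = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m.group("ip"), "epoch": epoch,
            "request": m.group("req"), "status": int(m.group("status"))}

def requests_near(epoch, log_lines, window=60):
    """Requests logged within `window` seconds of `epoch`, closest first."""
    hits = [r for r in map(parse_line, log_lines) if r and abs(r["epoch"] - epoch) <= window]
    hits.sort(key=lambda r: abs(r["epoch"] - epoch))
    return hits

def suspicious_requests(epoch, log_lines, window=60):
    """Of the nearby requests, the POSTs aimed at PHP files (backdoor traffic usually looks like this)."""
    return [r for r in requests_near(epoch, log_lines, window)
            if r["request"].startswith("POST ") and ".php" in r["request"]]

# Constructed sample data standing in for `stat` output and the real access log.
CHANGE_EPOCH = datetime(2016, 3, 12, 3, 14, 9, tzinfo=timezone.utc).timestamp()
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2016:03:14:07 +0000] "POST /wp-content/uploads/2016/03/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2016:03:13:50 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2016:02:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "curl/7.47"',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    # Real use: epoch = file_change_epoch("/var/www/html/wp-content/uploads/2016/03/cache.php")
    #           lines = open("/var/log/apache2/access.log")
    for r in suspicious_requests(CHANGE_EPOCH, SAMPLE_LOG):
        print(r["ip"], r["request"], r["status"])
```

The ctime is the right timestamp to use because `touch -d` only rewrites mtime; ctime is set by the kernel on every inode change.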
Cloudflare won't let me paste the code here
Anyway this works great for me.
http://pastebin.com/SKUFZeFA
Save your MySQL database, wp-config.php, and uploads folder (make sure there's nothing malicious in those, regenerate the salts for wp-config and change the password) and download a fresh copy of WordPress, plugins, and themes.
But if you insist on keeping the current install you could use maldet with inotify-tools to monitor the directory for all changes.
@sin's suggestion is probably the best. Also check if you have other sites in that same account; I've experienced an instance where another site got hacked and the hacker injected code into other sites in that same hosting account.