So I’ve seen these Wordpress plugins which check WP files for modifications and alert admin if any files are changed (or added or removed), but all those plugins are traversing whole directory tree in regular intervals, either with a script scheduled with cron job or (even worse) on each page load.
So I thought how that’s not very efficient and I’ve made this program which uses Linux inotifywait tool to monitor folder(s) for changes and responds on each modification. It is basically a program where you can define multiple folders (sites) to be watched, and whenever a file is removed, modified or added to the any of the watched folders the program will reverse the action, quarantine the modification/new file, and log it so you can allow it later if you want. It can watch all file types or only files of certain type (extension), and by default it’ll watch .php, .htm[l], .css, .js and .sql files only.
Here’s a demo:
It’s much faster than going through all the (sub)folders checking the files as it responds to file system changes (almost) in real-time. And it can be used for any site, not necessarily PHP-based or Wordpress powered site. One bonus option which is not shown in the demo above is ability to exclude any file/folder from the watched list so you can exclude e.g. cache folder which is constantly being changed.
So what do you think? Would anyone use this tool? Should I invest more time in this? If so, I’ll definitely need some help turning this into real linux service, as now it’s just a .sh file running in the background.
Out of interest another forum user wrote a file watching program a couple of years ago. I came across his website again last week by accident; but can not remember what it is called.
I would like to see that! If you could remember it that would be awesome! My search for similar programs yielded no results
Meanwhile I have noticed my code is pretty slow and figured out the reasons behind that:
My laptop is slow
I’m testing under vagrant, making everything much slower
I was using Laravel for command line actions, which has A LOT of things unnecessary for this kind of application
Now, I can’t resolve 1 and 2 immediately but I have started rewriting the app without using any framework, using only couple of Symfony components (only Console and Process so far) so instead of dragging (and bootstrapping) whole Laravel this will be much faster. And I will be able to pack it in a single file (phar), making it much easier to install and use it
Several years ago I started to workup a WordPress plugin to do similar.
At the time I was a very green OOP newbie and the code got to be such a heaping pile of steaming spaghetti that I abandoned it.
it ran only when admin initiated running the “check”
it recursively scanned files and compared their current hash values against those saved in a database table.
it saved whatever.php.bkp files to copy/rename/replace any changed files
checked for the presence of any new files and the absence of any “known” files.
TBH and in all humility I think the plugin had promise but it was such a mess I could not continue with it.
I think if you can have the “check” run on demand or at least an optional setting you just may find quite an interest in such a “hack recovery” oriented app.
Yeah, but there is so many those “on-demand” scanners (especially for Wordpress), and by on-demand I mean either manually initiating scan or scheduling it with e.g. cronjob. But it still leaves a “gap” between two scans for potential attackers to upload their malicious code and execute it.
My idea is to provide (nearly) real-time protection by relying to file system change notifications, in order to respond immediately and don’t allow attacker to perform his attack at all by reversing the create, modify and delete actions on files instantly. Each action is quarantined so you can allow it afterwards if you check and confirm it was legit.
Adding on-demand scan afterwards should be fairly easy, but that is not a priority for me right now.
It’s a Symfony Console application packed in a single phar file. Compared to previous version it’s lighting fast, as previous version was 40MB Laravel project and this one is just over 1MB, and previous version was actually a .sh file running inotifywait and running (and bootstrapping) my Laravel-CLI application on each file modification event, while this runs a inotifywait as a sub-process and reacts instantly on any file changes.
The drawback of that is - you must restart the application each time you make a modification to the app configuration.
It’s my first Symfony Console application so it’s most likely buggy and should not be used in production, at least not as a full-featured protection system, but I’d really like if someone would test it a little bit.
And I could really use some help on setting this as a real Linux service (so it starts on boot, restarts on crash and can be controlled with sudo service start|stop|restart|status guard. I have tried using daemonize and it seems it works (it is running) but I can’t get any other info and sudo service commands do not run
edit: FAIL! Just tried it on my live server and it installs but whenever I run it it just says “Segmentation fault” and exits. Looking into that right now… I have PHP 5.6 on my server and PHP 7 on my dev machine.
edit2: ionCube loader makes problems, disabling it makes it work as a breeze
