diff options
| author | Julien "shaddai" Reveret | 2016-02-01 11:06:19 +0100 |
|---|---|---|
| committer | Julien "shaddai" Reveret | 2016-02-01 11:06:19 +0100 |
| commit | d604e9f3fcff6f84580be512b3b3f48819c07d05 (patch) | |
| tree | 852e709b9920b85a02edd129b56ad50cd0f4ffed | |
| parent | d3e4592a03aad6303da38f2b6143b2c04c3a1073 (diff) | |
docroot-checker records sha1sums to prevent rescanning the whole docroot next time
| -rw-r--r-- | php-malware-finder/docroot-check.sh | 38 |
1 files changed, 28 insertions, 10 deletions
diff --git a/php-malware-finder/docroot-check.sh b/php-malware-finder/docroot-check.sh index a5cce6e..4d280c2 100644 --- a/php-malware-finder/docroot-check.sh +++ b/php-malware-finder/docroot-check.sh | |||
| @@ -1,21 +1,39 @@ | |||
| 1 | #!/usr/bin/env bash | 1 | #!/usr/bin/env bash |
| 2 | 2 | ||
| 3 | PATH=/usr/bin:/bin:/sbin:/usr/sbin | ||
| 3 | apache_confdir="/etc/apache2/sites-available" | 4 | apache_confdir="/etc/apache2/sites-available" |
| 5 | pmf_conf="/etc/phpmalwarefinder/malwares.yara" | ||
| 6 | pmf_cachedir="/tmp" | ||
| 4 | 7 | ||
| 5 | # grab the different document roots | 8 | # grab the different document roots to scan each and everyone of them |
| 6 | for docroot in $(grep -o 'DocumentRoot.*' $apache_confdir/* | \ | 9 | for docroot in $(grep -o 'DocumentRoot.*' $apache_confdir/* | \ |
| 7 | awk '{if ($2 ~ "/data/www/*") print $2}') ; do | 10 | awk '{if ($2 ~ "/data/www/*") print $2}') ; do |
| 8 | 11 | ||
| 9 | pmf_output_dir=$(echo $docroot |egrep -o '[^/]*/[^/]*$') | 12 | vhost_outdir=$(echo $docroot |egrep -o '[^/]*/[^/]*$') |
| 10 | mkdir -p /tmp/$pmf_output_dir | 13 | mkdir -p $pmf_cachedir/$vhost_outdir |
| 14 | pmf_sha1=$pmf_cachedir/$vhost_outdir/sha1sum.$(date +"%d-%m-%Y") | ||
| 15 | last_pmf_sha1=$pmf_cachedir/$vhost_outdir/sha1sum.$(date +"%d-%m-%Y" --date="7 days ago") | ||
| 11 | 16 | ||
| 17 | # compute PHP files sha1sum and compare them to last report to reduce the | ||
| 18 | # amout of files yara has to scan | ||
| 19 | find $docroot -type f -iname "*php" -exec sha1sum {} \; > $pmf_sha1 | ||
| 20 | |||
| 21 | if [ -f $last_pmf_sha1 ] ; then | ||
| 22 | diff -u $pmf_sha1 $last_pmf_sha1 | grep ^+[A-Z] | sed -e 's/^+[^\ ]*//g' > \ | ||
| 23 | /tmp/diff.txt | ||
| 24 | for file in $(cat /tmp/diff.txt); do | ||
| 25 | yara $pmf_conf >> $pmf_cachedir/$vhost_outdir/cron.out 2>&1 | ||
| 26 | done | ||
| 27 | else | ||
| 28 | # first scan or last scan result is missing | ||
| 12 | SAVEIFS=$IFS | 29 | SAVEIFS=$IFS |
| 13 | IFS=$(echo -en "\n\b") | 30 | IFS=$(echo -en "\n\b") |
| 14 | find $docroot -type f -iname "*php" -exec yara /etc/phpmalwarefinder/malwares.yara {} > \ | 31 | find $docroot -type f -iname "*php" -exec yara $pmf_conf {} > \ |
| 15 | /tmp/$pmf_output_dir/cron.out 2>&1 \; | 32 | $pmf_cachedir/$vhost_outdir/cron.out 2>&1 \; |
| 33 | fi; | ||
| 16 | 34 | ||
| 17 | if [ -s /tmp/$pmf_output_dir/cron.out ]; then | 35 | if [ -s $pmf_cachedir/$vhost_outdir/cron.out ]; then |
| 18 | cat /tmp/$pmf_output_dir/cron.out | \ | 36 | cat $pmf_cachedir/$vhost_outdir/cron.out | \ |
| 19 | mail -s "PMF REPORT:$(uname -n) DocumentRoot $docroot" jre@nbs-system.com | 37 | mail -s "PMF REPORT:$(uname -n) DocumentRoot $docroot" jre@nbs-system.com |
| 20 | fi; | 38 | fi; |
| 21 | done | 39 | done |