From d604e9f3fcff6f84580be512b3b3f48819c07d05 Mon Sep 17 00:00:00 2001
From: Julien "shaddai" Reveret
Date: Mon, 1 Feb 2016 11:06:19 +0100
Subject: docroot-checker records sha1sums to prevent rescanning the whole docroot next time
---
php-malware-finder/docroot-check.sh | 38 +++++++++++++++++++++++++++----------
1 file changed, 28 insertions(+), 10 deletions(-)
diff --git a/php-malware-finder/docroot-check.sh b/php-malware-finder/docroot-check.sh
index a5cce6e..4d280c2 100644
--- a/php-malware-finder/docroot-check.sh
+++ b/php-malware-finder/docroot-check.sh
@@ -1,21 +1,39 @@
 #!/usr/bin/env bash
+PATH=/usr/bin:/bin:/sbin:/usr/sbin
 apache_confdir="/etc/apache2/sites-available"
+pmf_conf="/etc/phpmalwarefinder/malwares.yara"
+pmf_cachedir="/tmp"
-# grab the different document roots
+# grab the different document roots to scan each and everyone of them
 for docroot in $(grep -o 'DocumentRoot.*' $apache_confdir/* | \
- awk '{if ($2 ~ "/data/www/*") print $2}') ; do
+ awk '{if ($2 ~ "/data/www/*") print $2}') ; do
- pmf_output_dir=$(echo $docroot |egrep -o '[^/]*/[^/]*$')
- mkdir -p /tmp/$pmf_output_dir
+ vhost_outdir=$(echo $docroot |egrep -o '[^/]*/[^/]*$')
+ mkdir -p $pmf_cachedir/$vhost_outdir
+ pmf_sha1=$pmf_cachedir/$vhost_outdir/sha1sum.$(date +"%d-%m-%Y")
+ last_pmf_sha1=$pmf_cachedir/$vhost_outdir/sha1sum.$(date +"%d-%m-%Y" --date="7 days ago")
+ # compute PHP files sha1sum and compare them to last report to reduce the
+ # amout of files yara has to scan
+ find $docroot -type f -iname "*php" -exec sha1sum {} \; > $pmf_sha1
+
+ if [ -f $last_pmf_sha1 ] ; then
+ diff -u $pmf_sha1 $last_pmf_sha1 | grep ^+[A-Z] | sed -e 's/^+[^\ ]*//g' > \
+ /tmp/diff.txt
+ for file in $(cat /tmp/diff.txt); do
+ yara $pmf_conf >> $pmf_cachedir/$vhost_outdir/cron.out 2>&1
+ done
+ else
+ # first scan or last scan result is missing
 SAVEIFS=$IFS
 IFS=$(echo -en "\n\b")
- find $docroot -type f -iname "*php" -exec yara /etc/phpmalwarefinder/malwares.yara {} > \
- /tmp/$pmf_output_dir/cron.out 2>&1 \;
+ find $docroot -type f -iname "*php" -exec yara $pmf_conf {} > \
+ $pmf_cachedir/$vhost_outdir/cron.out 2>&1 \;
+ fi;
- if [ -s /tmp/$pmf_output_dir/cron.out ]; then
- cat /tmp/$pmf_output_dir/cron.out | \
- mail -s "PMF REPORT:$(uname -n) DocumentRoot $docroot" jre@nbs-system.com
- fi;
+ if [ -s $pmf_cachedir/$vhost_outdir/cron.out ]; then
+ cat $pmf_cachedir/$vhost_outdir/cron.out | \
+ mail -s "PMF REPORT:$(uname -n) DocumentRoot $docroot" jre@nbs-system.com
+ fi;
 done
-- 
cgit v1.3
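Review bot: The incremental branch never scans anything: inside `for file in $(cat /tmp/diff.txt)` yara is invoked as `yara $pmf_conf` with no target file, and the list it reads is empty in any case, because `grep ^+[A-Z]` cannot match sha1sum's lowercase hex digests and, with the arguments ordered `diff -u $pmf_sha1 $last_pmf_sha1`, the `+` lines are entries of the old report rather than the new or changed files. Both the fixed-name list `/tmp/diff.txt` and the sha1 baseline under `pmf_cachedir="/tmp"` live in a world-writable directory, so a local user could pre-create the day's `sha1sum.*` file or swap the list and keep modified files out of the scan; the cache belongs in a directory only the cron user can write (a root-owned path under /var/cache, for instance), and the scratch list should come from `mktemp`. `$(cat ...)` also word-splits paths, so a `while IFS= read -r` loop over the list is safer. Proposed rewrite of the `if [ -f $last_pmf_sha1 ]` branch (the `else` branch and the mail step are unchanged):
```shell
  if [ -f "$last_pmf_sha1" ] ; then
    # entries present in the current report but absent from the last one are
    # the new or modified files; sha1sum prints lowercase hex, hence [0-9a-f]
    pmf_difflist=$(mktemp) || exit 1
    diff -u "$last_pmf_sha1" "$pmf_sha1" | grep '^+[0-9a-f]' | sed -e 's/^+[^ ]*  //' > "$pmf_difflist"
    while IFS= read -r file; do
      yara "$pmf_conf" "$file" >> "$pmf_cachedir/$vhost_outdir/cron.out" 2>&1
    done < "$pmf_difflist"
    rm -f -- "$pmf_difflist"
  else
    # … unchanged: first-scan branch with find/yara …
```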