Cron job to check for code changes?

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
latristesse
Joomla! Explorer
Joomla! Explorer
Posts: 270
Joined: Mon Dec 12, 2005 9:59 pm

Cron job to check for code changes?

Post by latristesse » Sun Jun 15, 2008 9:44 pm

I have a site that's been hacked twice (despite implementation of nearly all recommended security measures). I am wondering how to write a cron job to automatically either check my files for changes, or folders for new files, or index.php for updates or something so that I can know about the hack attack before anyone else does should it happen again. I know how to cron jobs in cpanel but I don't know how to write the php code to do the checking for changes - here is a php file written for Wordpress: http://www.theblog.ca/file-change-notifications. Would this work for Joomla?

user deleted

Re: Cron job to check for code changes?

Post by user deleted » Mon Jun 16, 2008 6:47 am

Hi,

I think it ought to work, it just looks at files changed in the last 62 minutes and reports them through e-mail. All you need to do is adjust a relative path and probably the mail address. You could test it by altering a file yourself, that should get reported by the script.

By the way, nice find!

latristesse
Joomla! Explorer
Joomla! Explorer
Posts: 270
Joined: Mon Dec 12, 2005 9:59 pm

Re: Cron job to check for code changes?

Post by latristesse » Mon Jun 16, 2008 4:33 pm

This code works but I would like to exclude a couple of directories from the cron because they're always being updated (namely sh404SEF stuff) and I can't figure out the linux syntax for exclusion or how to include that in the main exec command.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Cron job to check for code changes?

Post by mandville » Mon Jun 16, 2008 6:29 pm

there is a much easier one line code to use which checks for mtime and ctime .,
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

latristesse
Joomla! Explorer
Joomla! Explorer
Posts: 270
Joined: Mon Dec 12, 2005 9:59 pm

Re: Cron job to check for code changes?

Post by latristesse » Mon Jun 16, 2008 9:43 pm

What is that and what does it do?

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Cron job to check for code changes?

Post by mandville » Tue Jun 17, 2008 9:30 am

there are several options that can be done, but be prepared for several

set up a cron job with the following line

Code: Select all

find \public_html -type f -mtime -1 -exec ls -ls {} \;
this will produce a report line similar to this

Code: Select all

-rw-rw-rw-  1 nobody nobody 341 Jun 16 09:13 public_html/goss/cache/sql_d08dfb.php
a code like this

Code: Select all

find \public_html -mtime -1
will result in an email as sparse as this

Code: Select all

 public_html/cam.jpg
there are different variations you can use and will all depend on the level of reporting you require. this helps on chcecking for modifications and creations but obviously user input is required on reading the emails!
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

latristesse
Joomla! Explorer
Joomla! Explorer
Posts: 270
Joined: Mon Dec 12, 2005 9:59 pm

Re: Cron job to check for code changes?

Post by latristesse » Tue Jun 17, 2008 3:31 pm

The guy who developed the original script for checking for changed files had an example for modifying the exec command so that certain files or folders are excluded:

Code: Select all

exec('find /home/username/public_html -name error_log -prune -o -path \'/home/username/public_html/components/com_sef\' -prune -o -cmin -62 -print', $last_changed);
This works very well - just make if setting up the cron tab through cpanel that you leave the email address blank or else you will be receiving emails every hour when the script runs.

Here is my entire script:

Code: Select all

<?php

/*
This file e-mails you a list of all modified files in a certain directory
Run this file via cron every hour

"Find" shell command code syntax from:
http://www.mydigitallife.info/2006/01/19/find-files-that-are-modified-today-or-since-certain-time-ago-in-unix/
and from:
http://linux.about.com/od/commands/l/blcmdl1_find.htm
*/

// Shell command that finds all files below a certain directory that modified within the last 62 minutes
// Replace the file path (absolute or relative to this script's location) as necessary
exec('find /home/username/public_html/ -name error_log -prune -o -path \'/home/username/public_html/administrator/components/com_sef\' -prune -o -path \'/home/username/public_html/components/com_sef\' -prune -o -cmin -62 -print', $last_changed);

// Only e-mail the results if anything has changed
if ( count ( $last_changed ) > 0 ) {

    // E-mail settings
    $sendto = "E-mail receiver <[email protected]>";
    $sendfrom = "File change script <[email protected]>";
    $sendsubject = "yoursite.com file change notice";

    // Results of files last modified
    $email_output = 'Files modified in the last hour:';
    $email_output .= "\n";
    $email_output .= "\n";
    $last_changed_files = implode ( "\n", $last_changed);
    $email_output .= $last_changed_files;

    // Mail the file
    // You can also use the PEAR Mail package (http://pear.php.net/package/Mail) or a similar script for more robust mailing

    // Line break, which we will used for the headers
    $send_eol = "\r\n";

    $send_headers = 'From: ' . $sendfrom . $send_eol;
    $send_headers .= 'Reply-To: ' . $sendfrom . $send_eol;
    $send_headers .= 'Return-Path: ' . $sendfrom . $send_eol;

    // Send!
    mail($sendto, $sendsubject, $email_output, $send_headers);
}
?>

eccesignum
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Fri Jun 10, 2011 11:38 pm

Re: Cron job to check for code changes?

Post by eccesignum » Sat Jun 11, 2011 12:37 am

Thanks for the above code (read the thread with much interest). I had issues getting it to work on one of my sites but am almost there. I have my cron job running every 15 minutes and within 20 minutes of a RFI I was back up and running again.

I changed the script slightly as was getting errors and wondering if its possibe to parameratise<sp> the folders to prune? or, to be able to have each folder exclusion on a seperate line (I've tried loads of ways but it keeps on throwing errors). this is my current string...

exec('find /home/secret/public_html -name com_akeeba -prune -o -name cache -prune -o -name error_log -prune -o -name rsgallery -prune -o -name logs -prune -o -name com_sh404sef -prune -o -type f -cmin -17 -print', $last_changed);

latristesse
Joomla! Explorer
Joomla! Explorer
Posts: 270
Joined: Mon Dec 12, 2005 9:59 pm

Re: Cron job to check for code changes?

Post by latristesse » Sun Jun 12, 2011 4:08 am

I'm not sure this works with PHP 5.3 - if anybody has any suggestions for how to get it to comply with PHP 5.3, please post them here. Meanwhile I will keep researching....

buddha348
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu Sep 15, 2011 12:26 am

Re: Cron job to check for code changes?

Post by buddha348 » Thu Sep 15, 2011 12:38 am

Could not open input file: /home/allweb/public_html/cron.php


I keep getting the error above, has anyone got a solution?
I have been searching but most of the solutions don't seem to work
Advise would be most welcome.


Locked

Return to “Security in Joomla! 1.5”