Check whether the website files have been tampered with (i.e. the server has been compromised)

1. Store fingerprint information for all project files before release
# First use md5sum to fingerprint the code
# Website root directory path
src="/home/wwwroot/bbs/"
# Directory for the fingerprint files
backup="/server/backup_code"
if [ ! -d "$backup" ]; then
    mkdir -p "$backup"
    find "$src" -type f | xargs md5sum > "$backup/md5sum.code"
fi
# Record every file under the website root (used later to detect added or deleted files)
find "$src" -type f > "$backup/check_site.log"
2. Verify the file fingerprints
src="/home/wwwroot/bbs/"
backup="/server/backup_code"
logs="/tmp/check_logs"
# Number of files recorded at release time
src_count=$(cat "$backup/check_site.log" | wc -l)
while true
do
    # Files whose md5sum no longer matches the recorded fingerprint
    check_fail=$(md5sum -c "$backup/md5sum.code" 2>/dev/null | grep -i "failed")
    # Number of files that failed the comparison
    fail_count=$(md5sum -c "$backup/md5sum.code" 2>/dev/null | grep -i "failed" | wc -l)
    # List every file currently under the project
    find "$src" -type f > "$backup/new_site.log"
    # Total number of files currently in the project
    new_count=$(cat "$backup/new_site.log" | wc -l)
    # Alert if any comparison failed, or if the current file count differs from the original count
    if [ "${fail_count}" -ne 0 ] || [ "${new_count}" -ne "${src_count}" ]
    then
        # Record the files that failed the comparison
        echo "${check_fail}" > "$logs"
        # Record the file names that were added or removed
        diff "$backup/check_site.log" "$backup/new_site.log" >> "$logs"
        # Send the log content by mail
        mail -s "the root is changed" [email protected] < "$logs"
    fi
    sleep 300    # Verify once every 300s
done
Analysis:
src, backup and logs are the website root directory, the directory holding the fingerprint files, and the log file to which the detected changes are appended.
# Verify the code files against the recorded fingerprints
check_fail=$(md5sum -c "$backup/md5sum.code" 2>/dev/null | grep -i "failed")
# Count the modified code files and the original number of source files
fail_count=$(md5sum -c "$backup/md5sum.code" 2>/dev/null | grep -i "failed" | wc -l)
src_count=$(cat "$backup/check_site.log" | wc -l)
# Count the files currently on the website
find "$src" -type f > "$backup/new_site.log"
new_count=$(cat "$backup/new_site.log" | wc -l)
# If the number of modified files is not 0, or the current file count differs from the
# original count, the website has been tampered with: append the changes to the log and send an email
if [ "${fail_count}" -ne 0 ] || [ "${new_count}" -ne "${src_count}" ]
then
    echo "${check_fail}" > "$logs"
    diff "$backup/check_site.log" "$backup/new_site.log" >> "$logs"
    mail -s "the root is changed" [email protected] < "$logs"
fi
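The two scripts above are one procedure: record a baseline, then poll and compare. The following is an added example, not the original post's script, that wraps the same idea in functions so the check can be run by hand or from a loop. It reports modified, added and deleted files separately, keeps filenames with spaces intact (the page's plain "find | xargs" splits them), and returns a non-zero status when anything differs. The function names, the report format, the placeholder mail recipient and the sample site created by demo() are this example's own assumptions; sha256sum can replace md5sum with no other change.

```shell
#!/usr/bin/env bash
# Added example (not the original post's script): baseline-and-verify integrity
# check built around the page's md5sum idea. The function names, report format
# and the sample site created by demo() are this example's own assumptions.
set -u

# md5sum matches the page; sha256sum is a drop-in replacement (same -c syntax).
HASH_CMD="${HASH_CMD:-md5sum}"

# build_baseline SRC BACKUP
# Hash every regular file under SRC and record a sorted file list. -print0 and
# xargs -0 keep filenames with spaces intact, which a plain "find | xargs" splits.
build_baseline() {
    local src="$1" backup="$2"
    mkdir -p "$backup"
    find "$src" -type f -print0 | sort -z | xargs -0 "$HASH_CMD" > "$backup/hashes.txt"
    find "$src" -type f | sort > "$backup/files.txt"
}

# check_integrity SRC BACKUP REPORT
# Write modified, added and deleted files to REPORT.
# Returns 0 when the tree matches the baseline, 1 when anything changed.
check_integrity() {
    local src="$1" backup="$2" report="$3"
    local current modified added deleted
    : > "$report"
    current=$(mktemp)
    find "$src" -type f | sort > "$current"

    # --quiet prints only mismatching files; files that are gone show up as
    # "FAILED open or read" and are reported under DELETED instead.
    modified=$("$HASH_CMD" -c --quiet "$backup/hashes.txt" 2>/dev/null \
               | grep -v 'FAILED open or read' || true)
    # comm on the two sorted lists: -13 = only in current, -23 = only in baseline
    added=$(comm -13 "$backup/files.txt" "$current")
    deleted=$(comm -23 "$backup/files.txt" "$current")
    rm -f "$current"

    [ -n "$modified" ] && printf 'MODIFIED:\n%s\n' "$modified" >> "$report"
    [ -n "$added" ]    && printf 'ADDED:\n%s\n'    "$added"    >> "$report"
    [ -n "$deleted" ]  && printf 'DELETED:\n%s\n'  "$deleted"  >> "$report"

    [ ! -s "$report" ]
}

# monitor SRC BACKUP REPORT [INTERVAL]
# The page's polling loop: mail the report whenever the check fails.
# The recipient address is a placeholder.
monitor() {
    local src="$1" backup="$2" report="$3" interval="${4:-300}"
    while true; do
        if ! check_integrity "$src" "$backup" "$report"; then
            mail -s "the root is changed" admin@example.com < "$report"
        fi
        sleep "$interval"
    done
}

# demo: a constructed sample site in a temp dir, baselined, then altered.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/inc"
    printf 'index\n'  > "$tmp/site/index.php"
    printf 'config\n' > "$tmp/site/inc/config.php"
    build_baseline "$tmp/site" "$tmp/backup"
    printf 'extra\n' >> "$tmp/site/index.php"      # modified
    printf 'new\n'    > "$tmp/site/new file.php"    # added (name with a space)
    rm "$tmp/site/inc/config.php"                   # deleted
    check_integrity "$tmp/site" "$tmp/backup" "$tmp/report.log" \
        && echo "clean" || cat "$tmp/report.log"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `bash check.sh demo` to see a report for the constructed site, or source it and call `build_baseline` once at release time and `monitor` afterwards. Two caveats carry over from the page's approach: the baseline (hashes.txt and files.txt) must live outside the web root and ideally on another host or read-only media, because an attacker who can write the site can also rewrite a baseline stored next to it; and a polling check only tells you that something changed, so the report belongs in your alerting pipeline, not just a mailbox.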
Source: https://www.ninexin.com/news/xingyexinwen/2019/1027/3371.html

Origin blog.csdn.net/qq_38774492/article/details/107930341