Most Linux distributions ship with the Linux Audit framework (auditd), which can record who changed a file and when. The method in this tutorial is simpler and needs only find, md5sum and diff: take a checksum of every file, keep that list as a baseline, and later compare a fresh list against it. It tells you which files were created, deleted or modified between the two snapshots, not who did it.
This is useful for sysadmins who need to know whether sensitive files such as /etc/passwd, /etc/sudoers or the PHP files of a website have been changed.
In the following tutorial I will show you how to track changes to your PHP files:
1. The first step is to create a file of MD5 checksums for the PHP files of your website (for example in /var/www/debian-tutorials.com).
We find every .php file under /var/www/debian-tutorials.com, compute an MD5 checksum for each of them and save the list in /root. The list is sorted by path so that two lists of the same tree are byte-identical and a later diff shows only real changes; -print0 and xargs -0 keep file names that contain spaces intact:
find /var/www/debian-tutorials.com -type f -name '*.php' -print0 | sort -z | xargs -0 md5sum > /root/md5-debian-tutorials
Each line of the file holds the MD5 hash of one file, two spaces, and the file's path.
2. The final step is to compare the old MD5 list with a new one created at the moment of comparison.
Suppose that someone created an unwanted file called test.php in the document root.
When we compare the old MD5 list with the new one, we will see immediately that test.php was created.
Create the new MD5 list with the same command, writing to a different file:
find /var/www/debian-tutorials.com -type f -name '*.php' -print0 | sort -z | xargs -0 md5sum > /root/md5-new
Compare the two lists with diff and save the result:
diff /root/md5-debian-tutorials /root/md5-new > /root/md5-raport.log
The log will look like this:
# cat /root/md5-raport.log
> d41d8cd98f00b204e9800998ecf8427e  /var/www/debian-tutorials.com/test.php
Lines marked > exist only in the new list and lines marked < only in the old one, so a new file shows up as one > line, a deleted file as one < line, and a modified file as a < line and a > line with the same path and different hashes. Here d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty file, so test.php was created empty. Now you know immediately that test.php was created without your authorization.
Optionally, you can create a bash script to do this automatically from cron and send a mail if something was changed. Two caveats: keep a copy of the baseline list somewhere an intruder on the web server cannot edit (off the host or on read-only media), because an intruder with root access can rewrite /root/md5-debian-tutorials along with the PHP files; and the same commands work with sha256sum in place of md5sum, which is the better choice today because MD5 collisions are practical. Note also that -name '*.php' only covers files with that extension; a dropped .phtml or .htaccess file would not appear in the report, so consider hashing every file under the document root.
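The whole procedure (steps 1 and 2) as one script, added here as an example; it is not code from the original page. The document root, baseline path, script name and mail address in the usage section are assumed placeholders, and the classification of diff output into added, removed and modified files is an addition to the plain diff shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): baseline-and-compare integrity
# check for a PHP document root, steps 1 and 2 of the tutorial in one script.
# Assumed placeholders: the script name phpcheck.sh, the tree
# /var/www/debian-tutorials.com, the baseline /root/md5-debian-tutorials and
# the address admin@example.com.
set -u

# Step 1: write one "hash  path" line per .php file, sorted by path.
# -print0/-0 keep file names with spaces intact; sorting makes two manifests
# of the same tree byte-identical, so a later diff shows only real changes.
make_manifest() {
    local dir="$1" out="$2"
    find "$dir" -type f -name '*.php' -print0 \
        | LC_ALL=C sort -z \
        | xargs -0 -r md5sum > "$out"
}

# Step 2a, as on the page: plain diff of the two manifests.
# Returns 0 when the manifests are identical, 1 when they differ.
manifest_diff() {
    diff "$1" "$2"
}

# Step 2b: classify the differences instead of reading raw "<"/">" lines.
# Prints "ADDED <path>", "REMOVED <path>" or "MODIFIED <path>", one per line.
report_changes() {
    local old="$1" new="$2"
    awk '
        # md5sum lines are "<32 hex chars>  <path>"; the path starts at column
        # 35 and may itself contain spaces, so it is taken with substr, not $2.
        FILENAME == ARGV[1] { old[substr($0, 35)] = substr($0, 1, 32); next }
        {
            path = substr($0, 35); hash = substr($0, 1, 32)
            if (!(path in old))         print "ADDED    " path
            else if (old[path] != hash) print "MODIFIED " path
            delete old[path]
        }
        END { for (p in old) print "REMOVED  " p }
    ' "$old" "$new" | LC_ALL=C sort
}

# Build a fresh manifest of DIR, compare it with BASELINE, print the report.
# Returns 0 if nothing changed, 1 if anything was added, removed or modified.
check_tree() {
    local dir="$1" baseline="$2" current report
    current=$(mktemp)
    make_manifest "$dir" "$current"
    report=$(report_changes "$baseline" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use (for example from cron):
#   phpcheck.sh init  /var/www/debian-tutorials.com /root/md5-debian-tutorials
#   phpcheck.sh check /var/www/debian-tutorials.com /root/md5-debian-tutorials admin@example.com
if [ "$#" -ge 3 ]; then
    case "$1" in
        init)  make_manifest "$2" "$3" ;;
        check)
            if ! report=$(check_tree "$2" "$3"); then
                printf '%s\n' "$report"
                # Mail the report only if an address was given and mail(1) exists.
                if [ -n "${4:-}" ] && command -v mail >/dev/null 2>&1; then
                    printf '%s\n' "$report" | mail -s "PHP files changed in $2" "$4"
                fi
                exit 1
            fi ;;
    esac
fi
```

Run `init` once from a known-good state, copy the baseline off the host, and run `check` from cron; the non-zero exit status lets a cron wrapper or monitoring system alert on it even when no mail is configured.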