Track file changes using MD5

Valic —  July 5, 2012

Most Linux distributions ship with the coreutils checksum tools (md5sum, sha256sum), which make it feasible to track file changes by comparing hashes taken at two points in time.

It is a useful technique for sysadmins who need to know whether (and roughly when) sensitive files like /etc/passwd, /etc/sudoers or the PHP files of a website have been changed.

In the following tutorial I will show you how to track changes to your PHP files:

1. The first step is to create an MD5 list covering the PHP files of your website (for example /var/www/debian-tutorials.com).

We find every PHP file under /var/www/debian-tutorials.com, compute an MD5 for each one and save the list in /root, where only root can read it. The paths are NUL-delimited and sorted, so file names containing spaces survive and two runs over an unchanged tree produce identical lists (otherwise diff would report reordered lines as changes).

find /var/www/debian-tutorials.com -type f -name '*.php' -print0 | sort -z | xargs -0 md5sum > /root/md5-debian-tutorials

The file will look like this:

7a660918585d114e75de866b2363ccb5  /var/www/debian-tutorials.com/wp-feed.php
611f09646b0891395cda872b9f58d7c8  /var/www/debian-tutorials.com/wp-load.php
59a4204899537512b15f33062a5c1ea8  /var/www/debian-tutorials.com/wp-settings.php
fd56c54f2573cb2549fbee133e761577  /var/www/debian-tutorials.com/wp-register.php
236d21058a4c9485add042b901758a26  /var/www/debian-tutorials.com/wp-login.php
ea9fe4ee8673147855680efb745524d0  /var/www/debian-tutorials.com/wp-trackback.php
2569005d68a679280506406bd4f2f25d  /var/www/debian-tutorials.com/xmlrpc.php
3d8029c959f9acfaf01094c20f7b98cb  /var/www/debian-tutorials.com/wp-pass.php
173ae64f11cf5acea8c5b31302b85afe  /var/www/debian-tutorials.com/wp-mail.php
ca0484ca479e01e740119f89df056090  /var/www/debian-tutorials.com/index.php
e923e78ad84298aa64c3b3c3d117113a  /var/www/debian-tutorials.com/wp-blog-header.php
b146f7d11a18445e7612b5971c7d722d  /var/www/debian-tutorials.com/wp-activate.php
c6977e9cb42d4eaf434c8d4e433b83c7  /var/www/debian-tutorials.com/wp-comments-post.php

2. The final step is to compare the saved MD5 list with a fresh one created at the moment of comparison.

Suppose that someone unauthorized created a file called test.php.

When we compare the old MD5 list with the new one we will see immediately that test.php was added. A modified file shows up as a pair of lines, the old hash prefixed with < and the new hash prefixed with >, and a deleted file shows up as a < line only.

Create the new MD5 list:

find /var/www/debian-tutorials.com -type f -name '*.php' -print0 | sort -z | xargs -0 md5sum > /root/md5-new

Compare the two lists using the diff command:

diff /root/md5-debian-tutorials  /root/md5-new > /root/md5-raport.log

The log will look like this:

root@# cat /root/md5-raport.log
5781a5782
> d41d8cd98f00b204e9800998ecf8427e  /var/www/debian-tutorials.com/test.php

The > line tells you immediately that test.php was created without your authorization (d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, so even an empty placeholder file is caught).

Optionally, you can write a bash script that does this automatically from cron and sends a mail if something changed. Two caveats: keep the baseline where an intruder on the web server cannot simply regenerate it (root-only at minimum, better on another host or read-only media), and remember that MD5 collisions are cheap to produce, so an attacker who controls a file's content can prepare two versions with the same MD5, a benign one to be baselined and a malicious one to swap in later; sha256sum is the safer choice.
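The following script is an added example, not the script from the original post. It implements the whole procedure above (baseline, comparison, mail on change) in one place, with sha256sum swapped in for md5sum for the reason just given. It assumes GNU findutils and coreutils (for -print0, sort -z and xargs -0 -r) and a mail(1) command; the default web root, baseline path and recipient are hypothetical and can be overridden through the WEBROOT, BASELINE and MAILTO environment variables. Unlike a plain diff of the two lists, it classifies every finding as ADDED, CHANGED or DELETED.

```bash
#!/bin/bash
# Added example, not the script from the original post.
# Builds a checksum baseline of the PHP files under a web root, compares the
# current tree against it, and mails a report when something differs.
# Assumptions: GNU findutils/coreutils (-print0, sort -z, xargs -0 -r) and a
# mail(1) command; the default paths and recipient below are hypothetical.

set -u
export LC_ALL=C   # deterministic sort order between runs

# make_baseline DIR OUT: hash every *.php under DIR into OUT.
# NUL-delimited and sorted, so paths with spaces survive and two runs over an
# unchanged tree give byte-identical files.
make_baseline() {
    local dir="$1" out="$2"
    find "$dir" -type f -name '*.php' -print0 | sort -z \
        | xargs -0 -r sha256sum > "$out"
}

# check_baseline DIR BASELINE: print one line per finding
# (ADDED / CHANGED / DELETED followed by the path) and return 1 if anything
# differs, 0 if the tree matches the baseline.
check_baseline() {
    local dir="$1" base="$2" tmp findings
    tmp=$(mktemp) || return 2
    make_baseline "$dir" "$tmp"
    # sha256sum lines are "<64 hex><2 spaces><path>": take the path from
    # column 67 rather than $2 so that spaces in the path do not split it.
    findings=$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        { new[substr($0, 67)] = $1 }
        END {
            for (p in new) if (!(p in old))                  print "ADDED   " p
            for (p in new) if (p in old && old[p] != new[p]) print "CHANGED " p
            for (p in old) if (!(p in new))                  print "DELETED " p
        }' "$base" "$tmp" | sort)
    rm -f "$tmp"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# notify_on_change DIR BASELINE RCPT: mail the report only when it is non-empty.
notify_on_change() {
    local dir="$1" base="$2" rcpt="$3" report
    if report=$(check_baseline "$dir" "$base"); then
        return 0
    fi
    printf '%s\n' "$report" | mail -s "PHP files changed under $dir" "$rcpt"
    return 1
}

# Stand-alone use, e.g. from cron (paths and recipient are hypothetical):
#   ./phpcheck.sh baseline   # create /root/php-baseline.sha256
#   ./phpcheck.sh check      # compare and mail root on any difference
WEBROOT=${WEBROOT:-/var/www/debian-tutorials.com}
BASELINE=${BASELINE:-/root/php-baseline.sha256}
case "${1:-}" in
    baseline) make_baseline "$WEBROOT" "$BASELINE" ;;
    check)    notify_on_change "$WEBROOT" "$BASELINE" "${MAILTO:-root}" ;;
esac
```

Run it once with the baseline argument after a known-good deployment, then schedule the check from root's crontab. Regenerate the baseline only after a deliberate update of the site, and verify that the report is empty right after doing so.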

Enjoy.

Valic


Editor in Chief at Debian-Tutorials, Linux enthusiast.
