
Possible Duplicate:
My server’s been hacked EMERGENCY

There is a file that keeps getting infected with this code. I can't figure out why. So I want to log who uploads or changes the file. Is there a way to log who uploads or changes a specific file?

PS: There is no FTP login. We only use SSH and Plesk.

nahha

2 Answers


Yes, there is. The audit subsystem has some pretty neat accounting features.

Running the following command will audit changes to the file:

auditctl -w /my/specificly/modified/file.txt -p w -k "suspect file change"

This will set up a watch on this file; whenever it is modified by a write, the change will be logged, and logged quite extensively.

You can check the logs doing:

ausearch -i -k "suspect file change"

This will return output such as:

type=PATH msg=audit(05/08/2012 17:32:32.353:13118) : item=1 name=/tmp/test.txt inode=5767528 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 
type=PATH msg=audit(05/08/2012 17:32:32.353:13118) : item=0 name=/tmp/ inode=5767169 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 
type=CWD msg=audit(05/08/2012 17:32:32.353:13118) :  cwd=/home/matthew/Testbed/C/fanotify 
type=SYSCALL msg=audit(05/08/2012 17:32:32.353:13118) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0xb540c0 a2=0x0 a3=0x7fff50cfba20 items=2 ppid=13699 pid=2773 auid=matthew uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=rm exe=/usr/bin/rm subj=staff_u:sysadm_r:sysadm_t:s0 key=some file 

If you want something stronger, you can go for something that, say, watches for any deletions by a user not normally inclined to do that. For performance, the more specific the rule the better.

auditctl -a exit,always -F arch=b64 -S unlink -S rmdir -F auid=78 -F dir=/var/www/vhost

The -F defines the filters and the -S defines the syscalls; the more filters, the less intensive it is on the kernel to track it. So in this case I filter on the user (apache), the vhosts directory and the arch. Arch becomes important: b64 is 64-bit, b32 is 32-bit.

You can set these up long-term by putting the rules in /etc/audit.rules.

Matthew Ife
  • And with the `auditctl -l` command you can see all rules. And with these commands you can remove the rules so the files are no longer watched: `auditctl -W /my/specificly/modified/file.txt -p w -k "suspect file change"` and `auditctl -d exit,always -F arch=b64 -S unlink -S rmdir -F auid=78 -F dir=/var/www/vhost` – Nabi K.A.Z. Dec 18 '16 at 21:28
  • `auditctl -D` deletes all rules. – Nabi K.A.Z. Dec 18 '16 at 22:00
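As an added example (not code from the answer or from the audit package), here is a small Python parser for `ausearch -i` records of the kind shown above: it groups the PATH and SYSCALL records of one event by their serial number and reports which login account (auid, which is fixed at SSH login and survives su/sudo) changed which file, filtered by the rule key. The input is the answer's own sample records, embedded here as constructed test data.

```python
import re
from collections import defaultdict

# Constructed sample input: the ausearch -i records quoted in the answer above,
# one event (serial 13118) made up of PATH, CWD and SYSCALL records.
SAMPLE_LOG = """\
type=PATH msg=audit(05/08/2012 17:32:32.353:13118) : item=1 name=/tmp/test.txt inode=5767528 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0
type=PATH msg=audit(05/08/2012 17:32:32.353:13118) : item=0 name=/tmp/ inode=5767169 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(05/08/2012 17:32:32.353:13118) :  cwd=/home/matthew/Testbed/C/fanotify
type=SYSCALL msg=audit(05/08/2012 17:32:32.353:13118) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0xb540c0 a2=0x0 a3=0x7fff50cfba20 items=2 ppid=13699 pid=2773 auid=matthew uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=rm exe=/usr/bin/rm subj=staff_u:sysadm_r:sysadm_t:s0 key=some file
"""

EVENT_RE = re.compile(r"msg=audit\(([^)]*):(\d+)\)")   # (timestamp, serial)
FIELD_RE = re.compile(r"(\w+)=(\S+)")                   # generic key=value


def parse_records(text):
    """Group the records of an interpreted audit log into events by serial."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue                      # blank or non-audit line
        ev = events[m.group(2)]
        ev["time"] = m.group(1)
        f = dict(FIELD_RE.findall(line))
        if f.get("type") == "PATH" and "name" in f:
            ev["paths"].append(f["name"])
        elif f.get("type") == "SYSCALL":
            ev.update({k: f.get(k) for k in
                       ("syscall", "success", "auid", "uid", "comm", "exe", "ses", "tty")})
            k = re.search(r"\bkey=(.*)$", line)   # the key may contain spaces
            ev["key"] = k.group(1).strip() if k else None
    return dict(events)


def who_changed(events, key=None):
    """Attribute each successful call to its login account (auid) and target paths."""
    report = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        if "syscall" not in ev or ev.get("success") != "yes":
            continue                      # incomplete event or failed call
        if key is not None and ev.get("key") != key:
            continue
        # auid is the login uid, so it names the real person even when uid shows root
        report.append({"serial": serial, "time": ev["time"],
                       "login_user": ev["auid"], "effective_user": ev["uid"],
                       "syscall": ev["syscall"], "program": ev["exe"],
                       "session": ev["ses"], "tty": ev["tty"],
                       "paths": [p for p in ev["paths"] if not p.endswith("/")]})
    return report
```

Run it against `ausearch -i -k "suspect file change"` output to get one line per change with the login user, the program and the file, rather than the raw four-record events.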

Since you're using CentOS, this is something you could use SELinux for. You could re-label the file in question as something like httpd_config_t like so: chcon -v --type=httpd_config_t /the/html/file/in/question.html

Then SELinux will log an error to /var/log/audit/audit.log. If you're running SELinux in "permissive" mode it will allow the change; if you're running in "enforcing" mode, it will not allow the change.

Take a look at: http://wiki.centos.org/HowTos/SELinux to learn more. Note: by default, SELinux is running and enforcing in CentOS, so you should just have to change the label on this one file.

Nada