1

I have apache installed with mod_php PHP5.

I've been able to find out that the apache process is changing my .htaccess and index.php files in the /var/www directory. All files in this directory are owned by www-data:www-data and have ug=rwX,o=rX permissions.

It's obvious that some malware PHP script is doing this. How do I find it?

Here's the output of auditd:

time->Thu Jun 26 21:15:12 2014
type=PATH msg=audit(1403802912.787:936): item=0 name="/var/www/example/htdocs/index.php" inode=1182278 dev=ca:01 mode=0100404 ouid=33 ogid=33 rdev=00:00
type=CWD msg=audit(1403802912.787:936):  cwd="/var/www/example/htdocs"
type=SYSCALL msg=audit(1403802912.787:936): arch=c000003e syscall=90 success=yes exit=0 a0=7fac1ef5a128 a1=104 a2=7 a3=7fac0e1490c0 items=1 ppid=12397 pid=22347 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key=(null)
Slava Fomin II
  • 1,701
  • 4
  • 17
  • 23

1 Answer

0

Check your access logs around that time; maybe you can find something there.

Tero Kilkanen
  • 36,796
  • 3
  • 41
  • 63
  • Thanks for your answer! I've got a lot of virtualhosts and access files are separate. Is there a way to monitor ALL HTTP requests in realtime? – Slava Fomin II Jun 26 '14 at 18:05
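To apply the answer across many separate virtualhost logs, as the comment asks, here is an added example that is not part of the original thread: it takes the event time from the auditd SYSCALL record (the epoch in msg=audit(...) is UTC) and lists every request from every vhost access log that falls within a few seconds of it. The log file paths and access-log lines are constructed samples.

```python
import re
from datetime import datetime, timezone

# Constructed sample input (not from the original post): the SYSCALL record mirrors the
# question's; the access-log lines are invented, one file per virtual host.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1403802912.787:936): arch=c000003e syscall=90 success=yes '
    'exit=0 items=1 ppid=12397 pid=22347 uid=33 gid=33 euid=33 tty=(none) '
    'comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key=(null)',
]
ACCESS_LOGS = {
    "/var/log/apache2/example-access.log": [
        '198.51.100.7 - - [26/Jun/2014:21:14:02 +0400] "GET /index.php HTTP/1.1" 200 512',
        '203.0.113.9 - - [26/Jun/2014:21:15:11 +0400] "POST /uploads/img.php HTTP/1.1" 200 43',
    ],
    # This vhost logs in UTC; the per-line offset is honoured so it still lines up.
    "/var/log/apache2/intl-access.log": [
        '192.0.2.8 - - [26/Jun/2014:17:15:13 +0000] "GET /robots.txt HTTP/1.1" 200 26',
    ],
}
# msg=audit(<epoch>.<ms>:<serial>): the epoch is UTC, so it compares safely with log offsets.
AUDIT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*? pid=(\d+).*?exe="([^"]*)"')
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
# Subset of the x86_64 syscall table (arch=c000003e) covering calls that alter files.
SYSCALL_NAMES_X86_64 = {1: "write", 2: "open", 82: "rename", 87: "unlink", 90: "chmod", 257: "openat"}

def parse_audit_events(lines):
    """Extract UTC time, serial, syscall name, pid and exe from auditd SYSCALL records."""
    events = []
    for line in lines:
        m = AUDIT_RE.search(line) if "type=SYSCALL" in line else None
        if m:
            num = int(m[3])
            events.append({"time": datetime.fromtimestamp(float(m[1]), tz=timezone.utc), "serial": int(m[2]),
                           "syscall": SYSCALL_NAMES_X86_64.get(num, str(num)), "pid": int(m[4]), "exe": m[5]})
    return events

def requests_near(event_time, access_logs, window_seconds=5):
    """Return requests from every vhost log within +/- window of the event, nearest first."""
    hits = []
    for path, lines in access_logs.items():
        for line in lines:
            m = ACCESS_RE.match(line)
            if m:
                when = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
                delta = round((when - event_time).total_seconds(), 3)
                if abs(delta) <= window_seconds:
                    hits.append({"log": path, "client": m[1], "request": m[3],
                                 "status": int(m[4]), "delta": delta})
    return sorted(hits, key=lambda h: abs(h["delta"]))
```

On a real host, feed it the relevant lines from /var/log/audit/audit.log and the contents of each vhost's access log; a POST to an unexpected PHP file a second or two before the chmod is the kind of hit worth inspecting.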