
Linux Tips!
A script that logs file data and later compares it to detect hidden Trojan files
Submitted by Darrell Shifflett [email protected]

A Perl script that logs file info and then later compares that info to the current file properties and logs any changes. Useful for checking whether directories have been tampered with, and/or for finding hidden unwanted files that may be damaging. Here is the script:
__________________________________________________________________

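#!/usr/bin/perl
# Baseline-and-compare checker for a fixed set of system directories.
# The two paths below are package globals read by getdata() and chkfiles().

# logfile is where any changes will be logged
our $logfile = "/etc/projects/changes.log";

# filedata is where the data on the files is stored
our $filedata = "/etc/projects/filedata";

# The list of directories to record lives in @dirs inside getdata().

# Both files live on the host being checked, so anyone able to alter the
# monitored files can usually alter the baseline and the log too; keep a copy
# of the baseline off-host or on read-only media and compare against that.

# Plain call syntax: `&menu;` would also hand menu() the caller's @_.
menu();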
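sub menu {
    # Print the option list, read one line from STDIN and dispatch on it.
    # Option 3, an unrecognised answer, or end-of-input simply returns.
    # getdata() calls menu() again when it finishes, so the menu loop is
    # recursive rather than iterative.
    print "Here are your options:\n";
    print "1 - record file data\n";
    print "2 - check files\n";
    print "3 - exit\n";
    print "Please enter your choice:";
    my $choice = <STDIN>;
    return unless defined $choice;    # EOF (e.g. ^D): nothing to dispatch
    chomp $choice;                    # chomp, not chop: never eats a real character
    if ($choice eq "1") {
        getdata();
    }
    elsif ($choice eq "2") {
        chkfiles();
    }
    return;
}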

    sub getdata  {

# To add more dirs to record files in just add below

@dirs = ("/bin","/sbin","/lib");
    foreach $line (@dirs)  {
    @filelist = <$line/*>;
    foreach $line (@filelist)  {
    ($size,$mtime,$ctime)  =  (stat($line))[7,9,10];

# This path can be changed

open(DB,"$filedata");
    @recorded  =  ;
    close(DB);
    open(DB,">$filedata");
    foreach $line (@recorded)  {
    print DB "$line";
}
print DB "$line!$size!$mtime!$ctime\n";
print "$line: $size , $mtime , $ctime\n";
close(DB);
   }
}

&menu;     }
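sub chkfiles {
    # Compare every record in $filedata against the current stat() values and
    # append one "Mon DD HH:MM:SS ALERT: ..." line to $logfile per difference.
    # A file that can no longer be stat()ed is reported once as missing rather
    # than as three bogus changes. Progress is printed to STDOUT.
    my $time = localtime(time);
    print "$time\n";
    # localtime() pads single-digit days with a space ("Sun Jan  1 ..."), so
    # split on runs of whitespace; split(/ /) leaves an empty field and shifts
    # the day and the time into the wrong variables for days 1-9.
    my (undef, $month, $nday, $tme) = split(/\s+/, $time);
    my $stamp = "$month $nday $tme";

    open(my $db, '<', $filedata)
        or die "Cannot open $filedata: $!";
    my @files = <$db>;
    close($db);

    for my $record (@files) {
        chomp $record;
        next if $record eq '';    # tolerate blank lines in the data file
        my ($name, $osize, $omtime, $octime) = split(/!/, $record);
        print "Checking: $name\n";
        my ($size, $mtime, $ctime) = (stat($name))[7, 9, 10];

        unless (defined $size) {
            _append_log("$stamp ALERT: $name is missing or cannot be read ($!)!\n");
            next;
        }
        if ($osize ne $size) {
            _append_log("$stamp ALERT: $name has changed size from $osize to $size!\n");
        }
        if ($omtime ne $mtime) {
            _append_log("$stamp ALERT: $name has changed mtime from $omtime to $mtime!\n");
        }
        if ($octime ne $ctime) {
            _append_log("$stamp ALERT: $name has changed ctime from $octime to $ctime!\n");
        }
    }
    print "All changes have been logged to: $logfile\n";
    return;
}

# Append one line to $logfile. Opening in append mode replaces the original
# read-everything-then-rewrite sequence that ran once per alert.
sub _append_log {
    my ($message) = @_;
    open(my $log, '>>', $logfile)
        or die "Cannot open $logfile for appending: $!";
    print {$log} $message;
    close($log) or die "Error writing $logfile: $!";
    return;
}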

__________________________________________________________________


