Say you host a few web sites for various folks, and you give them write access to a directory on your server. Well, then, my friend, you’re as big a fool as I am.
Maybe you want to mitigate this foolhardiness by keeping an eye on what these folks upload. For example, when I see a user uploading SuperBulletinBoardThatIsTotallyNotASpamTool.php or SuperWordPressPasswordSharingPlugin.php, I can call them and explain why I’m deleting it. I can be a slightly-less-bastard operator from heck.
So here’s a quick bash script that I use. It’ll also help to alert you if somehow one of the WordPress sites gets compromised, and rogue php files get installed. It ignores commonly changing files or things we’re not interested in like images. It shouldn’t be considered an intrusion detection system, or a robust security auditing tool — this wouldn’t really help in the case of an actual hacker with any l33t skillz at all. It’s just a quick information source.
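#!/bin/bash
# Start from clean scratch files
rm -f /tmp/fcl.txt
rm -f /tmp/fcld.txt
# Files changed in the last day, minus VCS metadata, images, PDFs and cache directories
/usr/bin/find /var/www/ -type f -ctime -1 | /bin/egrep -v '\.git|\.svn|\.(jpg|gif|pdf)$|wp-content/cache|files/cache/zend_cache' > /tmp/fcl.txt
# Long listing per file; NUL-separated so spaces in names survive, -r skips ls when the list is empty
xargs -0 -r -n 1 ls -l < <(tr '\n' '\0' < /tmp/fcl.txt) > /tmp/fcld.txt
# Send mail only if something changed
[ -s /tmp/fcld.txt ] && /usr/bin/mail -aFrom:email@example.com -s "MYDOMAIN.COM FILES UPDATED" firstname.lastname@example.org < /tmp/fcld.txt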
Throw it into a crontab, and there you have it. You'll get an email with a list of files changed in the past day.
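A hardened variant of the same report, added here as an example and not part of the original script: it does the filtering inside find and writes the report to a mktemp file instead of fixed names in /tmp. The function names list_changed and mail_report are hypothetical; the web root and the mail -aFrom: syntax are taken from the script above.

```sh
#!/bin/sh
# Added example, not the post's script. Function names are hypothetical.

# list_changed ROOT
# Long listing of files under ROOT whose ctime is less than a day old.
# Exclusions match whole directory names (pruned) or file suffixes, so a
# file that merely has ".git" somewhere in its name is still reported.
# find hands each name straight to ls, so spaces never split a path.
list_changed() {
    find "$1" \
        \( -path '*/.git' -o -path '*/.svn' \
           -o -path '*/wp-content/cache' \
           -o -path '*/files/cache/zend_cache' \) -prune \
        -o -type f -ctime -1 \
           ! -name '*.jpg' ! -name '*.gif' ! -name '*.pdf' \
           -exec ls -ld {} +
}

# mail_report ROOT FROM TO
# Mails the listing only when it is non-empty. The report goes to a
# mktemp file: a fixed name in world-writable /tmp can be pre-created
# or symlinked by any local user before cron runs the job as root.
mail_report() {
    report=$(mktemp) || return 1
    list_changed "$1" > "$report"
    if [ -s "$report" ]; then
        mail -aFrom:"$2" -s "FILES UPDATED" "$3" < "$report"
    fi
    rm -f "$report"
}

# Cron entry point, e.g.: report.sh /var/www/ email@example.com firstname.lastname@example.org
if [ "$#" -eq 3 ]; then
    mail_report "$1" "$2" "$3"
fi
```
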