centos监控web目录www下的文件是否被黑挂马的脚本

Posted 2021-03-01 xiami2046

、检查是否有安装inotify

rpm -qa inotify-tools

2、没有先安装epol源

wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo

3、安装

yum install inotify-tools -y

4、脚本

#!/bin/bash

CHECKDIR="/root/test"    #监控目录路径
LOG="/root/tmp/inot.log"        #日志存放路径


function CheckDir {
    inotifywait -mrq --timefmt ‘%y-%m-%d %H:%M‘  --format ‘%T %f %e‘ -e ‘create,delete,modify,moved_to‘ $CHECKDIR|while read event
    do 
        INO_TIME=$(echo $event | awk ‘{print $1,$2}‘)        # 把inotify输出切割 把时间部分赋值给INO_TIME
        INO_FILE=$(echo $event | awk ‘{print $3}‘)          # 把inotify输出切割 把文件路径部分赋值给INO_FILE
        INO_EVENT=$(echo $event | awk ‘{print $4}‘)         # 把inotify输出切割 把事件类型部分赋值给INO_EVENT        
        
        if [[ $INO_EVENT = ‘CREATE‘ ]] && [[ $INO_FILE != .* ]];then        # 判断事件类型(create)
            echo "`date ‘+%Y-%m-%d %H:%M‘` create file: $INO_FILE" >> $LOG
        elif [[ $INO_EVENT = ‘CREATE,ISDIR‘ ]];then
            echo "`date ‘+%Y-%m-%d %H:%M‘` create dir: $INO_FILE" >> $LOG
        fi
        
        if [[ $INO_EVENT = ‘DELETE‘ ]] && [[ $INO_FILE != .* ]];then        # 判断事件类型(delete)
            echo "`date ‘+%Y-%m-%d %H:%M‘` delete file: $INO_FILE" >> $LOG
        elif [[ $INO_EVENT = ‘DELETE,ISDIR‘ ]];then
            echo "`date ‘+%Y-%m-%d %H:%M‘` delete dir: $INO_FILE" >> $LOG
        fi
        
        if [[ $INO_EVENT = ‘MODIFY‘ ]] && [[ $INO_FILE != .* ]];then        # 判断事件类型(modify)
            echo "`date ‘+%Y-%m-%d %H:%M‘` modify file: $INO_FILE" >> $LOG
        fi

    done
}

CheckDir

5、运行脚本

1）测试： ./monitor.sh
2) 后台运行 nohup ./monitor.sh