Thursday, October 1, 2009

Directory Checksum

Recently I found suspicious files on some of my websites. After some research I discovered that most of my custom HTML and PHP files had also been modified and contained base64-encoded code. So I decided to make a universal script that lets me take a fingerprint of a site and then manually check my files for changes every week. This PHP script takes the md5sums of all files in the specified directory (including subdirectories) and saves the result in a custom data file. The next time you run it, it will show you new files, files that were not changed and files that WERE CHANGED. The output and some other options can be customized inside the code itself. If you have ssh access to your webserver, you can do almost the same by running

find test5 -type f -print0 | xargs -0 md5sum

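<?php
#comment this if you want to debug the script
error_reporting(0);

#walk $path recursively and pass every file found to checkFile()
function lookDir($path) {
  $handle = @opendir($path);
  if (!$handle)
    return false;
  #compare with false explicitly so that an entry named "0" does not end the loop
  while (($item = readdir($handle)) !== false) {
    if ($item != "." && $item != "..") {
      if (is_dir($path."/".$item))
        lookDir($path."/".$item);
      else
        checkFile($path."/".$item);
    }
  }
  closedir($handle);
  return true;
}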

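#compare one file against its stored fingerprint and report the result
function checkFile($file) {
  global $hashes;
  global $output;
  global $force_update;
  if (is_readable($file)) {
    $current = md5_file($file);
    if (!isset($hashes[$file])) {
      $hashes[$file] = $current;
      if ($output["new"])
        echo $file."\t\tNew\n";
    #strict comparison: with == two hashes of the form 0e<digits> compare as equal numbers
    } elseif ($hashes[$file] === $current) {
      if ($output["success"])
        echo $file."\t\tSuccess\n";
    } else {
      if ($force_update) {
        $hashes[$file] = $current;
        if ($output["failed"])
          echo $file."\t\tUpdate forced\n";
      } elseif ($output["failed"]) {
        echo $file."\t\tFailed!\n";
      }
    }
  }
}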

#directory for checking integrity
$dir = "./test5";

#file for storing fingerprints, should be writeable in case of fingerprints update
$file = "./fingerprints";

#set this value to false if you do not want to update fingerprints
$can_update = true;

#set this value to true if you want to update fingerprints of modified files
#you should do this only if you have modified the files yourself
$force_update = false;

#the output parameters
$output["new"] = true;
$output["success"] = true;
$output["failed"] = true;

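header("Content-Type: text/plain");
#load the stored fingerprints; a missing or unreadable data file means an empty baseline
$data = is_readable($file) ? file_get_contents($file) : false;
#allowed_classes => false (PHP 7+) keeps unserialize() from instantiating objects
$hashes = $data ? unserialize($data, array("allowed_classes" => false)) : array();
if (!$hashes || !is_array($hashes))
  $hashes = array();
if (!lookDir($dir))
  echo "Could not open the directory ".$dir."\n";
if ($can_update) {
  if (file_put_contents($file, serialize($hashes)) !== false)
    echo "Fingerprints were updated\n";
  else
    echo "The file cannot be opened for writing! Fingerprints were not updated\n";
} else {
  echo "Fingerprints were not updated\n";
}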


