Tripwire

A PHP script, designed to be run by a cron job, which detects files which have been added, deleted or modified since the previous execution of the script. Sends emails with a summary of changes. Great for detecting malicious activity (hacking, unauthorised access other hacker actions).

Uses

Wordpress virus guard. I have seen a virus which will rewrite your php files documented here.

Malicious Uploads. This script will tell you anytime a file is added/removed/modified. This can get annoying, but between the settings available in Tripwire, and your own email filters, you should be able to come up with a nice solution.

Installation

Download this repo as a zip and install on your server, or use a git pull.

In terminal, run:

cd ~

git clone https://github.com/polyesterhat/Tripwire.git tripwire

cd tripwire

git submodule init && git submodule update

cp tripwire_config.sample.ini tripwire_config.ini

That last command will make an untracked config file (which is good). Now, configure the tripwire_config.ini file (ini file info here). At least put in your own email address and customize the paths array so the script knows which directories to watch.

Set up the Crontab (cronjob)

crontab -e

This will open a VI editor. And paste in:

*/15 * * * *  /usr/bin/php /path/to/Tripwire/tripwire.php

If you don't know how to use vi, just remember, hit the i key to start typing or pasting, and then hit Esc and Ctrl + ; to enter command mode, and once in command mode type wq and hit Enter. This will save and exit.

15 is the number of minutes tripwire should wait, if you want 5, put a 5 instead of a 15. More information here.