[nycbug-talk] Searching for suspect PHP files...
matt at atopia.net
Mon Mar 9 13:10:58 EDT 2009
> The only document you need is 'man mtree'. There is no default mtree
> specification file generated with at least sha256digest, and that's what
> you need. You also need to make sure to exclude (-X filename) any
> directories with dynamically generated files. For the overall security
> of the site installing some type of WAF could help, like mod-security2.
> # mtree -c -K sha256digest -X mtree.exclude -p /path > host.mtree
> # mtree -X mtree.exclude -p /path < host.mtree
> That's only two commands you need to know. Of course you can script it
> to send you alerts via email etc.
Understood, but if I'm trying to compare files that came with the default
FreeBSD 6.3-RELEASE installation (to protect from rootkits), wouldn't
running a command on ANY 6.3-RELEASE install that I know to be correct
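Added example (not from this thread, and not mtree itself): a small POSIX sh stand-in for the two quoted mtree commands, so the logic is visible. It builds a baseline of SHA-256 digests for a tree, honours an exclude list of path prefixes for directories with dynamically generated files, and then verifies a tree against that baseline, reporting modified, missing and added files. The baseline can be generated on a reference install and then checked against another host's files, which is the comparison the reply above is asking about. The function names (digest_file, make_baseline, verify_tree) and file layout are assumptions; it requires find, sort, awk and one of sha256sum, sha256 (FreeBSD), shasum or openssl.

```shell
#!/bin/sh
# Added illustration of the mtree sha256digest + exclude approach; not the
# original poster's script. Paths containing tabs or newlines are not handled
# (mtree escapes these itself).

# digest_file FILE -> SHA-256 hex digest of FILE, using whatever tool exists.
digest_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then        # FreeBSD
        sha256 -q "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# make_baseline ROOT EXCLUDE_FILE -> sorted "path<TAB>sha256" lines on stdout.
# EXCLUDE_FILE lists path prefixes relative to ROOT, one per line, to skip
# (the equivalent of mtree's -X file), e.g. cache or upload directories.
make_baseline() {
    root=$1; exclude=$2
    (cd "$root" && find . -type f | sort) | while read -r rel; do
        rel=${rel#./}
        skip=0
        if [ -s "$exclude" ]; then
            while read -r pat; do
                [ -n "$pat" ] || continue
                case "$rel" in "$pat"|"$pat"/*) skip=1; break ;; esac
            done < "$exclude"
        fi
        [ "$skip" -eq 1 ] && continue
        printf '%s\t%s\n' "$rel" "$(digest_file "$root/$rel")"
    done
}

# verify_tree ROOT EXCLUDE_FILE BASELINE -> prints one line per difference
# ("added<TAB>path", "missing<TAB>path", "modified<TAB>path"), sorted.
# Returns 0 when the tree matches the baseline, 1 when anything differs,
# which is the exit status a cron job would turn into an alert mail.
verify_tree() {
    root=$1; exclude=$2; baseline=$3
    current=$(mktemp "${TMPDIR:-/tmp}/baseline.XXXXXX")
    make_baseline "$root" "$exclude" > "$current"
    report=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2; next }     # load the baseline
        !($1 in base)       { print "added\t" $1; next } # on disk, not in baseline
        base[$1] != $2      { print "modified\t" $1 }    # digest changed
                            { delete base[$1] }          # seen; leftovers are missing
        END { for (p in base) print "missing\t" p }
    ' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh integrity.sh baseline /path mtree.exclude > host.sha256
#        sh integrity.sh verify   /path mtree.exclude host.sha256
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify_tree "$2" "$3" "$4" ;;
esac
```

The baseline file must live somewhere the host being checked cannot silently rewrite it (read-only media or another machine), or an attacker who replaces a binary can refresh the digest alongside it; the same caveat applies to the host.mtree file in the quoted commands.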