[nycbug-talk] Searching for suspect PHP files...

Andy Kosela akosela at andykosela.com
Mon Mar 9 19:48:00 EDT 2009

Matt Juszczak <matt at atopia.net> wrote:

> > The only document you need is 'man mtree'.  There is no default mtree
> > specification file generated with at least sha256digest, and that's what
> > you need.  You also need to make sure to exclude (-X filename) any
> > directories with dynamically generated files.  For the overall security
> > of the site installing some type of WAF could help, like mod-security2.
> >
> > # mtree -c -K sha256digest -X mtree.exclude -p /path > host.mtree
> >
> > # mtree -X mtree.exclude -p /path < host.mtree
> >
> > That's only two commands you need to know.  Of course you can script it
> > to send you alerts via email etc.
> >
> > --Andy
> Andy,
> Understood, but if I'm trying to compare files that came with the default 
> FreeBSD 6.3-RELEASE installation (to protect from rootkits), wouldn't 
> running a command on ANY 6.3-RELEASE install that I know to be correct 
> work?

Not really.  mtree(8) by default takes into account mtime, so if you
rebuilt the system at any given time, you need to start from scratch
with the new fresh specification file.

That's an example of mtree(8) specification:

 COPYRIGHT   mode=0444 size=6192 time=1233677486.0 \


More information about the talk mailing list