This is intended as a companion to maldet-per-user. It finds and catalogues caches of symlinks on user accounts. Such symlink caches often go hand in hand with shell scripts and other nastiness on accounts and servers.
=Function=
This script first creates a .pid file, '''/var/run/symlinkhunter.pid''', containing the pid of the running script. It then checks the EasyApache logs for what SymlinkProtection was set to in the last five (5) runs of EasyApache. Next it creates a .lock file in '''/var/run/''' that holds both the pid of the script and the name/location of the log file for this scan. A run that dies before cleaning up leaves these files behind, so before treating an existing pid file as "scan in progress", check that the pid it names is still alive.
=The Script=
To use, download the script and run it from the server:

http://axeblade.net/symlinkhunter.sh

 symlinkhunter.sh -h
 Usage: ./symlinkhunter.sh [OPTIONS]
   -f ... Fast Mode, set scan directory depth to 3
   -t ... Threshold count of links to be logged
   -u ... User list
   -h ... Print this help information and quit.

==Default Output==
 --------------------------------------------------------------------------------
 Symlink Protection Status
 ----------------------------------------
 "SymlinkProtection": Enabled :: 2015-10-13
 "SymlinkProtection": Enabled :: 2015-10-13
 "SymlinkProtection": Enabled :: 2015-11-25
 "SymlinkProtection": Enabled :: 2016-01-18
 "SymlinkProtection": Enabled :: 2016-01-18
 --------------------------------------------------------------------------------
 Symlink Search Results
 ----------------------------------------
 20000 :: /home/killingstroke/public_html/
 --------------------------------------------------------------------------------
 Scan log: /usr/local/symdetect/symlinkhunter_2016-01-27_6247.log
 ----------------------------------------

==Example Option Usage==
 # Limit scan depth to 3 folders past the public_html
 symlinkhunter.sh -f
 # Set a threshold count of links below which a folder is not logged
 symlinkhunter.sh -t 10
 # Scan only a subset of users (comma-separated list)
 symlinkhunter.sh -u user1,user2,user3

=Logging=
Logs are created in the folder '''/usr/local/symdetect/''' with the naming convention '''symlinkhunter_(date)_(pid).log'''. This naming and the internal formatting intentionally mimic the output of Maldet logs. Logs are more verbose than the terminal output: they contain the start and end time of the scan, a count of symlinks per folder, and the total for the account.
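As an added example (this is not the axeblade.net script, whose source is not reproduced on this page), the following POSIX sh sketch implements the behaviour described in the Function, Example Option Usage and Logging sections: the pid and lock files, the -f/-t/-u options, per-folder and per-account symlink counts, and a log in the symlinkhunter_(date)_(pid).log layout. The SymlinkProtection check against the EasyApache logs is left out because their location and format are not described here. Every function name, the SYMHUNT_* variables, the lock file name and the sample account tree are assumptions made for the example, and the stale-pid check in acquire_lock is an addition beyond what the page describes.

```shell
#!/bin/sh
# Added example of a symlinkhunter-style scan; this is NOT the script from
# axeblade.net. Assumed/hypothetical: all function names, the SYMHUNT_* variables,
# the name symlinkhunter.lock, and the sample tree built by make_demo_tree.
SYMHUNT_RUNDIR="${SYMHUNT_RUNDIR:-/var/run}"              # pid/lock files (page)
SYMHUNT_LOGDIR="${SYMHUNT_LOGDIR:-/usr/local/symdetect}"   # log directory (page)
SYMHUNT_HOME="${SYMHUNT_HOME:-/home}"                      # where accounts live

# pid file = pid of this run; lock file = pid plus log path (as the page says).
# Added check: a pid file naming a dead process, or holding non-digits, is stale
# and is overwritten, so a crashed run cannot block every later cron run.
acquire_lock() {   # $1 = log path for this scan
    pidfile="$SYMHUNT_RUNDIR/symlinkhunter.pid"
    old=$(cat "$pidfile" 2>/dev/null || true)
    case $old in
        ''|*[!0-9]*) ;;                                   # missing/garbage: stale
        *) if kill -0 "$old" 2>/dev/null; then
               echo "symlinkhunter already running as pid $old" >&2; return 1
           fi ;;
    esac
    echo "$$" > "$pidfile"
    printf '%s %s\n' "$$" "$1" > "$SYMHUNT_RUNDIR/symlinkhunter.lock"
}
release_lock() { rm -f "$SYMHUNT_RUNDIR/symlinkhunter.pid" "$SYMHUNT_RUNDIR/symlinkhunter.lock"; }

# Symlinks within $2 directory levels of $1 ("" = unlimited). find does not follow
# links, so a link to / cannot drag the scan across the whole filesystem.
count_links() {
    if [ -n "$2" ]; then find "$1" -maxdepth "$2" -type l; else find "$1" -type l; fi |
        wc -l | tr -d ' '
}

# One "COUNT :: {SYM} :: /dir/" line per directory below $1 (within depth $2)
# that directly holds at least $3 symlinks.
scan_dirs() {
    if [ -n "$2" ]; then find "$1" -mindepth 1 -maxdepth $(($2 - 1)) -type d
    else find "$1" -mindepth 1 -type d; fi | sort | while IFS= read -r d; do
        n=$(find "$d" -maxdepth 1 -type l | wc -l | tr -d ' ')
        if [ "$n" -ge "$3" ]; then printf '%s :: {SYM} :: %s/\n' "$n" "$d"; fi
    done
}

# One account: the total for public_html (only if it reaches the threshold),
# then the per-directory breakdown, in the page's log layout.
scan_account() {   # $1 = account, $2 = depth, $3 = threshold
    docroot="$SYMHUNT_HOME/$1/public_html"
    [ -d "$docroot" ] || { echo "no public_html for $1, skipping" >&2; return 0; }
    total=$(count_links "$docroot" "$2")
    [ "$total" -ge "$3" ] || return 0
    printf '%s :: %s/\n' "$total" "$docroot"
    scan_dirs "$docroot" "$2" "$3"
}

# -u is a comma-separated list (page); without it every directory under
# $SYMHUNT_HOME is treated as an account.
user_list() {
    if [ -n "$1" ]; then printf '%s\n' "$1" | tr ',' '\n'; else ls "$SYMHUNT_HOME"; fi
}

# run_scan [-f] [-t N] [-u a,b]: the page's flags. Depth is unlimited unless -f
# (3 levels past public_html); threshold is 1 unless -t. Writes the log and
# prints its path in the "Scan log:" line of the default output.
run_scan() {
    depth=""; threshold=1; users=""; OPTIND=1
    while getopts 'ft:u:' opt; do
        case $opt in
            f) depth=3 ;;  t) threshold=$OPTARG ;;  u) users=$OPTARG ;;  *) return 2 ;;
        esac
    done
    log="$SYMHUNT_LOGDIR/symlinkhunter_$(date +%Y-%m-%d)_$$.log"
    acquire_lock "$log" || return 1
    {
        echo "START_SCAN: $(date +%Y-%m-%d_%H:%M:%S)"
        user_list "$users" | while IFS= read -r u; do scan_account "$u" "$depth" "$threshold"; done
        echo "END_SCAN: $(date +%Y-%m-%d_%H:%M:%S)"
    } > "$log"
    release_lock
    echo "Scan log: $log"
}

# Constructed sample (not real data): one account whose public_html holds links
# to another account's wp-config.php, nested at several depths. Totals: 2 links
# in public_html, 4 in test1/, 3 in test2/, 1 in test1/deep/, 5 four levels down.
make_demo_tree() {   # $1 = base directory, gets home/, run/ and log/
    mkdir -p "$1/home/example/public_html/test1/deep/deeper" \
             "$1/home/example/public_html/test2" "$1/run" "$1/log"
    mk() { i=0; while [ "$i" -lt "$2" ]; do
               ln -s /home/victim/public_html/wp-config.php "$1/cfg$i.txt"; i=$((i + 1))
           done; }
    mk "$1/home/example/public_html" 2;        mk "$1/home/example/public_html/test1" 4
    mk "$1/home/example/public_html/test2" 3;  mk "$1/home/example/public_html/test1/deep" 1
    mk "$1/home/example/public_html/test1/deep/deeper" 5
}

demo() {   # fast mode, threshold 2, one account, everything under a temp dir
    base=$(mktemp -d); make_demo_tree "$base"
    SYMHUNT_HOME="$base/home"; SYMHUNT_RUNDIR="$base/run"; SYMHUNT_LOGDIR="$base/log"
    run_scan -f -t 2 -u example
    cat "$base"/log/symlinkhunter_*.log
    rm -rf "$base"
}
demo
```

Run as-is it builds a throwaway tree under mktemp, scans it in fast mode with a threshold of 2 and prints the resulting log; point SYMHUNT_HOME, SYMHUNT_RUNDIR and SYMHUNT_LOGDIR at the real paths to scan a server. Two properties matter for a scan run as root over untrusted account content: find does not follow symlinks, so a link to / cannot make the scan wander out of public_html, and nothing here reads link targets or opens the linked files, so the scan only counts links, as the real script's output does.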
 /usr/local/symdetect/symlinkhunter_2016-01-27_6247.log
 --------------------------------------------------------------------------------
 Symlink Protection Status
 ----------------------------------------
 "SymlinkProtection": Enabled :: 2015-10-13
 "SymlinkProtection": Enabled :: 2015-10-13
 "SymlinkProtection": Enabled :: 2015-11-25
 "SymlinkProtection": Enabled :: 2016-01-18
 "SymlinkProtection": Enabled :: 2016-01-18
 --------------------------------------------------------------------------------
 Symlink Search Results
 ----------------------------------------
 START_SCAN: 2016-01-27_18:33:29
 20000 :: /home/killingstroke/public_html/
 10000 :: {SYM} :: /home/killingstroke/public_html/test1/
 10000 :: {SYM} :: /home/killingstroke/public_html/test2/
 END_SCAN: 2016-01-27_18:33:31

=Bugs=
I would love to get the '''-u''' flag to take a regex and match groups of accounts. I have not figured out how to do this, so ... a feature request for the future.
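One way the '''-u''' flag could accept regular expressions, as an added example that is not part of symlinkhunter.sh: each comma-separated entry is treated as an anchored extended regex and matched against the account names with grep -E. A plain entry such as user1 keeps its exact-match meaning (it does not match user10), so the page's existing user1,user2,user3 form keeps working. The function names and the constructed account list in sample_accounts are assumptions for the example; a real script would feed it the directory names under /home, or wherever the accounts live, instead.

```shell
#!/bin/sh
# Added example, not part of symlinkhunter.sh: a -u that accepts extended
# regexes. Assumed/hypothetical: the function names and the constructed
# account list in sample_accounts (a real script would list /home instead).

# Constructed sample of account names, one per line.
sample_accounts() { printf 'user1\nuser2\nuser10\nshopmain\nshopdev\nadmin\n'; }

# $1 = comma-separated list of extended regexes; account names on stdin; the
# matching names on stdout, in input order. Each pattern is anchored (^...$),
# so the plain list from the page ("user1,user2,user3") keeps its exact-match
# meaning: "user1" does not match "user10". A pattern cannot itself contain a
# comma. grep exit status 1 (nothing matched) is not treated as an error.
match_users() {
    [ -n "$1" ] || { cat; return; }                 # no -u: keep every account
    re=$(printf '%s' "$1" | tr ',' '|')
    grep -E "^($re)$" || [ $? -eq 1 ]
}

sample_accounts | match_users 'user[0-9]+,shop.*'   # user1 user2 user10 shopmain shopdev
sample_accounts | match_users 'user1'               # user1 only
```

In the scan itself the output of match_users would replace the literal list: `ls /home | match_users "$users" | while read -r u; do ...; done`, which also drops names that exist in the list but have no home directory.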
Please submit any other bugs and/or feature requests to: mcunningham@liquidweb.com [[Category:Enterprise]]