Get notified when a file got uploaded to server by email

Question

my server is hacked and I want a script or anything to get notified by email when any file uploaded or modified in my website I looked at https://stackoverflow.com/questions/35196640/get-notified-when-a-file-got-uploaded-to-server and Best way to monitor file system changes in linux But I didn't understand the way can you guide me step by step please ?

Answer 1

I have a simple solution, which also keeps backups of my own changes to the CMS. It works for all the websites I manage (about a dozen, some flat HTML, some Joomla, some Wordpress, on a few different hosts. This has saved me dozens of times, from user error ("hi, I updated my wordpress template and now the whole site is broken") to server-wide hacks ("dear hosting customer, our Plesk was hacked recently, please change all your passwords and check the contents of your sites").

The only requirement : you need access to a Linux machine which is on at least once a day. For me it's the desktop I use every day, but you could run this on your web server itself.

Anyway, here it is:

• set up all your FTP sites as bookmarks in lftp
• set up local git repositories for each of the sites you host (git init && git commit -m "first commit")
• make sure that cron is running (on most systems it is), and that it can email you the results of each job (you'll probably have to redirect you@localhost to your public email address)
• add this line to crontab

51 03 * * * ~/bin/updateMirrors.sh

• and save this file as ~/bin/updateMirrors.sh

  #!/bin/bash    
  # step through the list of FTP bookmarks, mirror each one.
  # seems to take anywhere from 2 to 10 hours
  # cron should email the results to you@localhost
  
  while read SITE; 
    do NAME=`echo $SITE|cut -d' ' -f1`;
    echo $NAME `date` ;
    cd ~/$NAME/httpdocs;
    # if there's hackage, try this without the -X *-cache-* lines (someone might evilly install a trojan that looks like a cache file)
    lftp $NAME -e "mirror --verbose -X *-cache-*;quit"|grep -E "Transfer|Permission";
    git add . && git commit -m "updateMirrors.sh"
    echo ---------------------------------------------------------------------------
  done <~/.lftp/bookmarks
  
  ## if you find hackage, do this:
  ## git log --name-only
  ## git checkout [last uuid before hacking started]
  ## lftp and mirror -eR --exclude .git*
  

For the last couple of years, every single morning, I get an email in my inbox which looks like this :

wecan.be Tuesday 29 November 05:15:59 AEDT 2016 On branch master nothing to commit, working directory clean
---------------------------------------------------------------------------
handyWarhols Tuesday 29 November 05:17:46 AEDT 2016 On branch master nothing to commit, working directory clean
---------------------------------------------------------------------------
colbourneave Tuesday 29 November 05:17:53 AEDT 2016 Transferring file `components/com_content/models/cache.db'
Transferring file `logs/error.php'
[git_head 657d5dc] updateMirrors.sh
 2 files changed, 141 insertions(+), 2 deletions(-)
---------------------------------------------------------------------------

You can see that the error log was updated for one site. If one of those sites is hacked, it's obvious because there are new files checked in (which I can roll back once I've worked out how it happened). And whenever I or anyone else add content to any of the sites, or if I update a plugin or template, the new files are checked in.