PHPFileMon – A simple PHP based file monitoring system

File monitor
File monitor

WHAT IS IT?

File monitor
File monitor

What led us to the creation of PHPFileMon was finding a simple way of monitoring if any file on a website had been altered or changed. This can be mainly used as a  notification tool for security purposes in case someone hacks into the website and plants extra code or malicious code in one of the files/pages physically. This can also be used as a notification system, every time someone uploads or does authorized changes to the files on the website. There could be other uses for it also. What PHPfilemon does is detect changes and send notifications so it can be applied to any number of things.

There are lot of defacement and change scanners available both commercial and open source like TripWire etc. but we wanted something simple which could be used on any shared hosts without having to install something on the server.

HOW IT WORKS

The working is quite simple. These are the following files involved:

  1. files.dat – this is the source file respository which defines which paths/files need to be monitored.
  2. phpfilemon.dat – this is an xml file which is created once the updater is run.
  3. semaphore.dat – this acts like a simplistic semaphore to prevent the scanner and updater from running at the same time
  4. updater.php – runs through all the files in files.dat and creates phpfilemon.dat
  5. scanner.php – processes phpfilemon.dat to detect changes and sends notification mails

The updater stores the latest file dates and times of each file in files.dat , in phpfilemon.dat . The scanner compares the current file date/time for each file in files.dat and compares it to the stored file date/time for the file in phpfilemon.dat . If there is a difference then it flags it as a changed file.

THE SOURCE FILE REPOSITORY

The source file repository files.dat takes in a single path per row:

../*.php
../classes/*.php

/var/websites/thissite/thisfile.txt

../includes/*.*

As shown above you can put relative paths or absolute paths, with or without wildcard characters. This file has to be created by hand as every website would have different files to be monitored. Paths specified here are NOT recursive. So if a folder has subfolders, then each of those subfolders also need to be entered separately.

THE XML REPOSITORY

PHPmonlist.dat is an xml file created by the updater when it runs. It has a very simple structure. It stores the full filepath and the datetime it was created. :

<?xml version=”1.0″ encoding=”UTF-8″?>
<files>
<file name=”../ExpenseBook/add_entry.php” date=”1344685028″/>
<file name=”../ExpenseBook/contactUs.php” date=”1343068892″/>
</files>

THE UPDATER

updater.php will run through files.dat and get the file datetime of each file mentioned If it finds a wildcard entry it will expand it first to get all the files matching that wildcard. The PHPmonlist.dat thus created will contain the entries of individual files.

THE SCANNER

scanner.php will run and compare the datetimes of each file in phpmonlist.dat and compare it with its current datetime. If there is a difference it stores in a notification list and then sends the list as a mail.

THE SEMAPHORE FILE

The semaphore.dat can have three states. The three states are stored as a simple string:

  1. Idle  – neither scanner not updater is running
  2. Updating – updater is running
  3. Scanning – scanner is running

The updater and scanner both check the status of the semaphore before running. If the status is not idle they terminate without doing any work. Once work is completed,. the status is set back to Idle

HOW TO MAKE ALL THIS WORK

First put all the files in a folder in your website. Make sure the folder has write permissions since phpmonlist.dat will need to be updated periodically by updater.php

In scanner.php you need to add in your own code to send the actual notification mail . There is space and comments left for it at the end of scanner.php. You can still run scanner.php without the mail part – it will display the files which have changed.

Once you have specified the files and paths in files.dat, run updater.php. Then you can run scanner.php any number of times to detect changes. Ideally you should put scanner.php in a cron job to run periodically and send auto-notification for changes.

FALSE ALARMS

The current code will send a false alarm if you make changes or upload changes to files on your webserver and the scanner runs automatically after that. Preferably you should run updater once after you make any changes to the file, so that scanner does not trigger a false alarm.

This part has been kept open-ended as there are multiple ways of handling false alarms. One way would be to have a fourth status for the semaphore called DISABLE which would prevent the scanner from running. This status would get reset again by running updater the next time.

DOWNLOAD

The complete source can be downloaded here and you are free to change or use it any application. We just request you to keep the copyright message in the files.

There is a lot of scope for improvement and added features, and we welcome any suggestions, bugs or feedback on this.

3 Comments

  1. thank you for making this available. looks like it’s almost what I need. This seems to be the only true way of knowing if your site is hacked.

    Need to add an option for monitoring directories as well, but i’ll look into that and mail you.

    • @bfauster Most likely there are too many files in a particular folder and PHP is running out of memory trying to load the list. Can you see where in the code this exception is thrown?

Leave a Reply to amit Cancel reply

Your email address will not be published.


*