md5 monitoring

#!/usr/bin/perl
use strict;
use warnings;
#use Term::ANSIColor;
use Digest::MD5;
use Net::SMTP;
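#----------------------------------------------------
# Configuration.
#
# Threat-model note: this is a host-based integrity check. The checksum
# table and this script live on the same host as the files they watch, so
# whoever can tamper with a monitored file as root can also rewrite summ.db;
# keep the table (ideally the script too) on read-only or externally
# verified storage, otherwise a "OK" report proves little. MD5 is
# collision-broken; it still catches casual modification, but a stronger
# digest (Digest::SHA, sha256) is preferable the next time the table is
# regenerated, since the table format fixes the algorithm.
my $db_file='/etc/scripts/md5/summ.db'; # checksum table: "md5|absolute path|label" per line, '#' starts a comment
my $clamscan='/usr/bin/clamscan'; # path to clamscan
my $clamscan_check=1; # run clamscan on every file whose checksum does not match
my $smtp_host='my-smtp-host1'; # SMTP host for alert
my $send_alert=1; # 1 - e-mail the report, 0 - print it to STDOUT (./md5.pl -v)
my $alert_mail='toalert@domains.org'; # alerts recipient email
my $alert_from='md@domains.org'; # alerts sender email
#----------------------------------------------------

# "-v" forces console output instead of e-mail.
$send_alert = 0 if @ARGV && $ARGV[0] eq '-v';

# Read the checksum table. Three-arg open with an explicit check: the old
# two-arg form let a path such as ">foo" or "cmd|" act as a mode or pipe,
# and "open ... || die" never died because || bound to the file name.
open(my $db_fh, '<', $db_file) or die "Can't open $db_file: $!";
my @db = <$db_fh>;
close $db_fh;

# In e-mail mode the report is collected in memory. The previous version
# unlinked and re-created the fixed path /tmp/mdfive.tmp on every run: a
# predictable name in a world-writable directory is a symlink/race target
# when the script runs as root (root-written data landed wherever the link
# pointed, and the mailed report could be replaced between write and read).
my $report = '';
if ($send_alert == 1) {
    open(STDOUT, '>', \$report) or die "Can't capture report in memory: $!";
}

# Variables the formats below refer to. A format only sees lexicals that are
# in scope where it is declared, so they live at file scope, not in the loop.
my ($md5, $file, $cur_md5, $status, $infected);

# '@' fields print without consuming the variable. The original '^' fields
# were destructive: once the CLAMSCAN block had consumed $file, the table
# row for that same file printed an empty path.
format CLAMSCAN=
ClamAV scan: @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$file
Result: @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$infected
.
format STDOUT_TOP=
==================================================================================
Original MD5 | Current MD5 | Status
==================================================================================
.
format STDOUT=
@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$file
@||||||||||||||||||||||||||||||| | @||||||||||||||||||||||||||||||| |@||||||||||||
$md5,$cur_md5,$status
----------------------------------------------------------------------------------
.

DB_LINE: foreach my $db_item (@db) {
    chomp $db_item;
    next DB_LINE if $db_item =~ /^\s*(?:#|$)/;   # comments and blank lines

    # Table line: "<md5>|<path>|<free-form label>"; the label is not used.
    # Surrounding whitespace is tolerated and the stored digest is compared
    # case-insensitively (hex digests are).
    my ($want, $path) = (split /\|/, $db_item)[0, 1];
    for ($want, $path) {
        $_ = '' unless defined $_;
        s/^\s+//;
        s/\s+$//;
    }
    next DB_LINE if $path eq '';
    $md5  = lc $want;
    $file = $path;

    if (open(my $fh, '<', $file)) {
        binmode($fh);
        $cur_md5 = Digest::MD5->new->addfile($fh)->hexdigest;
        close $fh;
        $status = ($cur_md5 eq $md5) ? 'OK' : '* MODIFED *';
    }
    else {
        # A vanished or unreadable monitored file is itself worth an alert.
        # The old code died here, which aborted the run with no e-mail at all.
        warn "Can't open $file: $!\n";
        $cur_md5 = '-';
        $status  = '* MISSING *';
    }

    if ($status ne 'OK' && $clamscan_check == 1) {
        $infected = scan_with_clamav($file);
        # Emit the CLAMSCAN picture through STDOUT by switching its format
        # name. The old code did select(CLAMSCAN)/write(CLAMSCAN) on a
        # filehandle that was never opened, so the scan result never
        # reached the report.
        $~ = 'CLAMSCAN';
        write;
        $~ = 'STDOUT';
    }
    write;   # one table row per monitored file
}

if ($send_alert == 1) {
    close STDOUT;
    # Mail only when something needs attention (mismatch or missing file).
    alert_send($report) if $report =~ /MODIFED|MISSING/;
}

# Run clamscan on one file and classify the result.
# Returns 'clean' when clamscan reports zero infected files, 'INFECT' when
# it reports any, and 'scan failed' when clamscan could not be run or its
# summary line was not found (the old code left the result undefined).
# The command is executed without a shell (list-form pipe open), so a path
# from summ.db containing spaces, quotes or ';' can neither break the
# command nor inject another one; the old backtick call interpolated the
# path into a shell string. Paths are expected to be absolute, so none
# starts with '-'. clamscan's stderr is not captured here; it goes to the
# script's own STDERR.
sub scan_with_clamav {
    my ($path) = @_;
    my @cmd = ($clamscan, '-i', '--heuristic-scan-precedence=yes', '--stdout', $path);
    my $out = '';
    if (open(my $scan, '-|', @cmd)) {
        local $/;                # slurp the whole scan output
        $out = <$scan>;
        $out = '' unless defined $out;
        close $scan;             # non-zero exit is normal for an infected file; the summary line decides
    }
    else {
        warn "Can't run $clamscan: $!\n";
    }
    return 'scan failed' unless $out =~ /Infected files: (\d+)/;
    return $1 == 0 ? 'clean' : 'INFECT';
}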
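# Send the report by e-mail.
# $message is the complete report text produced by the formats above; the
# SMTP host and addresses come from the configuration at the top of the
# file. Dies when the SMTP host cannot be reached or rejects the envelope
# or the message (the old code called methods on an undef object when the
# connection failed, dying with an unhelpful "Can't call method" error, and
# ignored every server reply). Returns the result of the SMTP QUIT.
# Caveat: this is plain, unauthenticated SMTP (no SSL/STARTTLS, no AUTH),
# so $smtp_host must be an internal relay that trusts this sender address.
sub alert_send {
    my ($message) = @_;
    my $smtp = Net::SMTP->new($smtp_host, Timeout => 60)
        or die "Can't connect to SMTP host $smtp_host: $@";
    $smtp->mail($alert_from) or die 'SMTP MAIL rejected: ' . $smtp->message;
    $smtp->to($alert_mail)   or die 'SMTP RCPT rejected: ' . $smtp->message;
    $smtp->data()            or die 'SMTP DATA rejected: ' . $smtp->message;
    # Explicit From: header; the old message had only the envelope sender,
    # leaving the relay to invent one.
    $smtp->datasend("From: $alert_from\n");
    $smtp->datasend("To: $alert_mail\n");
    $smtp->datasend("Subject: MD5 checksum is modifed\n");
    $smtp->datasend("\n");
    $smtp->datasend($message . "\n");   # datasend dot-stuffs lines that start with '.'
    $smtp->dataend() or die 'SMTP message rejected: ' . $smtp->message;
    return $smtp->quit;
}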