There is a file that keeps getting infected with this code. I can't figure out why. So I want to log who uploads or changes the file. Is there a way to log who uploads or changes a specific file?
PS: There is no FTP login. We only use SSH and Plesk.
Yes, there is. The audit subsystem has some pretty neat accounting features.
Running the following command will audit changes to the file:
auditctl -w /my/specificly/modified/file.txt -p w -k "suspect file change"
This will set up a watch on this file; whenever it is modified by a write, the change will be logged, and logged quite extensively.
You can check the logs by doing:
ausearch -i -k "suspect file change"
This will return output such as:
type=PATH msg=audit(05/08/2012 17:32:32.353:13118) : item=1 name=/tmp/test.txt inode=5767528 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0
type=PATH msg=audit(05/08/2012 17:32:32.353:13118) : item=0 name=/tmp/ inode=5767169 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(05/08/2012 17:32:32.353:13118) : cwd=/home/matthew/Testbed/C/fanotify
type=SYSCALL msg=audit(05/08/2012 17:32:32.353:13118) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0xb540c0 a2=0x0 a3=0x7fff50cfba20 items=2 ppid=13699 pid=2773 auid=matthew uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=rm exe=/usr/bin/rm subj=staff_u:sysadm_r:sysadm_t:s0 key=some file
If you want something stronger, you can go for something that, say, watches for any deletions by a user not normally inclined to do that. For performance, the more specific the rule the better.
auditctl -a exit,always -F arch=b64 -S unlink -S rmdir -F auid=78 -F dir=/var/www/vhost
The -F defines the filters and the -S defines the syscalls; the more filters, the less intensive it is on the kernel to track it. So in this case I filter on the user (apache), the vhosts directory and arch. Arch becomes important: b64 being 64-bit, b32 for 32-bit.
You can set these up long-term by putting the rules in /etc/audit.rules.
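The raw ausearch output above answers the original question only after you correlate the PATH, CWD and SYSCALL records that share one audit serial number. The following parser is an added example, not part of the answer or of the audit package: it groups interpreted (`ausearch -i`) records by serial, then reports for a given path who touched it (the login user from auid, the effective uid, the program, the syscall and the rule key). The sample output is constructed for this example from the record shown above plus one made-up write to a vhost file by a web-server process; the paths, uids and inode numbers in that second event are assumptions, not captured data.

```python
import re
from collections import defaultdict

# Constructed sample of `ausearch -i` output. The first event is the one shown
# in the answer above; the second is a made-up write to a vhost file by a
# hypothetical php-fpm worker (all values assumed, not captured from a system).
SAMPLE_AUSEARCH_OUTPUT = """\
type=PATH msg=audit(05/08/2012 17:32:32.353:13118) : item=1 name=/tmp/test.txt inode=5767528 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0
type=PATH msg=audit(05/08/2012 17:32:32.353:13118) : item=0 name=/tmp/ inode=5767169 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(05/08/2012 17:32:32.353:13118) : cwd=/home/matthew/Testbed/C/fanotify
type=SYSCALL msg=audit(05/08/2012 17:32:32.353:13118) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0xb540c0 a2=0x0 a3=0x7fff50cfba20 items=2 ppid=13699 pid=2773 auid=matthew uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=rm exe=/usr/bin/rm subj=staff_u:sysadm_r:sysadm_t:s0 key=some file
----
type=PATH msg=audit(05/08/2012 18:01:07.104:13200) : item=0 name=/var/www/vhost/site/index.php inode=1234567 dev=fd:00 mode=file,644 ouid=webuser ogid=webuser rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
type=CWD msg=audit(05/08/2012 18:01:07.104:13200) : cwd=/var/www/vhost/site
type=SYSCALL msg=audit(05/08/2012 18:01:07.104:13200) : arch=x86_64 syscall=open success=yes exit=7 a0=0x1a2b3c a1=0x241 a2=0x1b6 a3=0x0 items=1 ppid=1000 pid=2048 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=suspect file change
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>) : <k=v fields...>
# The serial number is what ties the PATH/CWD/SYSCALL records of one event together.
MSG_RE = re.compile(r"^type=(\w+) msg=audit\((.+):(\d+)\) : (.*)$")


def parse_fields(body):
    """Turn 'k=v k=v ...' into a dict.

    A token without '=' is treated as a continuation of the previous value,
    which is how a rule key containing spaces (key=some file) survives.
    """
    fields = {}
    last = None
    for tok in body.split(" "):
        if "=" in tok:
            last, value = tok.split("=", 1)
            fields[last] = value
        elif last is not None:
            fields[last] += " " + tok
    return fields


def parse_events(text):
    """Group interpreted audit records by serial; returns events in serial order."""
    events = defaultdict(lambda: {"serial": None, "time": None, "paths": [],
                                  "cwd": None, "syscall": {}})
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # skips the '----' event separators and anything unrecognised
        rtype, ts, serial, body = m.groups()
        ev = events[serial]
        ev["serial"], ev["time"] = int(serial), ts
        fields = parse_fields(body)
        if rtype == "PATH":
            ev["paths"].append(fields.get("name"))
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "SYSCALL":
            ev["syscall"] = fields
    return [events[k] for k in sorted(events, key=int)]


def summarize(ev):
    """Reduce one event to the fields that answer 'who changed this file?'."""
    sc = ev["syscall"]
    return {
        "time": ev["time"],
        "who": sc.get("auid"),      # login uid: survives su/sudo, so it names the SSH user
        "as": sc.get("uid"),        # account the process was running as at the time
        "via": sc.get("exe"),
        "comm": sc.get("comm"),
        "syscall": sc.get("syscall"),
        "success": sc.get("success") == "yes",
        "files": [p for p in ev["paths"] if p and not p.endswith("/")],
        "cwd": ev["cwd"],
        "key": sc.get("key"),
    }


def who_touched(text, path):
    """Summaries of every event in `text` whose PATH records include `path`."""
    return [summarize(ev) for ev in parse_events(text) if path in ev["paths"]]


if __name__ == "__main__":
    # On a real host you would feed in: ausearch -i -k "suspect file change"
    for hit in who_touched(SAMPLE_AUSEARCH_OUTPUT, "/var/www/vhost/site/index.php"):
        print(hit)
```

Two details matter when reading the result: `auid` is the audit login uid and stays fixed across `su`/`sudo`, so it identifies the SSH account even when `uid` says root; an `auid=unset` with `uid=apache` points at a daemon-driven change (a web upload or a script) rather than an interactive login, which is the distinction the original question is really asking about.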