Spot Hackers

Find the most common way of hacking and be notified by email/pager around the clock. Most hackers use /tmp to hack linux servers by writing some file in /tmp directory and call it remotely to play around in your server. If you are offering shared-hosting or web hosting services on your server, then you are making this much easier for hackers to find access to your /tmp directory. There are many ways of closing or limiting their access to this directory such as running PHP with suEXEC Support. I assume you already know all of those and you have a very secure /tmp directory. However, often hackers find newer ways of accessing this directory. Therefore, it is necessary to check this directory often to make sure nothing is going on without you knowing it. Following script was written to check /tmp directory or any other directory and notify the admin if any un-authorized file exists. To keep this example simple, we are looking into each file and look for different keywords such as "perl". Keep in mind that this script can only detect files with source, not executables. This is still very useful as most hackers use wget method to write something into this directory. You could setup a cron-job to run this every few minutes and have it email you as soon as it finds something. Script will also create a log file of what it finds.