/wp-cron.php_通过CRON / PHP快速检测被黑客入侵的文件：SuperScan

/wp-cron.php

As a Certified Ethical Hacker, I'm fully aware that prevention is the best tactic to prevent hackers but, should one break through, the sooner you know it, the quicker you can act to limit the damage.

作为一名合格的道德黑客，我深知预防是预防黑客的最佳策略，但是，一旦突破，您就越早知道，可以越快地采取行动限制损失。

A while back, I presented a script called hashscan, designed to track site changes. Executed via a daily CRON, the script reads the files for a specified directory (e.g., an account’s public_html directory on a server), generates hashes (for files with specific file extensions), and compares them with the previous scan’s hashes stored in a database. It's a great way for site owners to be alerted to files that have been added, altered or deleted by a hacker.

不久前 ，我介绍了一个名为hashscan的脚本，该脚本旨在跟踪站点更改。该脚本通过每日CRON执行，读取指定目录(例如，服务器上帐户的public_html目录)的文件，生成哈希(针对具有特定文件扩展名的文件)，并将其与数据库中存储的先前扫描的哈希进行比较。这是向站点所有者发出被黑客添加，更改或删除的文件的警报的好方法。

In this article, I'll present an updated version of the script, called SuperScan.

在本文中，我将介绍脚本的更新版本，称为SuperScan 。

SuperScan的好处 (Benefits of SuperScan)

The primary benefit is that SuperScan will report any changes to files in an account whether the file change is an addition, alteration or deletion. SuperScan was designed not to overwhelm the webmaster. It only provides a report of changes since the last scan (the default is one hour, but can be configured via CRON) and a summary report (daily by default, although, again, it can be configured via CRON).

这样做的主要好处是，SuperScan将报告帐户中文件的任何更改，无论文件更改是添加，更改还是删除。 SuperScan旨在不压倒网站管理员。它仅提供自上次扫描以来的更改报告(默认为一小时，但可通过CRON进行配置)和摘要报告(默认为每日，尽管再次可以通过CRON进行配置)。

Because the scan of a 1500 file account takes ~0.75 seconds, SuperScan can be run frequently without affecting server performance.

由于扫描1500个文件帐户大约需要0.75秒，因此SuperScan可以频繁运行而不会影响服务器性能。

To support forensic investigation, the file last modified date and time are held in the database, along with the hash value of the most recent scan (and prior scan for altered files).

为了支持法医调查，文件的上次修改日期和时间以及最近一次扫描(以及对变更后文件的先前扫描)的哈希值都保存在数据库中。

The scanner file need not be changed, as all variables are set within a required configure script. It's in the configure script where you can select specific (or ALL) file extensions to be scanned or, if ALL, the file extensions to omit. Additionally, you may specify directories which the scanner will not scan.

不需要更改扫描程序文件，因为所有变量都在必需的配置脚本中设置。在配置脚本中，您可以在其中选择要扫描的特定(或所有)文件扩展名，或者如果要删除则选择要删除的文件扩展名。此外，您可以指定扫描仪不会扫描的目录。

While the SuperScan files can be tested within a webspace, I recommend that it be moved outside the webspace for production use via CRON to protect against casual hackers.

虽然可以在Web空间内测试SuperScan文件，但我建议将其移出Web空间以通过CRON进行生产，以防止偶然的黑客入侵。

Finally, a curious additional benefit is that changes in (extensionless) error_log files are captured and can direct the webmaster’s attention to coding problems that have slipped through the testing procedures.

最后，一个令人惊讶的额外好处是，可以捕获(无扩展名)error_log文件中的更改，这些更改可以使网站管理员将注意力转移到已通过测试程序的编码问题上。

超级扫描逻辑 (SuperScan Logic)

The logic flow of SuperScan is:

SuperScan的逻辑流程是：

Read the baseline information about the files in the database阅读有关数据库中文件的基准信息
Scan the system’s files and compute their hashes扫描系统文件并计算其哈希
Compare the baseline files against the current files to determine the changed files to generate:

将基准文件与当前文件进行比较，以确定要生成的更改文件：
- A list of added files已添加文件列表
- A list of altered files and更改文件列表和
- A list of deleted files删除文件列表
Handle each of the changed files lists (update the database)处理每个更改的文件列表(更新数据库)
Prepare and send a report (if required).准备并发送报告(如果需要)。

数据库，变量和工作数组 (Database, Variables and the Working Arrays)

Rather than bore you with the details here, I've inserted comments in all the scripts.

我没有在这里给您带来细节，而是在所有脚本中插入了注释。

Thus, in short, there are three database tables:

因此，简而言之，存在三个数据库表：

baseline: this contains the $file_path, the file’s hash and the file last modified date and time. I also added the account so multiple accounts could use a single database)

基线：包含$file_path ，文件的哈希值和文件上次修改的日期和时间。我还添加了该帐户，以便多个帐户可以使用一个数据库)
history: this records every detected change—or lack thereof—in each scan.

历史记录 ：这将记录每次扫描中检测到的每个更改(或缺少更改)。
scanned: this records scan summary date and time, as well as the number of changes and associated account.

已扫描 ：此记录扫描摘要日期和时间，以及更改的数量和关联的帐户。

Warning #1: I can’t stress enough that the $testing variable set by configure.php will trigger an immense amount of output, so it must only be used for testing and never during a CRON job!

警告＃1 ：我不太强调由configure.php设置的$testing变量将触发大量输出，因此它只能用于测试， 绝不能在CRON作业期间使用！

Warning #2: Because the path/to/file is used as a key, it must be unique. That means that multiple accounts can never scan the same files.

警告＃2 ：由于path / to / file用作键，因此它必须是唯一的。这意味着多个帐户永远无法扫描相同的文件。

Warning #3: In addition, Windows servers will use backslashes, which are immediately changed to slashes, because they cause characters to go missing in the database. Also, use of an apostrophe in a file name will cause problems with database queries.

警告＃3 ：此外，Windows服务器将使用反斜杠，因为它们会导致数据库中的字符丢失，所以反斜杠会立即更改为斜杠。同样，在文件名中使用撇号将导致数据库查询出现问题。

The working arrays are designed to make use of PHP’s functions, which access the key ($file_path; this is also the file structure iterator, so never alter $iter‐>key()).

工作数组旨在利用PHP的函数来访问密钥( $file_path ；这也是文件结构迭代器，因此请不要更改$iter‐>key() )。

$baseline is read before starting the scan, $current is the result of the scan, and the $added, $altered and $deleted arrays accumulate the changes from the $baseline and are used to update the $baseline for the next scan.

$baseline是在开始扫描之前读取的， $current是扫描的结果，并且$added ， $altered和$deleted数组会累积$baseline的更改，并用于为下一次扫描更新$baseline 。

档案 (Files)

The superscan.zip file contains 7 files:

superscan.zip文件包含7个文件：

CreateTables.sql, which can be used to setup your tables

CreateTables.sql ，可用于设置表
ReadMe.txt, which provides an overview of the SuperScan script

ReadMe.txt ，它提供了SuperScan脚本的概述
scanner.php, the scanning script that requires configure.php and scandb.php (which connects to your MySQL server and returns the $scandb handle)

scanner.php ，扫描脚本，需要configure.php和scandb.php (连接到你MySQL服务器，并返回$scandb手柄)
reporter.php, which will provide a summary of recent scans via CRON

reporter.php ，它将通过CRON提供最近扫描的摘要
CRON.txt, which provides sample CRON instructions for both scanner.php and reporter.php

CRON.txt ，它提供了两个样品CRON指令scanner.php和reporter.php

清理 (Cleanup)

The $report is created as the file changes are detected, and is stored and emailed if not a “negative report.” The summary report is used for the “warm, fuzzy feeling” when you’re not receiving change reports.

$report是在检测到文件更改时创建的，如果不是“负面报告”，则会存储并通过电子邮件发送。当您没有收到变更报告时，摘要报告用于“温暖，模糊的感觉”。

During the cleanup, history and scanned tables have records older than 30 days are auto‐purged to prevent unlimited growth of the database, the large arrays are destroyed (reset to empty) and the database is closed.

在清理期间，历史记录和扫描表中的记录超过30天会被自动清除，以防止数据库无限增长，大型阵列被销毁(重置为空)，并且数据库已关闭。

摘要 (Summary)

I believe that SuperScan is a massive improvement over my prior effort, and is a worthy upgrade. It provides frequent notice of changed files, while “negative reports” won't overwhelm the webmaster with unnecessary “Unchanged” notices.

我相信SuperScan是我之前所做的巨大改进，并且是值得升级的。它提供了频繁的文件更改通知，而“负面报告”不会因不必要的“未更改”通知而使网站管理员不知所措。

Download the SuperScan code from GitHub

从GitHub下载SuperScan代码

致谢 (Acknowledgement)

SuperScan was suggested by Han Wechgelaer (NL), who emailed the suggestion that my earlier hashscan script be extended to capture a history of the changes to an account’s files, as well as making more frequent assessments and adding a daily summary.

超级扫描是由Han Wechgelaer(NL)提出的，他通过电子邮件发送了建议，即扩展我以前的hashscan脚本以捕获帐户文件更改的历史记录，并进行更频繁的评估并添加每日摘要。

Han was kind enough to provide a copy of his start on this project and, between us, this evolved into SuperScan. Without Han’s gentle prodding and assistance, SuperScan would never have gotten off the ground and would certainly not be the exceptional tool it is today.

Han很友善地提供了该项目的开始副本，在我们之间，这演变成SuperScan。 没有Han的轻柔的推动和协助，SuperScan永远不会起步，并且肯定不会成为当今的出色工具。

I'd love to know how you find this script, or if you have any questions about it or feedback.

我很想知道您如何找到此脚本，或者是否对它有任何疑问或反馈。

翻译自: https://www.sitepoint.com/quickly-detect-hacked-files-via-cronphp-superscan/

/wp-cron.php