@anvanvan
Forked from renekreijveld/jnewfiles
Last active October 20, 2018 19:41
Bash script to detect suspicious new and changed files last 3 hours. Skips cache directories.
#!/bin/bash
# newfiles
# Detects new and changed php and html files last xxx minutes
# (C) 2014 Rene Kreijveld, enail [at] renekreijveld [dot] nl
# Update 31-12-2013: only send email when changes are found
# Update 04-02-2014: check for new files last three hours
# Update 05-05-2014: check for new html files also
# Update 07-05-2014: filter out ju_chached and DirectAdmin stats folders in html files
# Update 04-06-2014: added DURATION, SUBJECT_PREFIX, SCRIPT_FULLNAME and SENDNOTFOUND variables.
# added option to send email if nothing found
# All these improvements by Christophe Avonture
# Update 08-09-2016: Add more file types and delete not relevant filters
# Save this file as /usr/local/sbin/newfiles
# Modify the EMAIL variable to reflect your email address.
# Modify the HOMEDIR and TMPDIR variables to your needs.
#
# Then add to your local cron to run every 3 hours:
# 5 0,3,6,9,12,15,18,21 * * * /usr/local/sbin/newfiles
# Setup variables
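SERVER="$(hostname)"
EMAIL="you@yourmail.com"
TMPDIR=/tmp
# Use unpredictable file names: fixed names in a world-writable directory
# can be pre-created or symlinked by other local users
EMAILMSG="$(mktemp "$TMPDIR/new_changed.XXXXXX")" || exit 1
CHANGES="$(mktemp "$TMPDIR/new_changes.XXXXXX")" || exit 1
# Remove the temporary files however the script exits
trap 'rm -f "$EMAILMSG" "$CHANGES"' EXIT
HOMEDIR=/home
# 180 minutes -> find any files that have been changed during the last 3 hours
DURATION=180
# Extra subject prefix for the email message
SUBJECT_PREFIX="File monitoring agent - server $SERVER - $(date) "
# Retrieve the name of this script
SCRIPT_FULLNAME="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/$(basename "${BASH_SOURCE[0]}")"
# Send email if no new files were found? Enter value "yes" or "no"
SENDNOTFOUND=no
# Find mail client
if [ -s /bin/mail ]; then
    MAIL=/bin/mail
elif [ -s /usr/bin/mail ]; then
    MAIL=/usr/bin/mail
else
    echo "No mail client found in /bin/mail or /usr/bin/mail" >&2
    exit 1
fi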
# Find all .php files changed in the last $DURATION minutes (no cache filter is applied to .php files)
find "$HOMEDIR" -type f -mmin "-$DURATION" -iname "*.php" -exec ls -l {} \; > "$CHANGES"
# Find all .html files changed in the last $DURATION minutes, skip paths containing "cache"
find "$HOMEDIR" -type f -mmin "-$DURATION" -iname "*.html" -exec ls -l {} \; | grep -v cache >> "$CHANGES"
# Find all .css files changed in the last $DURATION minutes, skip paths containing "cache"
find "$HOMEDIR" -type f -mmin "-$DURATION" -iname "*.css" -exec ls -l {} \; | grep -v cache >> "$CHANGES"
# Find all .js files changed in the last $DURATION minutes, skip paths containing "cache"
find "$HOMEDIR" -type f -mmin "-$DURATION" -iname "*.js" -exec ls -l {} \; | grep -v cache >> "$CHANGES"
# Find all .sh files changed in the last $DURATION minutes
find "$HOMEDIR" -type f -mmin "-$DURATION" -iname "*.sh" -exec ls -l {} \; >> "$CHANGES"
# Find all .php files changed in the last $DURATION minutes in the temp directory
find "$TMPDIR" -type f -mmin "-$DURATION" -iname "*.php" -exec ls -l {} \; >> "$CHANGES"
# Only if changes are found, send email
if [ -s "$CHANGES" ]; then
    echo "$SUBJECT_PREFIX" > "$EMAILMSG"
    echo "New and changed files in the last $DURATION minutes on server $SERVER" >> "$EMAILMSG"
    echo "================================================================================" >> "$EMAILMSG"
    cat "$CHANGES" >> "$EMAILMSG"
    "$MAIL" -s "New/changed files on $SERVER" "$EMAIL" < "$EMAILMSG"
else
    # Use the portable "=" string comparison and quote the variable
    if [ "$SENDNOTFOUND" = "yes" ]; then
        echo "$SUBJECT_PREFIX" > "$EMAILMSG"
        echo "No changes found during the last $DURATION minutes" >> "$EMAILMSG"
        echo "List generated by $SCRIPT_FULLNAME" >> "$EMAILMSG"
        cat "$EMAILMSG"
        "$MAIL" -s "$SUBJECT_PREFIX - No changes found" "$EMAIL" < "$EMAILMSG"
    fi
fi
# Cleanup temporary files
rm -f "$EMAILMSG" "$CHANGES"
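
The script above selects files by modification time (`-mmin`) only, and the owner of a file can set its mtime to any value. The following is an added example, not part of the original gist: a single `find` pass that also checks the inode change time (`-cmin`), which the kernel updates whenever content or metadata changes. The names `scan_changed` and `build_sample` are hypothetical, the sample tree is constructed, and pruning every directory whose name contains "cache" is an assumption that is stricter than the script's `grep -v cache`.

```shell
#!/bin/sh
# Added example (not from the original gist).
# scan_changed DIR MINUTES
# Lists web and script files whose mtime OR ctime falls within the last
# MINUTES minutes, skipping directories whose name contains "cache".
# Relies on -mmin/-cmin, which GNU and BSD find provide.
scan_changed() {
    dir=$1
    minutes=$2
    find "$dir" \
        -type d -iname '*cache*' -prune -o \
        -type f \
        \( -mmin "-$minutes" -o -cmin "-$minutes" \) \
        \( -iname '*.php' -o -iname '*.html' -o -iname '*.css' \
           -o -iname '*.js' -o -iname '*.sh' \) \
        -print
}

# build_sample: creates a small constructed directory tree for the demo
# and prints its root path.
build_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site/cache" "$root/site/images"
    echo '<?php // constructed sample ?>' > "$root/site/index.php"
    echo '<?php // constructed sample ?>' > "$root/site/images/old.php"
    # Backdate the mtime; the ctime still records when this happened
    touch -t 201401010000 "$root/site/images/old.php"
    echo 'constructed sample' > "$root/site/cache/page.html"
    echo 'constructed sample' > "$root/site/notes.txt"
    printf '%s\n' "$root"
}

sample=$(build_sample)
echo "mtime only (what -mmin alone reports):"
find "$sample" -type f -mmin -180 -iname '*.php'
echo "mtime or ctime, cache directories pruned:"
scan_changed "$sample" 180
rm -rf "$sample"
```

The first listing omits `images/old.php` because its mtime was backdated; the second includes it because its ctime is recent.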