One of the things that we do daily on the websites that we fully manage is check which files were changed in the past 48 hours. Doing this helps us catch files that were maliciously modified. It also helps us check whether the client’s employees have uploaded files that they shouldn’t have uploaded, or have uploaded files to the wrong folder.
So, how do we do that?
There are several ways to do that, but we prefer to do this through root shell access. So, we SSH to the server, and then we run the following command:
find /home/user/public_html -path '/home/user/public_html/cache/*' -prune -o -mtime -2 -ls > changed.txt
The above command writes the list of files under /home/user/public_html that were modified within the past 48 hours to the changed.txt file (it excludes files under the cache folder). Note that changed.txt is created in the directory the command is run from, so run it from a directory outside the web root to keep the list from being served by the website. Once we run the above command, we then check each and every created and modified file. For example, if we see that a PHP file was created or modified, we check that PHP file immediately: PHP files should never be modified, and they should only be created when a new extension is installed. Other than that, any modification/creation of a PHP file is most likely malicious.
If we see that a new image file was created, we check if it was created under the right directory (we ensure that images are evenly distributed under the images folder).
How to exclude certain file types from being included in the list of changed files?
Many Joomla website owners don’t care about the organization of the image files the way we do, so they might not be interested in knowing which image files were changed. In that case, they can run the following command to generate a list of changed files that excludes image/PDF files:
find /home/user/public_html -path '/home/user/public_html/cache/*' -prune -o -mtime -2 -ls | grep -vE '\.(jpg|png|gif|pdf)$' > changed.txt
The above command generates a list of all the files created/changed within the past 48 hours, with the exception of image files and PDF files.
But, what if you want to get a list of changed files that were modified in the past week?
Some Joomla administrators run weekly checks on their Joomla websites (they don’t have time to run daily checks), so they might want to go with 7 days instead of 48 hours. In that case, all they need to do is change -mtime -2 in the above command to -mtime -7.
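The checks described above can be wrapped in a small script. This is an added example, not code from the original post: the function names and the list of PHP-like extensions are assumptions. It filters on the file name with find itself rather than grep, and it can compare ctime as well as mtime, because a file's mtime can be reset by whatever writes the file while its ctime cannot be set that way.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# changed_files ROOT DAYS [mtime|ctime] [extra find tests...]
# Prints regular files under ROOT whose timestamp is newer than DAYS days,
# skipping everything under ROOT/cache.
changed_files() {
    root=${1%/}; days=$2; field=${3:-mtime}
    shift 2; [ "$#" -gt 0 ] && shift
    case $field in
        mtime|ctime) ;;
        *) echo "time field must be mtime or ctime" >&2; return 2 ;;
    esac
    find "$root" -path "$root/cache" -prune -o \
        -type f "-$field" "-$days" "$@" -print
}

# PHP-like files only: per the post, any hit outside an extension install
# should be reviewed immediately. The extension list is an assumption.
changed_php() {
    changed_files "$1" "$2" "${3:-mtime}" \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \)
}

# Everything except images and PDFs. The test is on the file name's extension,
# so a directory named "pdf" or a file named "xjpg.php" is not filtered out.
changed_non_media() {
    changed_files "$1" "$2" "${3:-mtime}" \
        ! \( -iname '*.jpg' -o -iname '*.png' -o -iname '*.gif' -o -iname '*.pdf' \)
}

# Usage: sh changed.sh /home/user/public_html 2
if [ "$#" -ge 2 ]; then
    echo "== PHP files with recent mtime =="
    changed_php "$1" "$2" mtime
    echo "== PHP files with recent ctime (catches reset mtimes) =="
    changed_php "$1" "$2" ctime
    echo "== Other non-media files with recent mtime =="
    changed_non_media "$1" "$2" mtime
fi
```

Legitimate permission or ownership changes also update ctime, so expect the ctime list to be the noisier of the two.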
The above is one of the many checks we run daily on the Joomla websites that we fully manage. If you want us to fully manage your website, please contact us. Our fees are affordable, our work is professional, and we will proactively ensure that your website is clean!