Toni Defender

File Monitoring
Monitor Directory for Changes
inotifywait -m -r -e modify,create,delete,open /home/logiceverything/example/
Audit Rules Management
Add Audit Rule
auditctl -w /var/www/html -p wa -k web_files

Remove Specific Audit Rule
auditctl -W /var/www/html -k web_files

Remove All Audit Rules
auditctl -D

List Current Audit Rules
auditctl -l

Audit Logs and Decoding
Search Audit Logs by Key
ausearch -k passwd_changes
Hexadecimal Operations
Decode Encoded Proctitle from Hex
echo "2F7573722F7362696E2F6874747064002D6B007374617274" | xxd -r -p
chattr Commands (File Attribute Control)
Manage File Immutable Attribute
chattr +i filename to make a file immutable; chattr -i filename to remove the immutable attribute.

List File Attributes
lsattr

Custom Shell Functions (from .bash_helpers)
Find Recently Modified Web Files
findweb /home/logiceverything/example/ [days]
Example:
findweb /home/logiceverything/example/ 2

Find Recently Modified Web Files in Minutes
findwebmin /home/logiceverything/example/ [minutes]
Example:
findwebmin /home/logiceverything/example/ 60

Rename Suspicious Files
rnsus [file_list.txt]
Example:
rnsus suspicious_files.txt

List Suspicious Files
lssus /home/logiceverything/example/
Example:
lssus /home/logiceverything/example/

Quarantine Files
quarantine [file_list.txt]
Example:
quarantine suspicious_files.txt

Commands for Identifying and Removing Code Injections
Find Files Modified in a Specific Timeframe
Use find /home/logiceverything/example/ -type f -mtime [days] for days, or -mmin [minutes] for minutes.
Examples:
Find files modified in the last 2 days:
find /home/logiceverything/example/ -type f -mtime -2
Find files modified in the last 180 minutes:
find /home/logiceverything/example/ -type f -mmin -180
Find files modified in the last hour:
find /home/logiceverything/example/ -type f -mmin -60
Find files modified exactly 7 days ago:
find /home/logiceverything/example/ -type f -mtime 7

Find Specific File Types Modified in the Last 2 Days
Find .php, .css, and .js files modified in the last 2 days:
find /home/logiceverything/example/ -type f ( -name ".php" -o -name ".css" -o -name "*.js" ) -mtime -2

Search for Suspicious Patterns in Files
Use grep to search for specific patterns across files:
Example to search for eval(:
grep -r "eval(" /home/logiceverything/example/
Example to search for base64_decode(:
grep -r "base64_decode(" /home/logiceverything/example/

Find and Quarantine All .htaccess Files
Find and move all .htaccess files to a quarantine directory:
find /home/logiceverything/example/ -type f -name ".htaccess" -exec mv {} /home/logiceverything/example/quarantine/ \;

Notes
The custom shell functions (findweb, findwebmin, rnsus, lssus, quarantine) should be defined in your .bash_helpers file and sourced in your .bashrc to be available in your shell sessions.