File Monitoring
- Monitor Directory for Changes
inotifywait -m -r -e modify,create,delete,open ./
A recursive watch costs one inotify watch per directory, so on a large document root raise fs.inotify.max_user_watches if inotifywait reports that it ran out. The open event is very noisy on a busy web server; drop it if you only care about changes to file content.
Audit Rules Management
- Add Audit Rule
auditctl -w "$(pwd)" -p wa -k web_files
The kernel only accepts absolute watch paths without a trailing slash, so expand the current directory as above or give the full path of the web root. -p wa records writes and attribute changes, and -k tags every matching event with a key you can search for later. Rules added with auditctl are lost at reboot; put them in a file under /etc/audit/rules.d/ to make them persistent.
- Remove Specific Audit Rule
auditctl -W "$(pwd)" -k web_files
The path and key must match the rule exactly as it was added.
- Remove All Audit Rules
auditctl -D
- List Current Audit Rules
auditctl -l
Audit Logs and Decoding
- Search Audit Logs by Key
ausearch -k web_files
The key is whatever you passed to -k when adding the rule (the rule above used web_files). Add -i to have ausearch interpret numeric and hex-encoded fields, including proctitle, so you do not have to decode them by hand.
Hexadecimal Operations
- Decode Encoded Proctitle from Hex
echo "2F7573722F7362696E2F6874747064002D6B007374617274" | xxd -r -p | tr '\0' ' '
The audit subsystem hex-encodes proctitle whenever the command line contains a NUL or another non-printable byte, which is always the case for a process with more than one argument because argv entries are NUL-separated. The tr step turns those separators into spaces; this sample decodes to /usr/sbin/httpd -k start.
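The decoding above, carried one step further as an added example that is not part of the original page: a small set of shell functions that pull proctitle values out of raw audit records and decode them, whether hex-encoded or quoted. It uses only shell built-ins and printf, so it also works on a host where xxd is not installed. The sample records are constructed and abbreviated for this example, and the names hex_to_text, decode_proctitle and audit_cmdlines are this example's own.

```shell
# Added example, not from the page: decode proctitle fields from raw audit
# records. Works in POSIX sh/bash and needs no xxd.

# hex_to_text HEX: decode a hex string to text, rendering NUL bytes (the
# argv separators in proctitle) as spaces. Newline bytes are dropped by the
# command substitution, which is acceptable for command lines.
hex_to_text() {
    local hex=$1 out='' pair dec
    while [ ${#hex} -ge 2 ]; do
        pair=${hex%"${hex#??}"}   # first two characters
        hex=${hex#??}             # rest of the string
        dec=$((0x$pair))
        if [ "$dec" -eq 0 ]; then
            out="$out "
        else
            out="$out$(printf "\\$(printf '%03o' "$dec")")"
        fi
    done
    printf '%s\n' "$out"
}

# decode_proctitle VALUE: VALUE is the raw field as it appears in the record.
# The kernel quotes the value when it is a single printable argument and
# hex-encodes it otherwise (assumption for the quoted form; the hex form is
# what the page's xxd one-liner decodes).
decode_proctitle() {
    local v=$1
    case $v in
        \"*\") v=${v#\"}; printf '%s\n' "${v%\"}" ;;
        *)     hex_to_text "$v" ;;
    esac
}

# audit_cmdlines: read raw audit records on stdin (for example from
# "ausearch -k web_files --raw") and print the decoded command line of every
# PROCTITLE record, one per line. Other record types are skipped.
audit_cmdlines() {
    local line val
    while IFS= read -r line; do
        case $line in
            *'type=PROCTITLE '*'proctitle='*) ;;
            *) continue ;;
        esac
        val=${line##*proctitle=}   # text after the last "proctitle="
        val=${val%% *}             # drop anything following the value
        decode_proctitle "$val"
    done
}

# Constructed, abbreviated sample records for demonstration (not real logs).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 key="web_files"
type=PROCTITLE msg=audit(1700000000.123:456): proctitle=2F7573722F7362696E2F6874747064002D6B007374617274
type=PROCTITLE msg=audit(1700000000.456:457): proctitle="vim"'

printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_cmdlines
```

On a live host feed it with ausearch -k web_files --raw | audit_cmdlines to see which command lines touched the watched tree; ausearch -i does the same decoding for you when you are working on the host that holds the logs, and this version is for logs copied elsewhere.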
chattr Commands (File Attribute Control)
- Manage File Immutable Attribute
chattr +i filename makes a file immutable (no writes, renames, deletions or new hard links, even by root); chattr -i filename removes the attribute again. Setting or clearing it requires CAP_LINUX_IMMUTABLE, i.e. root, so it stops a compromised web-server account but not an attacker who has already escalated. Clear it before legitimate deployments or package updates need to touch the file.
- List File Attributes
lsattr filename
Custom Shell Functions (from .bash_helpers)
- Find Recently Modified Web Files
findweb ./ [days]
Example:
findweb ./ 2
- Find Recently Modified Web Files in Minutes
findwebmin ./ [minutes]
Example:
findwebmin ./ 60
- Rename Suspicious Files
rnsus [file_list.txt] (one path per line)
Example:
rnsus suspicious_files.txt
- List Suspicious Files
lssus ./
Example:
lssus ./
- Quarantine Files
quarantine [file_list.txt] (one path per line)
Example:
quarantine suspicious_files.txt
Commands for Identifying and Removing Code Injections
- Find Files Modified in a Specific Timeframe
Use find ./ -type f -mtime N for days, or -mmin N for minutes. A leading minus (-2) means less than N units ago, a leading plus means more than N, and a bare number means exactly N (ages are rounded down to whole days or minutes).
Examples:
Find files modified in the last 2 days:
find ./ -type f -mtime -2
Find files modified in the last 180 minutes:
find ./ -type f -mmin -180
Find files modified in the last hour:
find ./ -type f -mmin -60
Find files modified exactly 7 days ago:
find ./ -type f -mtime 7
An attacker can reset mtime with touch, so an old timestamp is not proof that a file is clean; compare against a known-good copy or hashes where you have them.
- Find Specific File Types Modified in the Last 2 Days
Find .php, .css and .js files modified in the last 2 days:
find ./ -type f \( -name "*.php" -o -name "*.css" -o -name "*.js" \) -mtime -2
The parentheses must be escaped (or quoted) so the shell passes them to find, and the patterns need the leading * or they only match files literally named .php.
- Search for Suspicious Patterns in Files
Use grep to search for specific patterns across files:
Example to search for eval(:
grep -r "eval(" ./
Example to search for base64_decode(:
grep -r "base64_decode(" ./
Add -l to print only the matching file names and -n for line numbers. Legitimate code uses these functions too, so treat a hit as a lead to inspect, not as proof of injection.
- Find and Quarantine All .htaccess Files
Find and move all .htaccess files to a quarantine directory:
mkdir -p ./quarantine
find ./ -path ./quarantine -prune -o -type f -name ".htaccess" -exec mv {} ./quarantine/ \;
The -prune keeps find from descending into the quarantine directory once files start landing there. Every file found has the same name, so moving them into one flat directory overwrites all but the last; rename them with their parent directory or keep the relative path if you need to restore them. Removing .htaccess files also drops any legitimate rewrite or access rules they contained, so review them before deleting.
Notes
The custom shell functions (findweb, findwebmin, rnsus, lssus, quarantine) are not standard commands: define them in your .bash_helpers file and source that file from your .bashrc so they are available in your shell sessions.
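The helper functions listed under Custom Shell Functions and the find/grep/quarantine commands from the code-injection section fit together as one file. What follows is an added example of such a .bash_helpers, written for this page rather than taken from it or from any author's dotfiles: the function names are the page's, while the web file-type list, the two grep patterns, the .sus suffix, the QUARANTINE_DIR variable and its default are assumptions made here.

```shell
# Added example, not the page's own file: a .bash_helpers implementing the
# helper names used on this page. Source it from .bashrc. POSIX sh/bash.

# _findweb_by DIR TEST VALUE: shared body for findweb/findwebmin.
# The list of web file types is an assumption; extend it for your stack.
_findweb_by() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.css' -o -name '.htaccess' \) "$2" "$3"
}

# findweb DIR [DAYS]: web files modified in the last DAYS days (default 1).
findweb() {
    _findweb_by "${1:-.}" -mtime "-${2:-1}"
}

# findwebmin DIR [MINUTES]: web files modified in the last MINUTES minutes (default 60).
findwebmin() {
    _findweb_by "${1:-.}" -mmin "-${2:-60}"
}

# lssus DIR: list files under DIR containing a suspicious pattern. The two
# patterns are the ones the page greps for; -F treats them as fixed strings
# so the "(" needs no escaping, and -l prints each matching file once.
lssus() {
    grep -rlF -e 'eval(' -e 'base64_decode(' -- "${1:-.}"
}

# rnsus FILE_LIST: rename each listed file (one path per line) by appending
# .sus and remove all permissions. Apache matches handlers against every
# extension in a name (x.php.sus still contains .php), so the chmod is what
# actually stops execution inside the document root; prefer quarantine when
# you can move the file out of the tree.
rnsus() {
    local f
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        mv -- "$f" "$f.sus" && chmod 000 "$f.sus"
    done < "$1"
}

# quarantine FILE_LIST: move each listed file into $QUARANTINE_DIR (default
# ./quarantine), preserving its relative path so files that share a basename
# (several .htaccess, for instance) do not overwrite each other and can be
# restored to the right place. Point QUARANTINE_DIR outside the document
# root so the web server cannot serve the files and lssus/findweb stop
# reporting them.
quarantine() {
    local list=$1 qdir=${QUARANTINE_DIR:-./quarantine} f
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        mkdir -p "$qdir/$(dirname -- "$f")"
        mv -- "$f" "$qdir/$f"
    done < "$list"
}
```

A typical triage pass is findwebmin ./ 60 to see what changed recently, lssus ./ > suspicious_files.txt to collect files with the known-bad strings, a manual review of that list, and then quarantine suspicious_files.txt with QUARANTINE_DIR set to a directory the web server cannot reach.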