Execute a script once a file is uploaded to a directory

Hello guys,

I would like to execute the below script once a file is uploaded to directory:

#!/bin/sh
  
log=/var/log/apache2/access.log
words=/root/Scripts/Misc/blockScanners/forbiddenWords.txt
banned=/root/Scripts/Misc/blockScanners/ips.log
adminemail="MYEMAIL"

tail -F "$log" |\
        grep --line-buffered -Ff "$words" |\
        while read -r ip junk; do
        #while read -r ip; do
                grep -qxF "$ip" "$banned" || (
                iptables -A INPUT -s "$ip" -j DROP
                # printf handles the newline; an unquoted \n in echo prints a literal "n"
                printf '%s\nBanned IP %s on: %s %s\n' "$(pwd)" "$ip" "$(date)" "$log" | mail -s "New banned IP: $(date)" "$adminemail"
                echo "$ip" >> "$banned"
                )
        done

# Send report with access by Response Codes
# (not reached while the tail -F loop above is still running)
RESPONSE=$( cat "$log" | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn )
echo Responses Codes "$RESPONSE" on: `date` | mail -s "Responses Codes: `date`" "$adminemail"

Thanks in advance

Have you considered inotifywait(1), provided by the inotify-tools package on some distributions? This can run your script whenever a file appears in specified directories, e.g.:

inotifywait -m /your/upload/file/path -e create -e moved_to |
    while read -r dir action file
    do
        # run your script passing the directory, filename and action
        # (quoted, so names with spaces or glob characters stay one argument)
        /usr/local/bin/yourscript "$dir" "$file" "$action"
    done

Thanks for the reply and sorry for the delay.

I did a simple script to monitor after installing inotify-tools, and placed it in cron:

@reboot /root/shellDetector/shellDetect.sh

With grep:

ps -eaf | grep shellDetect.sh | grep -v grep

The script is not running on boot

#!/bin/sh
inotifywait -m /home/uvid/www/Uploads -e create -e moved_to |
    while read -r dir action file; do
        echo "The file '$file' appeared in directory '$dir' via '$action'"
        # do something with the file
    done

Did cron log the script's start? Add some logging to your script, so you know that it started, and why and when it exited, either to syslog, or an individual log file.

Well I added this to the cron, rebooted then the cron log is created but empty:

@reboot /root/shellDetector/shellDetect.sh >> /root/shellDetector/error.log

Add logging to your script!

Anything in the system logs, along this line?

Apr  2 14:17:02 UsersPC19 CRON[10758]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)

Possibly an error message? What user is this run under?

Well I checked the syslog, there is a red line on that specific script:

Apr  2 16:36:09 SERVER CRON[1151]: (root) CMD (/root/shellDetector/shellDetect.sh >> /root/shellDetector/error.log)

Good news, no?

What about my other proposals?

The script is running under root, I don't think it is running and executing at all

An issue I see a lot with cron is that the environment is not set as it is during a normal login. Particularly the PATH environment variable.

With your particular script I'm guessing that inotifywait is not being found. You could either set PATH at the top of your script or fully qualify the command like this: /usr/bin/inotifywait.

@Chubler_XL: I did not use inotify yet; I am just testing if the script is running on reboot, so I can use inotify to watch the directory

What are the contents of the script then?

Here you go

#!/bin/sh

# Some vars here

# Dangerous files, extensions and shells
SHELLDETECT=$( find /home/uvid/www/Uploads/ -type f \( -iname "1.*" -o -iname "*eicar*" -o -iname "*.php" -o -iname "*.pl" -o -iname "*.txt" -o -iname "*.py" -o -iname "*.c" -o -iname "*.deb" -o -iname "*.zip" -o -iname "*.tar" -o -iname "*.gz" -o -iname "*.tar.gz" -o -iname "*.js" -o -iname "*.vbs" -o -iname "*.exe" -o -iname "*.asp" -o -iname "*.jsp" -o -iname "*.cgi" -o -iname "c100*" -o -iname "c99*" -o -iname "cmd*" -o -iname "webadmin*" -o -iname "r57*" -o -iname "*shell*" -o -iname "*angel*" -o -iname "*b374k*" -o -iname "*bv7binary*" -o -iname "*webroot*" -o -iname "*kacak*" -o -iname "*symlink*" -o -iname "*h4cker*" -o -iname "*gazashell*" -o -iname "*locus7shell*" -o -iname "*syrianshell*" -o -iname "*injection*" -o -iname "*cyberwarrior*" -o -iname "*ernebypass*" -o -iname "*g6shell*" -o -iname "*pouyaserver*" -o -iname "*saudishell*" -o -iname "*simattacker*" -o -iname "*sosyeteshell*" -o -iname "*tryagshell*" -o -iname "*uploadshell*" -o -iname "*wsoshell*" -o -iname "*weevely*" -o -iname "*zehir4shell*" -o -iname "*lostdcshell*" -o -iname "*commandshell*" -o -iname "*mailershell*" -o -iname "*cwshell*" -o -iname "*iranshell*" -o -iname "*indishell*" -o -iname "**g6sshell" -o -iname "*sqlshell*" -o -iname "*simshell*" -o -iname "*tryagshell*" -o -iname "*zehirshell*" -o -iname "*unknown*" -o -iname "*k2ll33d*" -o -iname "*b1n4ry*" \) )

# test the output: find exits 0 even with no matches, and [[ ]] is not POSIX sh
if [ -n "$SHELLDETECT" ]
then
echo "$SHELLDETECT" | mail -s "Shell bad extensions $TODAY" "$EMAIL"
fi


# Find large strings, more than 100 chars
largeStrings=$( find /home/immo/uvid/Uploads/ -type f -exec grep -Eq '.{100}' {} \; -exec ls -l {} + )

# test the output: find exits 0 even with no matches, and [[ ]] is not POSIX sh
if [ -n "$largeStrings" ]
then
echo "$largeStrings" | mail -s "Large strings $TODAY" "$EMAIL"
fi


# Find files that were modified or created in the last 24 hours
# -1 the last 24 hours
# -0.5 the last 12 hours
# -0.25 the last 6 hours
# +3 more than three days
# 0 Files modified between now and 1 day ago
     # (i.e., within the past 24 hours)
# 1 Files modified between 24 and 48 hours ago
# +1 Files modified more than 48 hours ago
modifFiles=$( find '/home/immo/uvid/Uploads/' -mtime 0 -ls )

# test the output: find exits 0 even with no matches, and [[ ]] is not POSIX sh
if [ -n "$modifFiles" ]
then
	echo "$modifFiles" | mail -s "Modified files $TODAY" "$EMAIL"
fi

Try setting PATH to a reasonable value at the top of that script. Cron does not execute /etc/profile or other login scripts, so PATH is likely to be unset, and then the script fails to find external commands like find and mail.
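
The cron advice given in this thread (set PATH, add logging, capture stderr), as an added example that is not code from any poster: a preflight that logs the environment cron really provides and names every required command that does not resolve. The log path, the "run" argument and the command list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a preflight for a script started by
# cron's @reboot. The LOG path and the command list are assumptions.

LOG="${LOG:-/tmp/shellDetect-preflight.log}"

# Append one timestamped line to the log.
log() {
    printf '%s [%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$$" "$*" >> "$LOG"
}

# Print each named command that cannot be resolved with the given PATH.
# Usage: missing_cmds "<path list>" cmd...
missing_cmds() {
    search_path=$1
    shift
    for cmd in "$@"; do
        ( PATH=$search_path; command -v "$cmd" >/dev/null 2>&1 ) ||
            printf '%s\n' "$cmd"
    done
}

# Record the environment cron actually provided, then report any required
# command that is not reachable. Returns 0 when everything resolves.
preflight() {
    log "start uid=$(id -u) shell=$0 PATH=${PATH:-<unset>}"
    missing=$(missing_cmds "${PATH:-}" "$@" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        log "missing commands: $missing"
        return 1
    fi
    log "all required commands found"
}

# Run only when called with "run", e.g. from the crontab:
#   @reboot /path/to/preflight.sh run
if [ "${1:-}" = "run" ]; then
    # Send stdout and stderr of everything that follows to the log as well.
    exec >> "$LOG" 2>&1
    preflight find mail inotifywait || exit 127
    log "preflight passed, starting the real work"
fi
```

After a reboot the log shows whether cron started the script at all, under which uid and PATH, and which command was missing.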

Follow Chubler_XL's advice. Use a less complex script, one or two lines, echoes; redirect stderr, too. Post the log files.


Well I modified the code replacing:

mail
find

with

/usr/bin/mail
/usr/bin/find

I checked if the script is running on startup:

ps -eaf | grep shellDetect.sh | grep -v grep

BUT it is not running

The cron log is with RED background color

Apr  3 14:41:39 ns366860 CRON[1013]: (root) CMD (/root/Scripts/Misc/shellDetect.sh >> /root/Scripts/Misc/error.log)

I placed this code with inotify:

#!/bin/sh
inotifywait -m /home/uvid/www/Uploads -e create -e moved_to |
    while read -r dir action file; do
        echo "The file '$file' appeared in directory '$dir' via '$action'"
        sh /root/Scripts/Misc/shellDetect.sh
        # closing quote added after the message so the pipe to mail is not part of the string
        echo "Hello new file is here" | /usr/bin/mail -s "new file" EMAIL
    done
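
An added example, not code from the thread: a watcher that checks each finished upload by name instead of rescanning the whole directory on every event, reading inotifywait output in a fixed dir|events|file format. The extension list is a subset of the one in shellDetect.sh above plus a double-extension pattern; the "watch" argument, the log path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. UPLOAD_DIR default, the "watch"
# argument and the extension list are assumptions for illustration.

UPLOAD_DIR="${UPLOAD_DIR:-/home/uvid/www/Uploads}"

# Return 0 if the name carries an extension a web server may execute.
# Matching is case-insensitive; *.php.* catches names like avatar.php.jpg.
is_suspicious() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        *.php|*.php.*|*.pl|*.py|*.cgi|*.asp|*.jsp) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "dir|events|file" records and print one ALERT or ok line per file.
# The name is the last field, so spaces or "|" inside it are preserved;
# a newline inside a name would still split the record.
process_events() {
    while IFS='|' read -r dir events file; do
        [ -n "$file" ] || continue
        if is_suspicious "$file"; then
            printf 'ALERT %s %s%s\n' "$events" "$dir" "$file"
        else
            printf 'ok %s %s%s\n' "$events" "$dir" "$file"
        fi
    done
}

# Start the watcher only when asked to, e.g. from the crontab:
#   @reboot /path/to/upload-watch.sh watch >> /var/log/upload-watch.log 2>&1
if [ "${1:-}" = "watch" ]; then
    PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH   # do not rely on cron's PATH
    command -v inotifywait >/dev/null 2>&1 || {
        echo "inotifywait not found in PATH=$PATH" >&2
        exit 127
    }
    # close_write fires once the writer is done; create fires on an empty file.
    inotifywait -m -q -e close_write -e moved_to \
        --format '%w|%e|%f' "$UPLOAD_DIR" | process_events
fi
```

Name matching only flags the obvious cases; a renamed script passes it, so the upload directory should also be configured so that the web server never executes files from it.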