How To Check for Infected Files Using Nagios Plugins

Posted January 25th, 2016 at 8:00:36am

This example shows how to look for infection patterns inside all .php files in a directory tree using find and grep, called from a Nagios NRPE plugin written in Perl.

You can adjust the behavior by modifying the script, described at the bottom of this post in the Advanced section.

On the host to be checked, create the two files /usr/lib/nagios/plugins/check_for_infections and /usr/lib/nagios/plugins/infection.patterns using the information below.
Make sure the path location matches your specific OS requirements.



Then, on the monitored host, edit the NRPE config file, add the command below, and restart NRPE:

vim /etc/nagios/nrpe.cfg
command[check_for_infections]=/usr/lib/nagios/plugins/check_for_infections -w 1 -c 1 -d /data
service nrpe restart

Finally, update the main Nagios server services definitions file, then restart the Nagios server daemon.

This is what I added to my services.cfg:

service nagios restart

ADVANCED: The key line of the script is:
chomp(@result = `/bin/grep -R -o -F -f $patternFile --include "*.php" $dir/*`);
Please note that grep -F treats every line of the pattern file as a fixed string, so the command counts each occurrence of any item listed there. You could make several enhancements, including the ability to pass the include filespec (currently *.php) into the script via command-line arguments.
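The post's Perl script is not reproduced above, so here is an added example of the same plugin logic written in Python (this is not the post's own check_for_infections script). It walks the tree, counts every occurrence of each fixed string from the pattern file in files matching the include glob, which is what the grep -R -o -F -f line does, and maps the hit count to the Nagios exit codes using the same -w/-c/-d options as the NRPE command above. The -p pattern-file option, the --include option, the function names and the constructed sample tree with placeholder marker strings are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Nagios-style plugin: count fixed-string pattern hits in *.php files.

Added example, not the original post's Perl script. Mirrors the post's
`grep -R -o -F -f patterns --include "*.php"` line: every occurrence of
any pattern is one hit, and the hit count is compared with -w/-c.
"""
import argparse
import fnmatch
import os
import sys
import tempfile

# Standard Nagios plugin return codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def load_patterns(pattern_file):
    """One fixed string per line, blank lines skipped (like grep -F -f)."""
    with open(pattern_file, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


def scan_tree(directory, patterns, include="*.php"):
    """Return (path, pattern) pairs, one per occurrence, as grep -o would."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not fnmatch.fnmatch(name, include):
                continue  # honour --include: other file types are ignored
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable file: skip it, as grep would
            for pat in patterns:
                hits.extend((path, pat) for _ in range(content.count(pat)))
    return hits


def evaluate(hit_count, warn, crit):
    """Map a hit count to (exit code, status word) per Nagios conventions."""
    if hit_count >= crit:
        return CRITICAL, "CRITICAL"
    if hit_count >= warn:
        return WARNING, "WARNING"
    return OK, "OK"


def run_check(directory, pattern_file, warn, crit, include="*.php"):
    """Whole plugin: returns (exit code, one-line status with perfdata)."""
    if not os.path.isdir(directory):
        return UNKNOWN, f"UNKNOWN - {directory} is not a directory"
    try:
        patterns = load_patterns(pattern_file)
    except OSError as exc:
        return UNKNOWN, f"UNKNOWN - cannot read pattern file: {exc}"
    if not patterns:
        return UNKNOWN, "UNKNOWN - pattern file is empty"
    hits = scan_tree(directory, patterns, include)
    code, word = evaluate(len(hits), warn, crit)
    files = sorted({p for p, _ in hits})
    detail = f"; files: {', '.join(files)}" if files else ""
    # Text after '|' is Nagios performance data (value;warn;crit)
    msg = f"{word} - {len(hits)} infection pattern hit(s){detail}"
    return code, f"{msg}|hits={len(hits)};{warn};{crit}"


def make_sample_tree():
    """Constructed sample tree so the example runs offline (assumption)."""
    base = tempfile.mkdtemp(prefix="infection_demo_")
    os.makedirs(os.path.join(base, "site", "inc"))
    # Constructed placeholder strings stand in for real infection patterns.
    with open(os.path.join(base, "infection.patterns"), "w") as fh:
        fh.write("CONSTRUCTED_INJECT_MARKER_A\nCONSTRUCTED_INJECT_MARKER_B\n")
    with open(os.path.join(base, "site", "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")  # clean file
    with open(os.path.join(base, "site", "inc", "x.php"), "w") as fh:  # 2 hits
        fh.write("<?php /* CONSTRUCTED_INJECT_MARKER_A */ CONSTRUCTED_INJECT_MARKER_A ?>\n")
    with open(os.path.join(base, "site", "notes.txt"), "w") as fh:
        fh.write("CONSTRUCTED_INJECT_MARKER_B\n")  # not *.php: ignored
    return base


def main(argv=None):
    ap = argparse.ArgumentParser(description="check_for_infections (Python port)")
    ap.add_argument("-w", type=int, required=True, help="warning threshold (hits)")
    ap.add_argument("-c", type=int, required=True, help="critical threshold (hits)")
    ap.add_argument("-d", required=True, help="directory tree to scan")
    ap.add_argument("-p", default="/usr/lib/nagios/plugins/infection.patterns")
    ap.add_argument("--include", default="*.php", help="filename glob to scan")
    args = ap.parse_args(argv)
    code, msg = run_check(args.d, args.p, args.w, args.c, args.include)
    print(msg)
    return code


if __name__ == "__main__":
    demo = make_sample_tree()
    sys.exit(main(["-w", "1", "-c", "1", "-d", os.path.join(demo, "site"),
                   "-p", os.path.join(demo, "infection.patterns")]))
```

Run stand-alone it builds the constructed tree and exits 2 (CRITICAL) with "2 infection pattern hit(s)", because the marker appears twice in inc/x.php while notes.txt is skipped by the include glob; with -w 1 -c 3 the same tree yields WARNING. A missing directory or unreadable pattern file returns UNKNOWN (3) rather than a misleading OK.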

As always, YMMV!

This is a great troubleshooting document:
