Thank you for your suggestion. I can see that the information would sometimes be useful, but to make it a built-in feature would make this already complicated script even harder to use.
Finding files modified within a range of dates/times could be quite useful (and I'll deal with it below), but it's not directly related to whether the files actually do contain suspicious snippets, which would already be caught by the searches that the script currently does.
Excluding files that you have already edited isn't necessarily as safe as it sounds, because the files could have been re-hacked since you edited them. If they're really clean, they shouldn't be listed in a new suspicious snippets search (except for any false positives), so they shouldn't have to be excluded.
But it is possible to add file timestamp checking into the PHP code. One place you could do it is in the BuildFileList() function, to make a file be either excluded or included based on its timestamp. Or you could create a whole new section of the script that first uses the current BuildFileList() to build the file list normally, and then output a report based on the timestamps of the files.
Although I don't want to add the feature to the default version of the script, I have created the following example code that shows usage of the key PHP functions that you'd probably need for adding a timestamp checking feature to your copy of the script. This code outputs a message if the file's timestamp falls within the "suspicious" range:

    # You must either set this explicitly or endure PHP warnings about it.
    # Make sure the timezone you specify IS the one the server is using for file timestamps.
    # 'UTC' is only a placeholder value here; replace it with your server's timezone.
    date_default_timezone_set('UTC');

    # Use exactly this format for your timestamps because
    # it is the same format used below in the date() function.
    $TimeRangeStart = "2012-04-01 05:00:00";
    $TimeRangeEnd = "2012-04-06 19:30:00";

    # You'd normally get the filename from a list...
    $filename = 'test.php';

    # "Y-m-d H:i:s" strings sort in chronological order, so string comparison works.
    $lastmod = date("Y-m-d H:i:s", filemtime($filename));
    if (($lastmod >= $TimeRangeStart) && ($lastmod <= $TimeRangeEnd)) {
        echo "Suspicious timestamp: $lastmod " . realpath($filename) . "\n";
        # AN ALTERNATIVE, FILENAME ONLY.
        #echo "Suspicious timestamp: $lastmod $filename\n";
        # OR, IF IT IS FOR OUTPUT ON WEB PAGE, CLEAN AND COLORIZE THE TEXT:
        #echo CleanColorText("Suspicious timestamp: $lastmod ", 'red') . CleanColorText(realpath($filename), 'black');
    }

On a linux server, it's also possible to use linux commands directly to find files modified within a certain time range, and it's possible to use PHP to launch those commands and display the result. The key is the linux "find" command, described in detail at http://linux.die.net/man/1/find
This is an example of some prototype code, but I can't really recommend using find or using PHP shell_exec unless you're comfortable with them already. Nonetheless, it is an available method for those who want to do some exploring, studying, and experimenting:

    # FIND REGULAR FILES MODIFIED WITHIN THE PAST 10 DAYS
    $cmd = 'find ./ -type f -mtime -10';
    $result = shell_exec($cmd);

    # CLEAN RESULT FOR OUTPUT ON WEB PAGE
    echo htmlentities($result, ENT_QUOTES);
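
A timestamp report of the kind described in the reply above (build the file list, then report by timestamp), as an added example that is not part of the original script or of the reply. It goes further than the reply's snippet by comparing integer timestamps and by also checking the inode change time (ctime), which on Unix cannot be set back with touch(); the function name, root path, timezone and time window are assumptions.

```php
<?php
# Added example, not part of the original script. FindFilesInTimeRange is a
# hypothetical name; the root '.', timezone 'UTC' and window are placeholders.
function FindFilesInTimeRange($root, $start, $end, $tz)
{
    $zone = new DateTimeZone($tz);
    # Compare integer Unix timestamps, so the result does not depend on the
    # string format or on PHP's default timezone setting.
    $from = (new DateTime($start, $zone))->getTimestamp();
    $to   = (new DateTime($end, $zone))->getTimestamp();
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD  # skip unreadable directories
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $mtime = $file->getMTime();
        # On Unix, ctime is the inode change time. It also moves on chmod,
        # chown and rename, so treat ctime-only hits as leads, not proof.
        $ctime = $file->getCTime();
        $mIn = ($mtime >= $from && $mtime <= $to);
        $cIn = ($ctime >= $from && $ctime <= $to);
        if ($mIn || $cIn) {
            $hits[] = array(
                'path'  => $file->getPathname(),
                'mtime' => $mtime,
                'ctime' => $ctime,
                # mtime outside the window but ctime inside it: the
                # modification time may have been reset after the change.
                'ctime_only' => (!$mIn && $cIn),
            );
        }
    }
    usort($hits, function ($a, $b) { return $a['ctime'] - $b['ctime']; });
    return $hits;
}

# CLI output; pass each line through htmlentities() before printing on a web page.
$tz = 'UTC';
foreach (FindFilesInTimeRange('.', '2012-04-01 05:00:00', '2012-04-06 19:30:00', $tz) as $h) {
    $when = (new DateTime('@' . $h['mtime']))->setTimezone(new DateTimeZone($tz));
    $flag = $h['ctime_only'] ? ' [ctime only]' : '';
    echo $when->format('Y-m-d H:i:s') . ' ' . $h['path'] . $flag . "\n";
}
```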