T.ME/BIBIL_0DAY
CasperSecurity


Server : Apache/2
System : Linux server-15-235-50-60 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64
User : gositeme ( 1004)
PHP Version : 8.2.29
Disable Function : exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
Directory :  /home/gositeme/domains/soundstudiopro.com/public_html/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Current File : /home/gositeme/domains/soundstudiopro.com/public_html/monitor_htaccess.php
<?php
/**
 * Monitor .htaccess files for unauthorized modifications
 * Run this via cron every 5 minutes
 */

$log_file = __DIR__ . '/logs/htaccess_monitor.log';
$alert_file = __DIR__ . '/logs/htaccess_alerts.log';

// Ensure log directory exists
if (!is_dir(__DIR__ . '/logs')) {
    mkdir(__DIR__ . '/logs', 0755, true);
}

// Known malicious patterns
$malicious_patterns = [
    'about\.php.*Allow from all',
    'radio\.php.*Allow from all',
    'RequireAll.*Require all denied', // If it blocks everything
    'function h\(', // Malicious function in index.php
    'base64_decode.*rakuten',
    '51la\.zvo2\.xyz',
];

// Critical files to monitor
$critical_files = [
    __DIR__ . '/.htaccess',
    __DIR__ . '/index.php',
    __DIR__ . '/auth/.htaccess',
    __DIR__ . '/utils/.htaccess',
    __DIR__ . '/445367/.htaccess',
];

$alerts = [];

foreach ($critical_files as $file) {
    if (!file_exists($file)) {
        continue;
    }
    
    $content = file_get_contents($file);
    $modified = filemtime($file);
    
    // Check for malicious patterns
    foreach ($malicious_patterns as $pattern) {
        if (preg_match("/$pattern/i", $content)) {
            $alerts[] = [
                'file' => $file,
                'pattern' => $pattern,
                'modified' => date('Y-m-d H:i:s', $modified),
                'severity' => 'CRITICAL'
            ];
        }
    }
    
    // Check if file was modified in last 5 minutes (unexpected changes)
    if (time() - $modified < 300) {
        $alerts[] = [
            'file' => $file,
            'issue' => 'File modified in last 5 minutes',
            'modified' => date('Y-m-d H:i:s', $modified),
            'severity' => 'WARNING'
        ];
    }
}

// Log results
$log_entry = date('Y-m-d H:i:s') . " - Checked " . count($critical_files) . " files\n";
file_put_contents($log_file, $log_entry, FILE_APPEND);

if (!empty($alerts)) {
    $alert_entry = date('Y-m-d H:i:s') . " - ALERTS DETECTED:\n";
    foreach ($alerts as $alert) {
        $alert_entry .= "  " . json_encode($alert) . "\n";
    }
    $alert_entry .= "\n";
    file_put_contents($alert_file, $alert_entry, FILE_APPEND);
    
    // Also log to error log
    error_log("HTACCESS MONITOR ALERT: " . json_encode($alerts));
    
    echo "ALERTS DETECTED!\n";
    print_r($alerts);
    exit(1);
} else {
    echo "All files clean.\n";
    exit(0);
}

CasperSecurity Mini