How to use inotifywait to monitor specific file directories and operate on files with specific suffixes, such as deletion.

Websites always have backdoor files generated with the suffix .php. Because no more .php files will be added to the site, I am thinking of using inotifywait to recursively monitor the entire site directory, find newly created php files, and then delete them. In this way, as long as a backdoor file is created, it will be deleted immediately.
Since I am not in operations and maintenance, I hope there is an expert who can help me. Currently, only newly created files are listed in one file.

May.31,2022

Currently, you can only monitor specific file types:

#!/bin/sh

# Daemonize (-d), recurse (-r), quiet (-q); log create/move/delete/modify events
# to monitor.log, skipping static asset suffixes (case-insensitive).
/usr/bin/inotifywait -drq --timefmt '%d/%m/%y %H:%M' \
    --format '%T %w %f %e' -o /alidata1/monitor.log \
    -e create,move,delete,modify \
    --excludei '.*/*\.html|.*/*\.css|.*/*\.js|.*/*\.txt|.*/*\.bak|.*/*\.jpg|.*/*\.png|.*/*\.gif|.*/*\.jpeg|.*/*\.htm|.*/*\.inc' \
    /alidata1/web

Like this, you can filter out monitoring of files with those suffixes.


This is very simple:

  1. The inotify background process monitors the specified directory in real time.
  2. On receiving a file-creation event, check whether the file has a php suffix (this should be detected not just by the suffix).
  3. If it is a backdoor, delete it; otherwise ignore it, or record it to a file, or take some other action.
Are there any difficulties here?
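A script that implements the three steps above, added here as an example and not code from the thread: it checks file content as well as the suffix (the caveat in step 2), and moves hits to a quarantine directory instead of deleting them so they can still be analysed. It assumes inotify-tools is installed; the /alidata1/quarantine default and the WATCH_DIR variable are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Requires inotify-tools; the
# QUARANTINE/LOG defaults and WATCH_DIR are placeholder paths.
QUARANTINE="${QUARANTINE:-/alidata1/quarantine}"
LOG="${LOG:-/alidata1/monitor.log}"

# Return 0 if the file looks like PHP: by suffix, or by a PHP open tag
# in the first 4 KiB (a webshell may hide behind a .gif or .txt suffix
# that the web server is misconfigured to execute), else 1.
is_php_file() {
    case "$1" in
        *.php|*.php[0-9]|*.phtml) return 0 ;;
    esac
    head -c 4096 "$1" 2>/dev/null | grep -q -e '<?php' -e '<?='
}

# Steps 2 and 3: classify one new path. Suspicious files are moved to
# quarantine (keeps the evidence, unlike rm); everything else is logged.
# Returns 0 quarantined, 1 ignored, 2 not a regular file.
handle_file() {
    f="$1"
    [ -f "$f" ] || return 2
    stamp=$(date '+%d/%m/%y %H:%M')
    if is_php_file "$f"; then
        mkdir -p "$QUARANTINE"
        mv -- "$f" "$QUARANTINE/$(date +%s)-$(basename -- "$f")"
        printf '%s QUARANTINED %s\n' "$stamp" "$f" >> "$LOG"
        return 0
    fi
    printf '%s IGNORED %s\n' "$stamp" "$f" >> "$LOG"
    return 1
}

# Step 1: recursive watch. moved_to catches files renamed into the tree,
# close_write fires once the content is written, so the tag check works.
watch_dir() {
    inotifywait -m -r -q -e create,moved_to,close_write \
        --format '%w%f' "$1" |
    while IFS= read -r path; do
        handle_file "$path" || :
    done
}

# Only start monitoring when a directory is supplied, e.g.
#   WATCH_DIR=/alidata1/web sh monitor.sh
if [ -n "${WATCH_DIR:-}" ]; then
    watch_dir "$WATCH_DIR"
fi
```

Review the quarantine directory and monitor.log rather than trusting the suffix check alone; a file the web server cannot execute is harmless to keep, while a false negative is what the content check is there to reduce.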