
How can I monitor a website for malicious changes to the files

@Welton855

Posted in: #Detection #Monitoring

I had an occasion recently where our website was compromised - a link farm was added to a couple of the pages on one occasion, and on another occasion, a large and nasty aspx file was put on the server. I won't mention the host's name (Hostway), but I was pretty annoyed that someone was able to do this. No, it wasn't a leaky password - around 10 sites hosted by HW with consecutive IP addresses got trashed.

Anyway. What I need is a utility or service (preferably free) that takes a snapshot of my website's contents, and then regularly monitors the files (size and datestamp) for unauthorized changes or additions, and alerts me. I've used web services that monitor one file for changes, but I'm looking for something a bit more aggressive.


4 Comments


@Kevin317

One of our sites was recently hacked and we didn't notice for a while, because nothing was broken, until we became aware of our site appearing with spammy words in Google searches. Since our site was using git, I came up with a quick and dirty solution for monitoring the site for unauthorised file changes using the git diff command.

It is a bash script (but is simple enough to be modified into a batch script for Windows environments) that runs periodically via something like cron.

#!/bin/bash

# change the following two params,
# set up a cron job and there you go!
email="bob@mail.com"
site="your site"

# run from the directory this script lives in (the site's git working tree)
cd "$(dirname "$0")" || exit 1

# snitch.log holds the file list from the last alert
if [ ! -f snitch.log ]; then
    touch snitch.log
fi

# if git diff finds a difference between
# HEAD and what we have now, snitch!
if [[ -n $(git diff --name-only HEAD) ]]; then
    git diff --name-only HEAD > snitchtemp.log
    # only mail when the list differs from the one already reported
    if [[ -n $(diff snitch.log snitchtemp.log) ]]; then
        git diff --name-only HEAD > snitch.log
        mail -s "snitch@$site" "$email" < snitch.log
    fi
else
    echo "OK"
fi


What it does is very simple. On every invocation it uses git diff to see if any files have been modified since the last commit, and if so sends an email with the list of files that have been tampered with. To avoid sending the same email over and over again until you pay attention, it saves the list of files that were tampered with the last time it ran and checks against that to see if the list of files has changed, in which case it can send another email.

Note that git diff will only list modified files that git is tracking, so if the intruder creates brand new files, they won't be caught. However since they would need to tamper with at least one existing file to create the brand new file in the first place, this script should be fine.

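As an added example that is not part of any post in this thread: the question asks for a snapshot that catches both changes and additions, and the git diff approach above only lists tracked files. The sketch below compares a SHA-256 manifest of the web root against a known-good baseline and reports added, modified and removed files; the function names and the demo site are constructed for illustration, and GNU `find`, `sha256sum` and `awk` are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): hash-manifest integrity check for a web root.

# snapshot DIR: print "<sha256>  <path>" for every regular file under DIR, sorted by path.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# compare BASELINE CURRENT: list files that were ADDED, MODIFIED or REMOVED.
compare() {
    awk '
        { hash = $1; path = substr($0, length($1) + 3) }  # 2 chars sit between hash and path
        FILENAME == ARGV[1] { base[path] = hash; next }   # first file: trusted hashes
        !(path in base)     { print "ADDED " path; next }
        { seen[path] = 1 }
        base[path] != hash  { print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# check_site DIR BASELINE: silent, returns 0 when clean; prints the report and returns 1 otherwise.
check_site() {
    current=$(mktemp) || return 2
    snapshot "$1" > "$current"
    report=$(compare "$2" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed site: take a baseline, then simulate the two incidents from the question.
demo() {
    site=$(mktemp -d); baseline=$(mktemp)
    printf '<h1>Home</h1>\n' > "$site/index.html"
    printf '<h1>About</h1>\n' > "$site/about.html"
    snapshot "$site" > "$baseline"                         # taken while the site is known-good
    printf '<a href="#">spam</a>\n' >> "$site/index.html"  # links injected into an existing page
    printf 'dropped\n' > "$site/x.aspx"                    # brand-new file, not tracked by git
    check_site "$site" "$baseline"; status=$?
    rm -rf "$site" "$baseline"
    return "$status"
}
demo || echo "site changed (exit $?)"
```

Keep the baseline somewhere the web server account cannot write (ideally off the host), otherwise whoever alters the site can alter the manifest too. Run from cron, the report can be piped to `mail` the same way the script above does.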

@Phylliss660

Two tools that run on Windows might work for you: md5deep and AFICK (Another File Integrity Checker). They allow the auditing and also become aware of new files.

AFAIK there is no web interface for them, but you might want to have the report sent to you via e-mail right from the moment the tools flag a warning anyway.


@Turnbaugh106

We've been using this, Monitor Hacked Files, which is a PHP script that you install on the server. It notifies you if there are any changes to your site -- sending an email with a list of changed files. This at least tells you where to look. Definitely better than Google or clients finding out before you do!


@Debbie626

You could set up a Google Alert to search your site for probable junk. For example, you might have the alert search for "viagra site:example.com". Google alerts will email you if it ever finds the target of your search.
