free script to monitor your website files

Discussion in 'Security' started by aRo`, Apr 6, 2008.

  1. #1
    A while ago, I was hacked on one of my shared hosting accounts. The hacker added some hidden spammy Viagra links in the footer templates of my sites.

    Since you don't have ANY logfiles available on most shared hosting accounts, it was almost impossible to find out how the hacker got in.

    I decided to write a cronjob script, so I'm at least notified when I'm hacked again.

    You can find the phphackchecker script at my blog.
     
    aRo`, Apr 6, 2008
  2. SSANZ

    #2
    Seriously, if your shared host didn't have any logs of how you got hacked, they don't know what they are doing.
     
    SSANZ, Apr 6, 2008
  3. aRo`

    #3
    I know, that's why I left them.

    But a lot of hosting companies don't offer raw log files to their users.
     
    aRo`, Apr 6, 2008
  4. Ladadadada

    #4
    Because there's always more than one way to do anything in Unix, here's another way... put this in your crontab:

    5 * * * * /bin/find /var/www/htdocs -mtime -7 -ls | mailx -s "Changed files in the last 7 days on example.com." you@example.com 2>&1

    Or another (and my favourite method) put your whole website in subversion and then put this in your crontab:

    5 * * * * /usr/bin/svn status /var/www/htdocs | mailx -s "Changed files since the last commit on example.com." you@example.com 2>&1

    The subversion method has the advantage of working even if the attacker changes the modified time of the file he changed. It also keeps a revision history of every change to the file that was ever made, which means even if the attacker figures out that you are using subversion to track changes and he commits his changes to the repository, you can always go back to your version with "svn up -r 253" where revision 253 is the revision before the one he committed.
     
    Ladadadada, Apr 8, 2008
  5. uski

    #5
    The subversion trick is awesome! Thanks for sharing.

    On Linux, there is a tool named tripwire which does the same thing but on system files.
    If a system file gets modified, you get an e-mail. It is useful to detect if someone tries to rootkit your box (but if the hacker knows what he's doing he won't get caught - but as most of them are script kiddies, it works quite well).

    A recommendation for all of you who have dedicated servers: export the logs in real time to another box, preferably a dedicated log box that does nothing else. This is extremely important: if someone gets root access to your box, he can delete the logs locally, but he won't be able to delete the remote logs.
     
    uski, Apr 16, 2008
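
Post #4 notes that a check based on modification time misses a file whose timestamp has been reset, and post #5 mentions tripwire-style monitoring. The sketch below is an added example, not code from any poster or from the phphackchecker script: it compares SHA-256 content hashes against a stored baseline, so timestamps play no part. The function names, file paths and the cron line in the comments are assumptions.

```shell
#!/bin/sh
# Added example: content-hash baseline for a web root (hypothetical names/paths).
# Requires find, sha256sum, sort, uniq, cut and mktemp.

# snapshot DIR
# Print "<sha256>  <path>" for every regular file under DIR, sorted.
snapshot() (
    cd "$1" || exit 2
    find . -type f -exec sha256sum {} + | LC_ALL=C sort
)

# changed DIR BASELINE
# Print every path that was added, removed, or whose content differs from
# the BASELINE snapshot. Modification times are never consulted.
changed() (
    now=$(mktemp) || exit 2
    snapshot "$1" > "$now" || { rm -f "$now"; exit 2; }
    # A line present in both snapshots (same hash, same path) occurs twice
    # in the merged list and is dropped by uniq -u. What remains is every
    # difference. cut removes the 64-character hash and the two separator
    # characters, leaving the path; sort -u collapses the old/new pair that
    # a modified file produces.
    LC_ALL=C sort "$2" "$now" | uniq -u | cut -c67- | LC_ALL=C sort -u
    rm -f "$now"
)

# Create the baseline once, after a known-good deploy. Store it where the
# web account cannot write, ideally on another machine:
#   snapshot /var/www/htdocs > /home/you/baseline.sha256
#
# Hourly cron entry (hypothetical paths) that mails only when something differs:
#   5 * * * * . /home/you/fim.sh; out=$(changed /var/www/htdocs /home/you/baseline.sha256); [ -z "$out" ] || echo "$out" | mailx -s "Changed files on example.com" you@example.com
```

Regenerate the baseline after every legitimate deploy, otherwise each run reports your own changes.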