Web Hosting Forum | Lunarpages


March 17, 2010, 03:08:33 PM

Author Topic: Site File Audit script - anyone interested and is there an alternative?  (Read 504 times)
pharscape
« on: July 04, 2009, 11:32:07 AM »

Hi All,

My site was hacked a few weeks back and got blacklisted by Google :'(. The attack added a PHP file, added code to a JavaScript file and modified permissions on directories and files. I managed to track the changes down and clean the infected files and closed what security holes I could find. This was a slow manual process.

Google now says I'm clean which is a good start.

I am not completely confident that all holes are plugged so I have been looking for a script to run as a cron job - that would check for changes in the filesystem and email me whenever something happens. I did not find a cgi script to do this so I have now written two scripts that seem to work for me.

One script creates a list of files and a "fingerprint" for each file. The script searches all sub-directories for matching files.
The second script is run as the cron job to compare this list against the current file system. If it finds a problem it creates an email listing the changes.
The audit checks for added/deleted files, file content changes, file permission changes.

The audit does not check for new directories or changes in directory permissions. I have reasoned that directories themselves are not a risk but the files they contain can be. So if files matching the patterns are detected in new directories then this will be reported.

The configuration allows for directories and files to be specifically excluded.

To explain a little further here is the output of a manually run audit which did not find a problem and did not create an email:
Quote
*** File Audit Results *** ['*.php', '*.html', '*.py', '*.cgi', '.ini', '*.js', '*.inc', '.htaccess', 'favicon.ico', '*.pl', '*.htc', '*.css']
No anomaly found.

As a test, after creating my reference list I tweaked a file permission. This is the contents of a mail reporting the change:
Quote
File contents or permissions change.
1
 /home/********/public_html/index.php (1321918820, '100604')
The big number is the checksum fingerprint, the last number is the octal permissions of the file.

This email detects that a file has been added as well as the permission change:
Quote
Files have been added.
2
 /home/pharsc2/public_html/index.php (1321918820, '100604')
 /home/pharsc2/public_html/fta3.html (189427463, '100644')

If you are interested in trying these scripts let me know and I'll write an install how-to.

But does anyone know of a similar solution that has some pedigree?

Cheers,
Paul
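A sketch of the two-step audit described in the post above (build a reference list, then compare it against the current file system), added here as an example; it is not pharscape's scripts. The function names and the `exclude_dirs` parameter are assumptions, SHA-256 stands in for the post's checksum fingerprint, and the site tree in `demo()` is constructed.

```python
import fnmatch, hashlib, os, stat, tempfile

# Patterns copied from the audit output quoted in the post.
PATTERNS = ['*.php', '*.html', '*.py', '*.cgi', '.ini', '*.js', '*.inc',
            '.htaccess', 'favicon.ico', '*.pl', '*.htc', '*.css']

def snapshot(root, patterns=PATTERNS, exclude_dirs=()):
    """Map each matching file under root to (sha256 hex, octal mode string)."""
    ref = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories (hypothetical option) so os.walk skips them.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in exclude_dirs]
        for name in filenames:
            if not any(fnmatch.fnmatch(name, p) for p in patterns):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, devices
                continue
            with open(path, 'rb') as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            ref[path] = (digest, '%o' % st.st_mode)  # mode string, e.g. '100644'
    return ref

def compare(reference, current):
    """Return added, deleted and changed paths; all lists empty means no anomaly."""
    return {
        'added': sorted(set(current) - set(reference)),
        'deleted': sorted(set(reference) - set(current)),
        'changed': sorted(p for p in reference.keys() & current.keys()
                          if reference[p] != current[p]),
    }

def demo():
    """Constructed site tree: one permission change, one new file in a new directory."""
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, 'index.php')
        with open(index, 'w') as fh:
            fh.write('<?php echo "hello"; ?>')
        os.chmod(index, 0o644)
        reference = snapshot(root)                    # step 1: reference list
        os.chmod(index, 0o604)                        # permission tweak, as in the post
        os.mkdir(os.path.join(root, 'new'))
        with open(os.path.join(root, 'new', 'x.php'), 'w') as fh:
            fh.write('<?php ?>')
        report = compare(reference, snapshot(root))   # step 2: the cron-job check
        return {k: [os.path.relpath(p, root) for p in v] for k, v in report.items()}
```

The reference list is only as trustworthy as where it is stored: if it sits in a location the web server account can write to, whoever modifies the site files can regenerate it too.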
Troy L
« Reply #1 on: July 04, 2009, 04:44:44 PM »

Can you provide more information on this script?

This sounds like a very useful script, and if it's fairly accurate, may be one I would recommend to others, if we had more information on it.

A how-to would be nice too :)
pharscape
« Reply #2 on: July 05, 2009, 03:41:07 PM »

I have posted the files here:
http://www.pharscape.org/forum/index.php?topic=759.0

The scripts do not modify anything on your system except to create one reference file. The documentation refers to file paths on a Linux system so there may be some differences for a Windows system.

Cheers,
Paul