Comments on: How to detect if your webserver is hacked and get alerted http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/ Little words of wisdom Sat, 04 Sep 2010 23:02:27 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: dd http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/comment-page-1/#comment-16851 dd Wed, 09 Jun 2010 20:04:45 +0000 http://www.webdigi.co.uk/blog/?p=31#comment-16851 Take a look at these links as well.. Sucuri does that for you remotely... Kinda like a tripwire for web sites, DNS, whois ,etc: sucuri.net For local servers, OSSEC is pretty good too (open source): ossec.net Take a look at these links as well.. Sucuri does that for you remotely… Kinda like a tripwire for web sites, DNS, whois ,etc: sucuri.net

For local servers, OSSEC is pretty good too (open source): ossec.net

]]> By: dungto http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/comment-page-1/#comment-13802 dungto Thu, 25 Mar 2010 07:22:42 +0000 http://www.webdigi.co.uk/blog/?p=31#comment-13802 My method. List all executable / script files in your root using script and calculate it's md5 save the result on text file or database. Periodically recheck md5 value and compare with last result. Pay some attention if you find difference. My method. List all executable / script files in your root using script and calculate it’s md5 save the result on text file or database. Periodically recheck md5 value and compare with last result. Pay some attention if you find difference.

]]> By: Jerry Gav http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/comment-page-1/#comment-10692 Jerry Gav Tue, 05 Jan 2010 12:36:55 +0000 http://www.webdigi.co.uk/blog/?p=31#comment-10692 Thanks for the detailed post! Thanks for the detailed post!

]]> By: Janice http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/comment-page-1/#comment-9999 Janice Mon, 14 Dec 2009 13:24:57 +0000 http://www.webdigi.co.uk/blog/?p=31#comment-9999 Thanks for sharing the code. This is a script via a cron job to alert you for file changes. Something like the oscommerce site monitor contribution I guess. If you your server was hacked in the past you should not only restore from backups and change passwords, but figure out how they got in and fix the code. (You have the host's server logs that should give you clues). As per the google code for the project the top request is to find out which file has changed. That will be a good enhancement. I hope someone will be able to do that for me :) Atleast this is a great solution to figure out if someone has tampered with any code on my site! Thanks for sharing the code. This is a script via a cron job to alert you for file changes. Something like the oscommerce site monitor contribution I guess.

If you your server was hacked in the past you should not only restore from backups and change passwords, but figure out how they got in and fix the code. (You have the host’s server logs that should give you clues). As per the google code for the project the top request is to find out which file has changed. That will be a good enhancement. I hope someone will be able to do that for me :)

Atleast this is a great solution to figure out if someone has tampered with any code on my site!

]]> By: just_browsing http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/comment-page-1/#comment-7925 just_browsing Sat, 17 Oct 2009 22:18:16 +0000 http://www.webdigi.co.uk/blog/?p=31#comment-7925 hmmm interesting little project, looking at some-point to implement something like this when I re-active my site. Shut it down due to getting compromised by a wordpress vulnerability that activated on my own PC when I went to view something on mysite - net result they got my FTP logins that resulted in over 50 different IP's login each attempting to make a single file amend. So shut it all down - managed to nip it in the bud early. Easy tell tale sign of file change is the Date ;) it not often when you have a site up and running that you amend the files so a compromised account will harbour a date newer than when you uploaded. Worthwhile using that sort of functionality to pick out altered files. hmmm interesting little project, looking at some-point to implement something like this when I re-active my site. Shut it down due to getting compromised by a wordpress vulnerability that activated on my own PC when I went to view something on mysite – net result they got my FTP logins that resulted in over 50 different IP’s login each attempting to make a single file amend.

So shut it all down – managed to nip it in the bud early.

Easy tell tale sign of file change is the Date ;) it not often when you have a site up and running that you amend the files so a compromised account will harbour a date newer than when you uploaded.

Worthwhile using that sort of functionality to pick out altered files.

]]> By: Ben http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/comment-page-1/#comment-4814 Ben Mon, 13 Jul 2009 05:01:56 +0000 http://www.webdigi.co.uk/blog/?p=31#comment-4814 Thanks for the help! I've suggested it to my friends and colleagues. I've also referenced your article in my post. I've assumed the link is the way you want it. Keep up the great work! Thanks again, Ben Thanks for the help! I’ve suggested it to my friends and colleagues. I’ve also referenced your article in my post. I’ve assumed the link is the way you want it. Keep up the great work!

Thanks again,

Ben

]]> By: antispin http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/comment-page-1/#comment-4328 antispin Wed, 01 Jul 2009 14:03:38 +0000 http://www.webdigi.co.uk/blog/?p=31#comment-4328 Many people (such as myself) may not have any immediate alternative -- and it's definitely better than nothing. Thanks for the script. Tripwire, AIDE, AFICK, Samhain are alternatives but require you to have complete control over your web server. Many people (such as myself) may not have any immediate alternative — and it’s definitely better than nothing. Thanks for the script.

Tripwire, AIDE, AFICK, Samhain are alternatives but require you to have complete control over your web server.

]]> By: Planet Android » Blog Archive » Simple Website Change Detection System http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/comment-page-1/#comment-2040 Planet Android » Blog Archive » Simple Website Change Detection System Thu, 07 May 2009 04:53:28 +0000 http://www.webdigi.co.uk/blog/?p=31#comment-2040 [...] Change Detection System Posted by Admin May - 7 - 2009 - Thursday I happened to read a post on how to detect if someone has changed files on your webserver to serve nebulous scripts and what [...] [...] Change Detection System Posted by Admin May – 7 – 2009 – Thursday I happened to read a post on how to detect if someone has changed files on your webserver to serve nebulous scripts and what [...]

]]> By: Simple Website Change Detection System | California Dreams http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/comment-page-1/#comment-2039 Simple Website Change Detection System | California Dreams Thu, 07 May 2009 04:33:29 +0000 http://www.webdigi.co.uk/blog/?p=31#comment-2039 [...] happened to read a post on how to detect if someone has changed files on your webserver to serve nebulous scripts and what [...] [...] happened to read a post on how to detect if someone has changed files on your webserver to serve nebulous scripts and what [...]

]]> By: Paul http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/comment-page-1/#comment-1983 Paul Tue, 05 May 2009 23:30:45 +0000 http://www.webdigi.co.uk/blog/?p=31#comment-1983 Also checkout TripWire. -Thanks! sourceforge.net/projects/tripwire/ Also checkout TripWire. -Thanks!

sourceforge.net/projects/tripwire/

]]>