How to detect if your webserver is hacked and get alerted
We all do our best to write excellent code and to keep our installations of popular open source tools like WordPress, Joomla, osCommerce, Drupal, phpMyAdmin and all their plugins updated, to prevent attacks by hackers using known exploits against them. This article is not aimed at going through all those methods to help you secure your website BUT focuses on how to send you an alert once your website is hacked and running “hidden” code that you didn't write.
So in short, the bad guys have taken over your server and are running anything from a backdoor script to phishing attacks or sending tons of spam emails. You will not know that your server is hacked until you get blacklisted on Spamhaus, your customers get redirected to some random site, or, worse still, you are contacted by eBay/PayPal/some bank saying that your website is phishing their customers. The problem is that we don't even have an idea that our site is hacked until it is too late or too embarrassing.
Simple Solution – Website Change Detection System
We need a script on the server that detects any change to any executable file on the server, or any new file on the server, from HTML and JS to PHP, ASP, Perl, Python files etc. If we generate a hash value of all our files and then compare them periodically, we will be able to detect when our codebase has changed on the server.
These are the steps that our change detection system performs (It takes about 500ms to execute on a typical server):
- Load configuration file (contains password, exclude list)
- Check the password from the request before starting (recommended)
- Recursively run through every file and sub-folder on the server within the current directory of the script.
- Generate a hash for each file and combine them into the master hash.
- Compare the master hash with the hash the user has and alert if different!
- At this simple level the script is almost 100% foolproof in detecting changes to the codebase, given that the hacker or bots don't know of WebsiteCDS's presence.
- At this stage the script cannot detect SQL injection attacks or changes to code that are saved in the database.
- The user's hash is not stored on the server at any time; the comparison with the master hash can be done at cron script level or using Siteup as discussed below.
We have the code written in PHP, but you can do the same in any other scripting language to perform similar checks. We have started the project on Google Code and it is available here: PHP code for WebsiteCDS
See the readme file in the download for help with setup.
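As an added example that is not the project's PHP code, here are the hashing steps above written in Python: it walks the web root, honours an exclude list, folds the per-file hashes together with their relative paths into one master hash, and compares that with the hash recorded at the last legitimate deploy. The directory layout, file names and exclude entries in demo() are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def file_hash(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_excluded(rel: str, exclude) -> bool:
    """Exclude entries are web-root-relative paths: a file, or a directory prefix."""
    return any(rel == e or rel.startswith(e.rstrip("/") + "/") for e in exclude)

def master_hash(root, exclude=()) -> str:
    """Walk root recursively, hash every non-excluded file and fold 'path:hash'
    lines (sorted, so the result is deterministic) into one master hash. Because
    the relative path is part of the input, an added, renamed or deleted file
    changes the master hash, not only an edited one."""
    root = Path(root)
    lines = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if not is_excluded(rel, exclude):
            lines.append(f"{rel}:{file_hash(path)}")
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def codebase_unchanged(root, known_hash, exclude=()) -> bool:
    """True if the tree still matches the hash recorded at the last legitimate deploy."""
    return hmac.compare_digest(master_hash(root, exclude), known_hash)

def demo():
    """Constructed tree: baseline hash; an upload is ignored, a planted PHP file is not."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "app.js").write_text("console.log('ok');")
        exclude = ("uploads",)  # user uploads change legitimately; keep code out of it
        baseline = master_hash(root, exclude)
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        upload_ok = codebase_unchanged(root, baseline, exclude)
        (root / "x.php").write_text("<?php /* file we never wrote */ ?>")
        return upload_ok, codebase_unchanged(root, baseline, exclude)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

In a cron job you would store the baseline hash outside the web root (or off the server, as the page recommends) and send the alert when codebase_unchanged() returns False.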
Different ways to automate the alert system
Method 1: Using our trusted cron job
A cron job can be set up to run the website CDS, compare the result with the last known valid hash and send out an email alert.
Method 2: With Siteup
Siteup is a free tool for Windows systems that can be set to periodically check whether your website is reachable. This is recommended for those of us who don't want to set up a cron job. It can be downloaded here: http://www.xequte.com/other/index.html#siteup We can use it to call our change detection system frequently and then use the Siteup word search to check whether the hash value is the same as the one from our last codebase update. ( See screenshot )
NOTE: The project and code included are the first version of the change detection system; kindly submit your ideas and comments here, or file an issue or feature request in the Google Code project for websitecds.