Monitor Your Website for Hacks – PHP Code Gives a Hash
I’ve had some friends get their website hacked with a nefarious little code snippet that attempts to exploit the browser of visitors. The site looks no different, but that’s the point. It’s difficult to tell that you’ve been hacked.
Now, the fix I’ll suggest won’t work very well for dynamic websites. It reads all of the website files and generates a hash. That hash can be monitored by a desktop program. I personally monitor my sites every 30 minutes. Knock on wood that I won’t need to be informed. However, I’ve set it up to email me in the case of a hack where the hash doesn’t match.
- Get the PHP hash generating code from WebsiteCDS (hosted by Google Code)
- Setup info is in the readme – however I suggest you change the email address and password before uploading it to the root of your website.
- Type in the websitecds.php location in your address bar with the password as required in the readme (READ the README)
- I liked the SiteUp website checker for Windows, and use it to check for the hash. In fact, I have it set up to run the websitecds.php script with the expected hash. (Other die-hards use cron and a script)
- Remember to update your hash every time you change or add things to your website. Otherwise you will be getting error messages and/or emails.
- Rest easy that you’ll know if you’re hacked.
Good luck. And I hope your ISP is quick on the patches.
–Ben
References:
Webdigi – Web Development Company in London
Google Code – Website CDS (Change Detection System)
Xequte.com – SiteUp – Check if your website is up, even if you aren’t
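The approach in the post (read every site file, reduce the site to one hash, compare it with a recorded value) can also be run as the cron-and-script variant mentioned in the list. The following is an added example in Python, not WebsiteCDS's code and not from the original post; it goes one step beyond a single hash by keeping a per-file manifest, so a mismatch also names the files that changed. The function names and the sample site are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def site_hash(manifest):
    """One hash over the sorted path/digest pairs: the value to record and monitor."""
    h = hashlib.sha256()
    for rel in sorted(manifest):
        h.update(f"{rel}\0{manifest[rel]}\n".encode())
    return h.hexdigest()

def diff_manifests(baseline, current):
    """Report what a bare hash mismatch cannot: which files were added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample site: record a baseline, change two files, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.html").write_text("<html><body>Hello</body></html>\n")
        (root / "js" / "site.js").write_text("console.log('ok');\n")
        baseline = build_manifest(root)
        # Constructed stand-ins for a compromise: one page altered, one file dropped in.
        (root / "index.html").write_text("<html><body>Hello</body></html>\n<!-- changed -->\n")
        (root / "js" / "extra.js").write_text("// unexpected file\n")
        current = build_manifest(root)
        return site_hash(baseline) == site_hash(current), diff_manifests(baseline, current)

if __name__ == "__main__":
    print(demo())
```

As with the hash in the post, the baseline manifest has to be regenerated after every legitimate change to the site.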
Hi, after uploading the websitecds.php script and changing the password & email address, firstly run the script without the myhash parameter like so:
http://www.YOURDOMAIN.com/websitecds.php?password=ChangeThisPasswordForSecurity
This will generate a hash, now copy that hash like so:
http://www.YOURDOMAIN.com/websitecds.php?password=ChangeThisPasswordForSecurity&myhash=7248e8a4abc6a14966badc461f0290f0
And visit that link, you should see “All Good!”
“All Good!” is the word you want to use in SiteUp! If it isn’t all good, then something is wrong, something has changed and SiteUp will report the website as down.
Hope this helps,
Chris.
Thanks Chris!
I apologize for posting on a two-year-old thread but how do you use SiteUp to run the PHP script? You said, “…. In fact, I have it setup to run the websitecds.php script with the expected hash.” SiteUp lets me enter the names of the websites to monitor and asks for a word to look for….but that’s it. I do not see how I could run my websitecds.php file. The PHP file works fine but I need to execute it automatically on a shared Windows server.
[…] WebsiteCDS or Git for Hack Monitoring – In trying to prevent infected sites from going unnoticed in the future both WebsiteCDS or Git seem like possibilities. The idea is that you generate a hash of your site and periodically scan your site structure. When the hashes no longer match, you’re informed that the site contents have changed. Not sure how this works with WordPress’s upload directory but a concept worth investigating. […]
Git appears to be a lot more flexible. It also looks like it has a longer learning curve, requires cron access and must run locally (or have an ftp download of the site – which is probably asking for trouble).
I.e. – if you didn’t get much out of that last paragraph, I’d use WebsiteCDS. If you did, and you have the capability, you might try git. Especially if you’re used to CVS or Subversion.
–Ben
Sounds similar to the article “Git informed when your site is hacked” (http://blog.jerodsanto.net/2009/05/git-informed-when-your-site-is-hacked/)
This article suggests using Git to create the hash and monitor it.
Thanks.
As to the FTP passwords. Yeah, I actually recommended that they think about changing their organization’s passwords. Frequently people will use that password for a number of things.
As to the link. Done. Thanks for the script!
I am impressed with the amount of PHP knowledge and security awareness you have. You still call yourself a lawyer? You must be a pretty good lawyer then. Please also make sure that the FTP passwords have been reset if the attack was done via FTP.
Thanks for the links, can I request you to point your link web development company in London to our main website?