Irongeek's Shared hosting MD5 Change Detection Script
Adrian Crenshaw, aka Irongeek, has just released another great tool for web admins that monitors the files on a website and reports any changes via email. In fact, "irongeek.com", which is hosted on shared hosting, was hacked a few days back. There is an awesome article posted by him on his blog, "How I Got Pwned: Lessons in Ghetto Incident Response". I think after that Adrian decided to make a handy tool/script to help web admins easily monitor their files on a shared server.
A user can run this simple shell script on a shared server. Suppose hackers get into your website, either by exploiting known vulnerabilities in any of the installed programs or by getting FTP access to your server. The first thing they usually do is plant backdoor scripts that let them log in again at a later date. They need some executable script on the server to gain access to MySQL passwords or installation passwords, or even to edit settings in your WordPress or other installations. We have also seen situations where the site was left largely unchanged except for malicious JavaScript code added to the bottom of the index.php or index.html files.
The problem is that we don't even have an idea that our site has been hacked until it is too late or too embarrassing. Irongeek wrote a script that runs on the server and detects any change to any executable file on the server, or any new file on the server, from HTML and JS to PHP, ASP, Perl, Python files etc. It generates a hash value of all our files and then compares them periodically, so we will be able to detect when our codebase has changed on the server.
A cron job can be set up to run it on the web server, compare the results with the last known valid hash and send out an email alert. Another similar tool, named "Artillery", was released by Dave Kennedy; it is a tool for confusing hackers and protecting Linux systems.
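The baseline-and-compare approach described above, sketched as an added example; this is not Irongeek's script. The function names, the `HASH_CMD` variable and the `init`/`check` arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: hash-baseline change detection (not Irongeek's script).
# Assumption: coreutils md5sum is on the host; set HASH_CMD=sha256sum to swap.
HASH_CMD=${HASH_CMD:-md5sum}

# Print "hash  ./path" for every regular file under directory $1, sorted by path.
build_manifest() {
    ( cd "$1" && find . -type f -exec "$HASH_CMD" {} + | sort -k 2 )
}

# Compare baseline manifest $1 with current manifest $2.
# Prints "CHANGED path", "NEW path" or "REMOVED path", one per line.
compare_manifests() {
    awk '
        # Split each manifest line into hash (h) and path ($0 after sub).
        { h = $1; sub(/^[^ ]+ +/, "") }
        FILENAME == ARGV[1] { base[$0] = h; next }
        { seen[$0] = 1
          if (!($0 in base))      print "NEW " $0
          else if (base[$0] != h) print "CHANGED " $0 }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Check directory $1 against baseline file $2.
# Returns 0 = unchanged, 1 = differences printed, 2 = baseline missing.
check_site() {
    [ -f "$2" ] || { echo "no baseline at $2" >&2; return 2; }
    cur=$(mktemp) || return 2
    build_manifest "$1" > "$cur"
    report=$(compare_manifests "$2" "$cur")
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Command line: "init DIR BASELINE" records the known-good state,
# "check DIR BASELINE" reports anything that differs from it.
case "${1:-}" in
    init)  build_manifest "$2" > "$3" ;;
    check) check_site "$2" "$3" ;;
esac
```

When `check` is run from cron, cron itself mails any output to the crontab's `MAILTO` address, so a clean run stays silent. Keep the baseline file outside the web root so it is not hashed along with the site and is harder to alter for an intruder who can only write to the web directory.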