Monitoring against Website Exploits

Installing ready-made web applications on your server is easy, and gets you up and running quickly. It also means you’re running the same code as thousands of other web servers, which presents a juicy target to malicious hackers; find one exploit and you have access to all those machines!

Several times now, my server has been broken into by some automated exploit, through versions of Gallery and DokuWiki that were a little out of date (mea culpa, but they were used infrequently). Each time, the exploit script modified my .htaccess or PHP files to redirect visitors to some dodgy gambling site or to a site that attacked the visitor's browser.

The first option would be to stop an exploit from being able to modify any of these files at all. Unfortunately the hosting provider runs PHP under my own user account, so an exploited script runs with the same rights I have and can write to any file I own, including the web application's own files; I couldn't find a way to prevent that. Read-only permissions are no barrier either: these exploits seem to know how to use chmod, and since they run as the owner they can simply make the files writable again.

A second option is to monitor for any changed files. Until now I was only finding out about these attacks when Google added my site to its 'naughty' list, which is far too late.

It’s very simple:
find /home/mrtrick \( -name ".htaccess" -o -name "*.php" \) -a -mmin -10 -printf "%t %p\n" | mail -e -s "Mindbleach files modified" xxxxxx@xxxxx.com
Cron runs this every 10 minutes. The -mmin -10 test matches any .htaccess or *.php file modified within the last ten minutes, i.e. since the previous run, and -printf lists each one's modification time and path; the list is mailed to me. The '-e' option means I don't receive blank messages when nothing has changed.

Works well! I get an email listing legitimate changes every time I upgrade software, and if a file is modified at any other time I’ll see it immediately.
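As an added example (not the post's own command), here is a cron-driven variant that compares content hashes of the watched files against a saved baseline instead of relying on modification times. It also catches a file that was rewritten and then touched back to its old timestamp, and a change that lands exactly on the boundary between two cron runs. WEBROOT, BASELINE and the crontab line are assumed placeholders; it needs a POSIX shell, awk and sha256sum from coreutils.

```shell
#!/bin/sh
# Added example, not the post's own command: a cron-driven integrity check that
# compares content hashes of .htaccess and *.php files against a saved baseline.
# Unlike "find -mmin", it catches a file rewritten and then touched back to its
# old timestamp, and a change that lands exactly on the boundary between runs.
# WEBROOT and BASELINE are assumed placeholders; needs sha256sum (coreutils).
WEBROOT="${WEBROOT:-/home/mrtrick}"
BASELINE="${BASELINE:-$HOME/.webfiles.sha256}"

# snapshot DIR: one "hash  path" line per watched file, sorted by path.
snapshot() {
    find "$1" \( -name ".htaccess" -o -name "*.php" \) -type f \
        -exec sha256sum {} + | sort -k 2
}

# compare BASELINE CURRENT: print ADDED/MODIFIED/REMOVED lines for every
# difference; exit 0 when the trees are identical, 1 when anything changed.
# The path starts at column 67 (64 hex digits plus two spaces), which keeps
# paths containing spaces intact.
compare() {
    awk 'FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
         { p = substr($0, 67); seen[p] = 1
           if (!(p in base))       { print "ADDED    " p; changed = 1 }
           else if (base[p] != $1) { print "MODIFIED " p; changed = 1 } }
         END { for (p in base) if (!(p in seen)) { print "REMOVED  " p; changed = 1 }
               exit (changed ? 1 : 0) }' "$1" "$2"
}

# check DIR BASELINE: report what changed since the baseline was recorded.
check() {
    cur=$(mktemp)
    snapshot "$1" > "$cur"
    compare "$2" "$cur"; rc=$?
    rm -f "$cur"
    return "$rc"
}

# rebaseline DIR BASELINE: record the current state, e.g. right after a
# legitimate upgrade, so the next check only reports changes made since then.
rebaseline() { snapshot "$1" > "$2"; }

# From cron every 10 minutes, piping into the same mail command as above
# (assumed crontab line; run "rebaseline" once before the first "check"):
#   */10 * * * * /path/to/webwatch.sh check | mail -e -s "files modified" you@example.com
case "${1:-}" in
    check)      check "$WEBROOT" "$BASELINE" ;;
    rebaseline) rebaseline "$WEBROOT" "$BASELINE" ;;
esac
```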

If the incrond daemon were installed on the server it would be an even better option: it watches for file events through inotify instead of polling, so it can react the moment a watched file is written rather than up to ten minutes later.