Website scanners (was d@mn scammers/hackers)

From: David White 
------------------------------------------------------
To fork the thread, does anyone know of any services you can use, and/or
scripts you can run, to check the public-facing code of sites and
ensure there's nothing malicious?

On the internal side of things, I wonder if it would just make sense
to periodically run an MD5 checksum via cron on each web directory on
the server(s) and compare that with the good hash (stored externally,
off the server, of course).

Sent from my iPhone

On Oct 17, 2012, at 10:08 PM, Mike Harrison  wrote:

>
> The little Linode slice that hosts chugalug.org
> and a handful of other sites had a Joomla install brute forced.
> Actually nailed on October 10th, but they did not
> install and abuse things until yesterday.
>
> The Apache logs show many, many thousands of login/password attempts
> on the two Joomla sites on this system, from only two IPs, in rapid succession, and they finally got one. Then they uploaded a new theme, with some extra functionality in the files.
>
> Note: Both IPs were from static IP leasing services. That's a new twist to me... usually they are from another hacked server.
>
> And then they went "Bank of America Customer Phishing".
> This server was only a relay; it's some interesting code.
>
> As many of you are also hosting/using Joomla and other content management systems, you might want to look at your logs. Moving your login/admin
> URLs is the first step; there are many more worth taking.
>
> I'm out of the internet / web hosting / security business and yet, since the beginning of September, I've been involved in 6 compromises, 2 of which, like this one, I was partially responsible for some part of the system.
> The others I was just called in to help clean up afterwards.
>
> My relevant, almost on-topic point is: It seems to me the intensity, focus and volume of hacks, compromises and abuses have seemingly increased significantly.
>
> Be careful out there. I'm putting my uber-paranoid hat on after
> about 10 years of not wearing it (all the time); you should also.
>
> The not so nice people are out to get us all. All of us.
>
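David's cron-and-checksum idea, as an added example that is not a script from this thread: a POSIX shell script that records a SHA-256 manifest of a web directory and later compares the directory against it, reporting added, changed and missing files separately. A plain `sha256sum -c` would only report the first two; the added files (an uploaded theme, a dropped web shell) are exactly what the Joomla compromise above consisted of. The script name, the paths and the cron schedule are assumptions, and the manifest should be copied off the host once built, as David suggests.

```shell
#!/bin/sh
# Added example, not a script from the thread.  Requires GNU coreutils sha256sum.
# Usage: webcheck.sh build DIR MANIFEST    record a SHA-256 baseline of DIR
#        webcheck.sh verify DIR MANIFEST   compare DIR against that baseline
set -u

# Hash every regular file under DIR.  Paths are relative to DIR and the output
# is sorted so two runs over identical trees produce identical manifests.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

build_baseline() {
    hash_tree "$1" > "$2"
}

# Prints one line per ADDED, CHANGED or MISSING file and returns 1 if any were
# found; prints nothing and returns 0 when the tree matches the baseline.
# Assumes file names contain no whitespace (awk splits the manifest on it).
verify_baseline() {
    dir=$1; manifest=$2
    current=$(mktemp) || return 2
    hash_tree "$dir" > "$current"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }      # first file: baseline
        !($2 in base)       { print "ADDED   " $2; next } # second file: live tree
        base[$2] != $1      { print "CHANGED " $2 }
                            { delete base[$2] }
        END { for (p in base) print "MISSING " p }
    ' "$manifest" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

case "${1:-}" in
    build)  build_baseline "$2" "$3" ;;
    verify) verify_baseline "$2" "$3" ;;
esac
```

A cron entry such as `*/15 * * * * /usr/local/bin/webcheck.sh verify /var/www/example /var/lib/webcheck/example.sha256 || mail -s "web tree changed" you@example.org` (illustrative) turns this into the alert David describes. Two caveats a practitioner will want: the script and the manifest must live where the web server's user cannot write (a root-only path, or off the box entirely), because an attacker who has already gained code execution as that user will otherwise edit the baseline along with the site; and any on-host check is moot once root is lost, which is the argument for the off-server copy.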

===============================================================
From: Stephen Haywood
------------------------------------------------------
Running an MD5 or SHA1 sum every day would help. Tripwire did that. There may be some other tools as well. Make a backup while you're at it and push it to a safe place.

As for scanning a site for compromises, I don't know of anyone doing that.

Stephen Haywood
Information Security Consultant
W: www.averagesecurityguy.info
T: @averagesecguy

===============================================================
From: Alan
------------------------------------------------------
Speaking on the internal side of things, I wrote a script a while back to diff the deployed site's files against the latest release in git. If there was a difference, I sent myself an email.

This all came about when I had helped someone set up a ZenCart site that was brute forced and used for phishing some London bank. Later, I discovered that ZenCart was and always had been riddled with these easy exploits, so I got out of that business.

In retrospect, I think the 2 biggest risk factors were: shared hosting through a popular host (known IP blocks), and using older CMS versions.

YMMV.

-Alan
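Alan's approach of diffing the deployed tree against the git release, as an added example (this is not Alan's script, which is not reproduced in the thread): a shell function that points `git status` at the document root as its work tree. Tracked files that were edited in place show as ` M`, removed ones as ` D`, and anything present in the document root but absent from the release shows as `??`. It assumes git is installed on the host and that the release repository is a normal clone whose checkout matches what was deployed; the paths are illustrative.

```shell
#!/bin/sh
# Added example, not Alan's script.  Requires git.
# Usage: drift.sh REPO DEPLOY_DIR
set -u

# deployed_drift REPO DEPLOY_DIR
# Compares DEPLOY_DIR with the release recorded in REPO's index (HEAD, for a
# clean checkout).  --untracked-files=all lists every stray file individually
# rather than collapsing new directories, so an uploaded theme directory is
# reported file by file.  Returns 1 if anything differs, 0 if nothing does.
deployed_drift() {
    repo=$1; deploy=$2
    out=$(git --git-dir="$repo/.git" --work-tree="$deploy" \
              status --porcelain --untracked-files=all) || return 2
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

if [ $# -eq 2 ]; then
    deployed_drift "$1" "$2"
fi
```

Pair it with cron and `mail` as in Alan's description: `deployed_drift /srv/releases/site /var/www/site || mail -s "site drift" you@example.org` (illustrative). Three things to know before relying on it: paths matched by the repository's `.gitignore` are not listed, so keep that file empty for a release repo or add `--ignored` and accept the noise from upload directories; `core.fileMode` is honoured, so a permission change on a tracked file will also show as ` M`; and `git status` refreshes the index's stat cache, which is harmless but means the repository must be readable and writable by the cron user while staying unwritable by the web server's user.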

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tripwire? ossec?

Regards,

dtb

- --
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlB/e08ACgkQABP1RO+tr2RR5gCgiGxILJVoii477BRYGBQhoX0K
n2oAn3vbisLm30UUMMgZLG/TuvXkFxdc
=mhZx
-----END PGP SIGNATURE-----

===============================================================
From: Sean Brewer
------------------------------------------------------
I use Sucuri for the public-facing side: http://sitecheck.sucuri.net/scanner/

===============================================================
From: Lynn Dixon
------------------------------------------------------
Somehow I didn't get the original thread but I got this fork.

I have noticed a huge increase in brute force attempts on my co-located server. They have been hitting SSH and Exim. I am running CSF / LFD on recommendation from Randy and love it, but the attackers appear to be hitting from a huge range of IPs and only a few hits at a time, and then they move to a different IP and attack again.

I have not been hacked, but I don't like all this "negative" brute force traffic.
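Two log checks for the patterns described in this thread, as an added example that is not code from any of the posters: the first counts Joomla administrator login POSTs per client address in an Apache combined-format log, which is how the two-IP flood Mike mentions shows up; the second summarises sshd "Failed password" lines by total, distinct source addresses, busiest single address and target user, because the pattern Lynn describes (a few tries per address, then a new address) never trips a per-IP ban threshold and is only visible in the aggregate. The log formats are the stock Apache combined and Debian-style auth.log layouts, the sample lines are constructed using RFC 5737 documentation addresses, and the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread.  Run with "demo" to see it on the
# constructed sample logs, or: bruteforce.sh access ACCESS_LOG [THRESHOLD]
#                                bruteforce.sh ssh AUTH_LOG
set -u

# joomla_login_floods ACCESS_LOG THRESHOLD
# Apache combined format: $1 is the client, $6 is the quoted method, $7 the
# request path.  Prints "count ip" for every address with THRESHOLD or more
# POSTs to the Joomla administrator login, busiest first.
joomla_login_floods() {
    awk -v t="$2" '
        $6 == "\"POST" && $7 ~ /^\/administrator\/index\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$1" | sort -rn
}

# ssh_failure_summary AUTH_LOG
# "Failed password for USER from IP" or "... for invalid user USER from IP".
# The aggregate numbers are the point: with a per-IP limit of, say, 5 and
# max_per_ip of 1, nothing would ever have been banned.
ssh_failure_summary() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            total++; byip[ip]++; byuser[user]++
        }
        END {
            max = 0
            for (ip in byip) { distinct++; if (byip[ip] > max) max = byip[ip] }
            print "total " total + 0
            print "distinct_ips " distinct + 0
            print "max_per_ip " max
            for (u in byuser) print "user " u " " byuser[u]
        }
    ' "$1"
}

# Constructed sample data (not real logs): one address hammering the Joomla
# login, a second trying twice, an unrelated GET.
sample_access_log() {
    cat <<'EOF'
192.0.2.10 - - [17/Oct/2012:21:55:01 -0400] "POST /administrator/index.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Oct/2012:21:55:01 -0400] "POST /administrator/index.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Oct/2012:21:55:02 -0400] "POST /administrator/index.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Oct/2012:21:55:02 -0400] "POST /administrator/index.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Oct/2012:21:55:03 -0400] "POST /administrator/index.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Oct/2012:21:55:03 -0400] "POST /administrator/index.php HTTP/1.1" 303 312 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Oct/2012:21:56:10 -0400] "POST /administrator/index.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Oct/2012:21:58:41 -0400] "POST /administrator/index.php HTTP/1.1" 303 312 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Oct/2012:22:00:00 -0400] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
EOF
}

# Constructed sample data: six failures from six different addresses, one
# attempt each, the distributed pattern Lynn describes.
sample_auth_log() {
    cat <<'EOF'
Oct 17 22:01:03 web1 sshd[4021]: Failed password for root from 203.0.113.5 port 4422 ssh2
Oct 17 22:03:17 web1 sshd[4033]: Failed password for root from 203.0.113.77 port 51022 ssh2
Oct 17 22:05:44 web1 sshd[4049]: Failed password for invalid user admin from 198.51.100.7 port 5001 ssh2
Oct 17 22:08:02 web1 sshd[4060]: Failed password for root from 192.0.2.33 port 40110 ssh2
Oct 17 22:10:29 web1 sshd[4072]: Failed password for invalid user admin from 192.0.2.120 port 2222 ssh2
Oct 17 22:12:55 web1 sshd[4088]: Failed password for root from 203.0.113.199 port 3390 ssh2
Oct 17 22:13:00 web1 sshd[4090]: Accepted publickey for deploy from 192.0.2.2 port 50000 ssh2
EOF
}

case "${1:-}" in
    access) joomla_login_floods "$2" "${3:-5}" ;;
    ssh)    ssh_failure_summary "$2" ;;
    demo)   tmp=$(mktemp -d)
            sample_access_log > "$tmp/access.log"; sample_auth_log > "$tmp/auth.log"
            joomla_login_floods "$tmp/access.log" 5
            ssh_failure_summary "$tmp/auth.log"
            rm -rf "$tmp" ;;
esac
```

The useful follow-on for Lynn's case is to alert on `total` and `distinct_ips` per hour rather than on any single address, and on the per-user counts (a campaign against `root` from many addresses is still one campaign), which is the kind of bash augmentation of CSF that David mentions later in the thread.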

===============================================================
From: David White
------------------------------------------------------
I use CSF (CLI version, as I refuse to touch cPanel) and also love it. Some may call this a bit paranoid, but I even ban IP addresses (temporarily) on a certain port scan threshold. It also alerts me when system file hashes have changed. It doesn't do anything for the actual websites though.

Sent from my iPhone

===============================================================
From: David White
------------------------------------------------------
I follow those guys on Twitter. They seem like a good group of people.

===============================================================
From: David White
------------------------------------------------------
Someone else responded to me directly (not sure if it was intentional or not to leave the group out), but I responded to that email through my iPhone thinking I was emailing the group with this (may not add much value to the conversation, but FWIW). The email to me basically said that the guy wrote some bash scripts to run a checksum on system files every 15 minutes, and sent out alerts if things changed. My 1 bit of "useful" information in this response basically just says CSF does the same thing, although I think writing bash scripts to augment CSF isn't a bad idea:

> Thanks, {name removed}, and all the others who responded. This must be a hot topic. Though I graduated a few years ago without any CS classes, I'm actually taking an IT security class at my alma mater, Covenant, and am absolutely loving it. Used Wireshark for a lab a couple weeks ago, and then just two days ago, found I needed it + tcpdump at my job, and was able to resolve my issue quickly after that! May be going for my CISSP at some point in the near-ish future...
>
> Anyway, as I mentioned in my last reply, CSF basically does the same thing for me in terms of system files, but writing my own scripts to augment CSF wouldn't be a bad idea.

===============================================================
From: Rod-Lists
------------------------------------------------------
Just found this: http://mollom.com/how-mollom-works. It's more of a screening of your incoming posts. Might be useful.