Detect files modified by a hacker on your server


Unusual files appearing on your server? Wondering how to find PHP or ASP files that were added or modified without your knowledge? Here I show you a simple trick to detect this kind of intrusion.

Given that a website easily contains hundreds of files spread over dozens of folders, going through every file on the site and reading hundreds of lines of code per file to spot injected code is downright impossible.

So how do you monitor, in a structured way, that a given file has not been modified on your server?

This is where the tool I want to present comes in: AIDE (Advanced Intrusion Detection Environment).

This software monitors the integrity of a system by comparing every file against a database created beforehand.

The principle of AIDE is simple: build a signature database of all the files on your server. AIDE computes a fingerprint of each file with cryptographic hash functions and stores it in the database together with the file's attributes. Files that change legitimately (after a package upgrade, for example) will show up at the next check; you then rebuild the database with AIDE's update mode so that the baseline stays current. AIDE does not do this by itself, and that is deliberate: if the baseline were refreshed automatically, an intruder's changes would quietly become the new reference.

If the fingerprint or the attributes differ (content, timestamps, permissions, owner, etc.), AIDE reports the modification in its output or report file; with a cron job it can also email the report to the administrator, depending on the configuration you set up.
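To make the principle concrete, here is a small added example (written for this page; it is not code from the article and not AIDE's own code) that does in POSIX shell what AIDE does on a larger scale: it records the permissions, owner and SHA-256 of every file under a directory, then diffs a fresh snapshot against that baseline and reports added, removed and changed files attribute by attribute. It assumes GNU coreutils (stat -c, sha256sum) on a Linux host; the directory tree it builds and the tampering it performs are constructed for the demo.

```shell
#!/bin/sh
# Added example for this page (not from the article, not AIDE's own code):
# a miniature file-integrity checker that mirrors AIDE's principle.
# Assumes GNU coreutils (stat -c, sha256sum) on Linux.

# fim_snapshot DIR OUT: one line per regular file under DIR, tab-separated:
#   path <TAB> octal permissions <TAB> owner <TAB> sha256
# Sorted in the C locale so two snapshots are directly comparable.
fim_snapshot() {
    dir=$1; out=$2
    find "$dir" -type f -print | while IFS= read -r f; do
        printf '%s\t%s\t%s\t%s\n' "$f" \
            "$(stat -c '%a' "$f")" \
            "$(stat -c '%U' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)"
    done | LC_ALL=C sort > "$out"
}

# fim_compare BASELINE CURRENT: report what differs, attribute by attribute,
# the way an AIDE report separates permission, owner and content changes.
fim_compare() {
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $0; next }      # load the baseline
        {
            seen[$1] = 1
            if (!($1 in base)) { print "added: " $1; next }
            split(base[$1], b, "\t")
            if (b[2] != $2) print "changed perms: " $1 " " b[2] " -> " $2
            if (b[3] != $3) print "changed owner: " $1 " " b[3] " -> " $3
            if (b[4] != $4) print "changed sha256: " $1
        }
        END { for (p in base) if (!(p in seen)) print "removed: " p }
    ' "$1" "$2"
}

# fim_demo: constructed scenario. Build a tiny "site", take a baseline
# (the equivalent of aide --init), then edit one file, loosen another file's
# permissions and drop a new file, and run the comparison (aide --check).
fim_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/site"
    printf '<?php echo "hello"; ?>\n' > "$tmp/site/index.php"   # constructed sample
    printf 'static content\n' > "$tmp/site/about.html"          # constructed sample
    chmod 644 "$tmp/site/index.php" "$tmp/site/about.html"
    fim_snapshot "$tmp/site" "$tmp/baseline.db"

    printf '<?php /* tampered */ ?>\n' > "$tmp/site/index.php"  # content changed
    chmod 666 "$tmp/site/about.html"                            # permissions changed
    printf 'dropped by an intruder\n' > "$tmp/site/shell.php"   # new file
    fim_snapshot "$tmp/site" "$tmp/current.db"

    # Strip the temp prefix so the report reads like paths relative to the site.
    fim_compare "$tmp/baseline.db" "$tmp/current.db" | sed "s|$tmp/site/||"
    rm -rf "$tmp"
}

fim_demo
```

Running it prints three lines: the permission change on about.html (644 -> 666), the content change on index.php and the added shell.php. That is the whole idea; AIDE adds more attributes (inode, mtime, link count, several hash algorithms), a proper database format and a report, but the comparison is the same.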

How to install and use AIDE (Linux – Debian)?

1) To install AIDE, type the following command:

# apt-get install aide

2) Next, specify which files and attributes to monitor by editing the aide.conf configuration file.
Example line: /sbin p+u+md5
With this line, AIDE checks the permissions (p), the owner (u) and the MD5 sum of every file under the /sbin tree.
MD5 computes a hash of each file: change even a single bit and the hash comes out completely different. Bear in mind, though, that MD5 is no longer collision-resistant; AIDE also supports sha256 and sha512, which are the better choice for a new setup.
To locate your configuration file, use the find command:

find / -name aide.conf

3) Then create the database that will hold the file fingerprints, by running AIDE in initialisation mode (aide --init; on Debian the aideinit helper wraps this step and installs the resulting database). This step can take a good ten minutes.
Our database is now created. Since the nasty hacker can modify this database too, I recommend keeping a copy on a USB stick or other read-only medium, so that you always have a trustworthy reference to compare against.
Practical case:
Finally, to test our setup, run the following command to check the integrity of the files listed in the configuration file:

# aide --check

If your configuration file is located somewhere else, you can specify it like this:

# aide --check -c /etc/aide/aide.conf

And there, as if by magic, it lists the files that have been modified! 🙂
We can therefore see that AIDE has detected the changes that have taken place. Of course, you can automate these checks with cron and even be notified by email. For email, a mail transfer agent such as sendmail must be installed and running on the machine:

# apt-get install sendmail
# /etc/init.d/sendmail start
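Putting steps 1 to 3, the check and the cron/email part together, here is an added example (written for this page, not code from the article or from the AIDE project) of a complete AIDE setup on Debian as shell functions. The monitored paths, the cron script name and the USB mount point are assumptions for illustration; the exit-code meanings come from AIDE's own documentation (0 no changes, otherwise a bitmask of 1 new files, 2 removed files, 4 changed files, and 14 or above for errors). The bootstrap and cron functions need root and a working mail command on the server; the two helpers that generate the rule set and decode the exit status run anywhere.

```shell
#!/bin/sh
# Added example for this page (not from the article, not AIDE project code):
# the whole AIDE workflow on Debian as shell functions. Monitored paths, the
# cron script name and the USB mount point are assumptions for illustration.

# aide_conf_snippet: rules to append to /etc/aide/aide.conf. Each line is
# "path attributes": p=permissions, u=owner, g=group, sha256=content hash.
# MD5 is deliberately not used: it is no longer collision-resistant.
aide_conf_snippet() {
    cat <<'EOF'
# --- rules added for this server (assumed paths) ---
# Web root: catch dropped or edited PHP/ASP files, new ones included.
/var/www/html p+u+g+sha256
# A cache directory the application rewrites all the time would only produce
# noise, so exclude it (a leading ! makes a negative rule; it is a regex).
!/var/www/html/cache
# System binaries, plus AIDE's own binary and config: classic rootkit targets.
/sbin p+u+g+sha256
/usr/sbin p+u+g+sha256
/usr/bin/aide p+u+g+sha256
/etc/aide p+u+g+sha256
# Log files change legitimately; only watch their ownership and permissions.
/var/log p+u+g
EOF
}

# aide_exit_summary RC: decode the exit status of aide --check. 0 means no
# changes; otherwise a bitmask: 1 new files, 2 removed files, 4 changed files.
# 14 and above signal an error (bad config, I/O error), not a finding.
aide_exit_summary() {
    rc=$1
    if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "error (exit $rc)"; return 1; fi
    out=""
    [ $((rc & 1)) -ne 0 ] && out="${out}new files; "
    [ $((rc & 2)) -ne 0 ] && out="${out}removed files; "
    [ $((rc & 4)) -ne 0 ] && out="${out}changed files; "
    echo "${out%; }"
}

# aide_bootstrap: steps 1-3 of the article on a fresh Debian host (run as root).
# On Debian the aideinit helper from aide-common wraps the --init step.
aide_bootstrap() {
    apt-get install -y aide                             # 1) install
    aide_conf_snippet >> /etc/aide/aide.conf            # 2) what to monitor
    aide --init -c /etc/aide/aide.conf                  # 3) baseline (slow)
    # --init writes a new database (aide.db.new on Debian); it only becomes
    # the reference once copied to the database path the config points at.
    cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
    # Keep a read-only copy off the machine: an intruder who gains root can
    # simply re-baseline the local database. /media/usb is an assumed mount.
    cp /var/lib/aide/aide.db "/media/usb/aide.db.$(date +%F)"
}

# aide_cron_check: daily check; mail the report only when something was found.
# Call it from /etc/cron.daily/aide-check (assumed name). Needs a working MTA
# such as sendmail plus the mail(1) command (bsd-mailx or mailutils).
aide_cron_check() {
    report=$(aide --check -c /etc/aide/aide.conf 2>&1)
    rc=$?
    summary=$(aide_exit_summary "$rc")
    [ "$rc" -eq 0 ] && return 0
    printf 'AIDE result: %s\n\n%s\n' "$summary" "$report" \
        | mail -s "AIDE on $(hostname): $summary" root
}

# aide_accept_changes: after a legitimate change (package upgrade, deploy),
# rebuild the baseline so the next check starts from the new known-good state.
# Only do this after reading the report: accepting blindly would also accept
# an intruder's modifications.
aide_accept_changes() {
    aide --update -c /etc/aide/aide.conf
    cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
}
```

Two points worth keeping in mind when adapting this: the exclusion list is what keeps the daily mail readable (caches, session directories and log files will otherwise drown the one PHP file that matters), and the off-box copy of aide.db is the only thing that makes the check meaningful once an attacker has root, since at that point the local database, the binary and the cron job are all under their control.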