Unusual files appear on your server? Wondering how to find PHP or ASP files added or modified without your knowledge? Here I show you a simple trick to discover this kind of intrusion.
Knowing that a website contains more than hundreds of files stored in dozens of folders, browsing all the files on the site and reading the hundreds of lines of code / file to detect any new code is downright impossible.
However, how do you manage to monitor in a structured way that such and such a file has not been modified on your server?
This is where I will present the tool to you: HELP (Advanced Intrusion Detection Environment).
This software makes it possible to monitor the integrity of a system by comparing all the files with a database of previously created files.
The principle of HELP is simple. This involves building a sort of signature database of all the files on your server. Help will create a database of signatures using cryptographic fingerprinting algorithms for files. Periodically, AIDE will recalculate the fingerprints of files which may change regularly in order to have a constantly updated database of signatures.
If the fingerprints are different (in terms of the file, its date, its access rights, ...), the software will detect a modification of files and notify the administrator by email or by log file depending on the configuration that you have set up.
How to install and use AIDE (Linux - Debian)?
1) To install HELP, type the following command:
2) We will then specify which files and elements to monitor by editing the aid.conf configuration file.
Example for the line: / sbin p + u + md5
With this line, AIDE will check the rights (p), the owner (u) and the Md5 sum of the files in the / sbin tree.
The MD5 allows you to calculate a hash on your files. If these files are changed even by a bit, the hash will become completely different.
To find your configuration file, you can use the find command as follows:
3) Then, you have to create the given database which will contain the fingerprints of the files. This step may take a good ten minutes.
Our database is now created. As the database can also be modified by the nasty hacker, I recommend that you put this database on a USB stick.
Practical case :
Finally to test our script, we run the following command to check the integrity of the files indicated in the configuration files:
If your configuration file is located somewhere else, you can specify it like this:
And there, as if by magic, it lists the files that have been modified! 🙂
So we can see that AIDE has detected the changes that have taken place. Of course, it is possible to automate these actions thanks to CRON and even to be notified by email. For emails, it is necessary to start the sendmail daemon and install it if it is not present on the machine:
# /etc/init.d/
# sendmail start