
This is a discussion on Software to monitor file changes? in the VPS & Dedicated forum

  1. #1
    JPC Member Bianca007's Avatar
    Join Date
    Sep 2007
    Posts
    31

    Software to monitor file changes?

    Hello,
    I moved my site to a hybrid VPS about 2 weeks ago and since then, I have had my site exploited twice. Google blocked my site a couple of days ago because it was distributing malware. I cleaned up the files that were changed, changed all passwords, and upgraded my open source forum, only to have it happen again two days later.

    I'm not entirely sure how they are doing this and until I can figure it out, I was wondering if there was any software out there that can monitor files on my server for changes??

    If you know of anything that can help with monitoring the server or finding the problem, your advice would be greatly appreciated.

    Thanks

  2. #2
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    Oh, that's terrible!

    I don't know of a product that is task specific, but if you use WinSCP's file sync functionality to mirror your site to your PC, whenever you tell it to sync you will be given the opportunity to see what files have changed. Be sure to tell WinSCP to show you changes before performing the sync.
    Good luck

  3. #3
    JPC Member Bianca007's Avatar
    Join Date
    Sep 2007
    Posts
    31
    Well... from the time I made my first post to now, it has happened again. They have changed my homepage several times now and I still have no idea how they are doing it.

    Hi Ron,
    thanks for your tip. I'm actually using WinSCP (just switched from smartFTP). I'm going to look into the file sync... I just started using it so I don't know much about the program yet.

    I did notice when using WinSCP that the "changed" date never matches the date that I actually changed the file. For example, after I changed my file this morning, the change date was March 13 which is very off. After changing it minutes ago, it says the change date is March 28 instead of April 1. Isn't that odd? Will the sync feature be any good if the dates are not right?
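
Added example, not part of any post in this thread: a baseline of SHA-256 hashes reports changed files even when modification dates are wrong or have been reset, which is the case a date-based comparison can miss. The function names and the demo tree are assumptions made for the illustration (GNU find, sort, xargs and touch are assumed).

```shell
#!/usr/bin/env bash
# Added example: detect changed files by content hash, not by date.
# Function names and the demo tree are constructed for illustration.

# make_baseline DIR MANIFEST: write "sha256  ./path" for each file in DIR.
# Keep MANIFEST outside DIR, ideally off the server.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z |
        xargs -0 -r sha256sum ) > "$2"
}

# check_baseline DIR MANIFEST: print ADDED/CHANGED/REMOVED lines;
# returns 0 when nothing differs, 1 otherwise.
check_baseline() {
    local current report
    current=$(mktemp) || return 2
    make_baseline "$1" "$current"
    report=$(awk '
        { hash = $1; path = substr($0, length($1) + 3) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        { seen[path] = 1 }
        !(path in old)    { print "ADDED   " path; next }
        old[path] != hash { print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: constructed web root. index.html is edited and its modification
# time reset, so a date comparison would show nothing.
demo() {
    local root manifest rc=0
    root=$(mktemp -d) && manifest=$(mktemp) || return 2
    mkdir "$root/forum"
    echo '<h1>home</h1>' > "$root/index.html"
    echo '<?php // forum' > "$root/forum/index.php"
    touch -d '2020-01-01 00:00:00' "$root/index.html"
    make_baseline "$root" "$manifest"
    echo '<h1>home</h1><!-- injected -->' > "$root/index.html"
    touch -d '2020-01-01 00:00:00' "$root/index.html"
    echo 'unexpected' > "$root/forum/unknown.php"
    rm "$root/forum/index.php"
    check_baseline "$root" "$manifest" || rc=$?
    rm -rf "$root" "$manifest"
    return "$rc"
}
```

Take the baseline right after restoring known-clean files, then run `check_baseline` on a schedule and review anything it prints.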

  4. #4
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,158
    Yes, there is a nice tool for this I use on my VPS: http://www.configserver.com/cp/csf.html

    # Suspicious file reporting - reports potential exploit files in /tmp and similar directories
    # Directory and file watching - reports if a watched directory or a file changes

    It does much, much more. Security audits for one.

    Best thing is - it is supported and free! In the spirit of the ad free internet - which it still should be - right Ron - haha

  5. #5
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    free heh heh heh

    Did you ever ask for a spiritual opinion on it or bounce it around the campfire? I'd be interested in the perspective.
    Good luck

  6. #6
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,158
    What are you asking me Ron?

    Bianca007 where you be - the above software is what you are looking for.

  7. #7
    JPC Member Bianca007's Avatar
    Join Date
    Sep 2007
    Posts
    31
    Thank you for that link Frank! That is right along the lines of what I was looking for.

    I'm going to go download it and see what it's about

  8. #8
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Bianca,

    If you are being hacked that quickly and that often, I suspect that something is up with your account. The things that first come to mind:

    * You have a weak root (or other account) password that is continually being breached.
    * You are running a piece of software (blog, CMS, forum, etc.) that contains a vulnerability that is being exploited.
    * There is a root kit or some other kind of malware running on your system that you haven't cleaned off, so it keeps doing its thing.

    I would strongly recommend reading the Securing and Optimizing Your Server thread if you haven't already. There is a lot of good info in there.

    Some of the first things I would do are:
    * Set your root password to a very strong, completely random value. Keep this stored away somewhere safe. While you're at it, you may want to do the same for your other passwords, but root is most important. I use KeePass Password Safe to do this, but there are many different tools available.
    * Check the web software that you run to ensure you're running latest versions of everything. Be sure to check not only the base installs, but also check for updates to any plugins or add-ins you may have installed.
    * Run the latest version of the rootkit checker referenced in Jag's first post in the thread above to find any hidden nastiness. Be sure to investigate whatever it finds before you delete anything, as it could return some false positives (we'll be happy to help, of course).
    * Block direct root logins from SSH (see the thread). That way someone will have to figure out both a non-root password and your root password in order to get root.

    I've never used Frank's recommended CSF software, so I didn't include it in my suggestions, but it looks like it could be very helpful and I'll be checking it out for my own use (thanks, Frank!).

    The thread I referenced has a lot of other helpful tools as well and I could probably make more suggestions if I thought about them for a while longer. What I've included should help you get things locked down, but by no means is meant to be an exhaustive list of what you can or should do. Welcome to the wonderful world of being a sys admin.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
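
Added example, not part of any post in this thread: a check for the "block direct root logins from SSH" step, showing which `PermitRootLogin` value applies globally in an sshd_config file. The function names and sample files are constructed for the illustration; it assumes plain "Keyword value" lines and no Include directives.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find the PermitRootLogin value that
# applies globally in an sshd_config file. Assumes "Keyword value" syntax
# and no Include directives.

# sshd keeps the FIRST value it reads for a keyword, so a
# "PermitRootLogin no" appended below an earlier "yes" changes nothing.
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # conditional blocks start here
        tolower($1) == "permitrootlogin" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }        # built-in default applies
    ' "$1"
}

# root_login_blocked FILE: succeeds only when direct root login is refused
# outright. "prohibit-password" still lets root in with a key.
root_login_blocked() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample files, written to the directory given as $1.
write_samples() {
    local dir=$1
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
        'PermitRootLogin no' > "$dir/appended.conf"
    printf '%s\n' 'Port 22' 'permitrootlogin No' > "$dir/blocked.conf"
    printf '%s\n' 'Port 22' 'Match User backup' \
        '    PermitRootLogin no' > "$dir/match_only.conf"
}
```

On a live server, `sshd -T` prints the configuration the daemon actually resolves, including defaults, and is the authoritative check.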

  9. #9
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,158
    You are welcome Bianca - good luck.

    Jason, it is an excellent tool. Blocks an IP address when someone tries to brute force your site - you set the amount of attempts. It is easy to use - it auto updates. The author is an expert with helping people and made a very user friendly firewall plus way more tool! The security audit is a valuable tool. I like it way better than the "other" sometimes supported nonuser friendly firewall.

    Yes Jason, the wonderful world of being a sys admin. I cannot imagine the aggravation JPS puts up with trying to keep JPC up and running for all of us. We have one (or 2 or 3) system - they have thousands.

  10. #10
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Frank,

    I'm sure it's a great tool. I've spent some time looking at the site and like what I see, but unfortunately I don't have the time to set up a system to test it on at the moment. I've been writing an app for work that is consuming all of my time right now--hopefully throwing a good part of this snowy, windy, Western NY day at it will get it finished up so that testing can start on Monday. Then I'll have some time to play again.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  11. #11
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,158
    Indeed windy here. My flagpole gave way yesterday and is bent at a right angle right now haha. Time for a new one.

    Setup is easy and quick. Tweaking can be done afterward. There are multiple "levels" of security settings you can pick.

    Good luck with your project.
