Hack radar – Quick Tricks for Detecting Website Hacks

As is the case for developers the world over, my work requires me to wear all sorts of technical hats from day to day. Fairly frequently for me this includes a big-ass ‘server maintenance and security’ sombrero. Many who manage hosting for a sizable client base on SLAs may find that they need a quick way to periodically test the health of their websites, checking for security alarm bells. To this end, I have developed a ‘hack radar’: a small set of tools and checks I can deploy to quickly determine whether a site has been hacked or tampered with and needs the attention of my sombrero-ensconced brain.

Following a visual check of the website, my ‘hack radar’ tools include:

1. Git Status.

Assuming your site is in source control (which ideally it should be), a quick git status is the easiest way to see if anything has been modified. It will even list out the changes for you so you can decide whether you should be worried about them or not. Git Status is definitely top of my hack radar list of tools.

[Image: git status output]

2. Scrutiny.

Scrutiny is a tool designed primarily for SEO and site mapping. I have found another use for it. Given that Scrutiny quickly finds and checks all internal links and pages on a remote URL, it’s great for quickly tracking down any suspicious 500 errors or new 404s you were not expecting. New 500s or 404s could be indicators of ‘hacked’ code, so you should look out for them. It also doubles up as a ferret for more general problems during development, a regression testing tool and, of course, an SEO site mapping tool.

[Image: Scrutiny for Mac reporting 500 errors]

3. New Relic.

New Relic has some nice tools for quickly getting an overview of how your servers and applications are running. As with Scrutiny, giving the New Relic error log tools a once-over will quickly raise alarms if suspicious errors are being raised on one of your websites. Spikes in file response times can also help pinpoint entry points for attacks such as DoS. This has helped me track down attacks aimed at exploiting the WordPress XML-RPC PHP file in the past.

[Image: New Relic error overview]

4. Base64 Detection.

‘Hackers’ often like to think they have outwitted us discerning developers by Base64 encoding their malicious code injections and eval-ing them at runtime (as if their code won’t get deleted just because it’s hard to read). This is especially true of hacks targeting the popular open source CMS platform Joomla (and similar others). Luckily this gives my hack radar another easy detection mechanism, one which can cover an entire server at once. Check out these helpful commands from Zach Young, which can be used to quickly round up Base64 strings into a list for you to review:

https://gist.github.com/zyoung/731099

    # For every PHP file under the current directory, write the matching lines
    # followed by the file's path into a report (&> is a bash redirection of
    # stdout and stderr together).
    find . -name "*.php" -exec grep "base64" '{}' \; -print &> b64-detections.txt
    find . -name "*.php" -exec grep "eval" '{}' \; -print &> eval-detections.txt

How do you check for and defend against hacks? Let me know in the comments or get in touch on Twitter.
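The four checks above, wrapped into one script that can be run from cron over many site roots. This is an added example; it is not code from the original post, from Zach Young's gist, or from Scrutiny or New Relic. It assumes each site root is a git checkout, that a site may carry a constructed urls.txt listing pages to sweep, that curl is available for the HTTP sweep, and that a state directory (RADAR_STATE, default ~/.hack-radar) is writable; the regex of suspicious PHP constructs is a heuristic of my own choosing and, like the gist's grep, produces a list for review rather than a verdict.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the tools it names.
# Site paths, urls.txt, the state directory and the pattern list are assumptions.

# 1. Git Status: one line per modified or untracked file, nothing if clean.
# --porcelain is stable, script-friendly output; -uall lists every untracked file.
git_radar() {
    git -C "$1" status --porcelain -uall
}

# 2./3. Unexpected 404s and 500s: fetch an HTTP status per URL (needs curl and
# network), then diff against a saved baseline so only new errors are reported.
fetch_status() {            # reads URLs on stdin, writes "CODE URL" lines
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 15 "$url" || echo 000)
        printf '%s %s\n' "$code" "$url"
    done
}
new_errors() {              # $1 baseline file, $2 current file
    # keep lines present in current but absent from baseline, error codes only
    grep -vxFf "$1" "$2" | awk '$1 >= 400'
}

# 4. Base64/eval detection: PHP files that decode and evaluate a payload.
# Matching base64_decode(, eval( or gzinflate( rather than the bare word
# "base64" removes most hits from comments and legitimate encoding.
b64_radar() {
    find "$1" -path '*/.git' -prune -o -type f -name '*.php' \
        -exec grep -lE 'base64_decode[[:space:]]*\(|eval[[:space:]]*\(|gzinflate[[:space:]]*\(' {} + \
        | sort
}

# Run every check over each site root given on the command line.
radar_all() {
    state=${RADAR_STATE:-$HOME/.hack-radar}
    mkdir -p "$state"
    for site in "$@"; do
        name=$(basename "$site")
        echo "== $site"
        echo "-- git status"; git_radar "$site"
        if [ -f "$site/urls.txt" ]; then
            echo "-- new HTTP errors"
            fetch_status < "$site/urls.txt" > "$state/$name.current"
            # first run seeds the baseline; later runs report only new errors
            [ -f "$state/$name.baseline" ] || cp "$state/$name.current" "$state/$name.baseline"
            new_errors "$state/$name.baseline" "$state/$name.current"
        fi
        echo "-- base64/eval in PHP"; b64_radar "$site"
    done
}

if [ $# -gt 0 ]; then
    radar_all "$@"
fi
```

Usage: `./hack-radar.sh /var/www/site-a /var/www/site-b`. Any output under the git or base64 headings deserves a look; the HTTP heading stays empty until a page that was healthy at baseline time starts returning 4xx or 5xx, which is the "new 404s you were not expecting" signal without the noise of errors you already knew about.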