SuperScan v2.02 - Website Security
SuperScan v2.02 - Website Security
Quickly Detect and Report Hacked Files via CRON/PHP
SuperScan, previously HashScan, is a set of PHP scripts to provide a warning of changed (edited, added or deleted) files to detect a hacker's nefarious work on your website(s). HashScan simply created a hash of every file within a directory and compared it to the pervious hash values for those files; not very sophisticated.
SuperScan was the result of comments received and code offered by Han Wechgelaer of the Netherlands to extend the usability to include more file comparisons (e.g., last modified date and time) and better summary reporting. Unfortunately, my interpretation of PHP's RecursiveDirectoryIterator and RecursiveIterator Iterator failed to account for my attempt to filter directories (eliminate them from a scan).
SuperScan v2 is a major update for which I consider Jan Bakke of Norway responsible. Jan found and tested my "obvious" iterator error as well as suggested and coded the additional headers for e-mail and performed many tests to validate and optimize the code. His suggestions, testing, coding and comments were invaluable. MANY THANKS to Jan for his efforts which made v2, and its many improvements possible.
SuperScan v2 corrects the errors of SuperScan by inserting lemats' MyRecursiveFilterIterator to handle directory protection and provided a lot of clean-up of the code as well as the output (HTML for testing and text for e-mail; production use).
SuperScan v2.02 corrects an error in the configure script's foreach loops to ensure lowercase file extensions – the $ext variable passed by reference in the loops unintentionally allowed the scanner script to modify the last variable of the array (another great pick-up by Jan Bakke!).
SuperScan v2.01 is a minor update which:
SuperScan v2 UPDATES:
The comments received about directories not being excluded set off a massive set of improvements:
There are many configurable items (all of which are in the configure.php script). You should not have to modify the scanner.php script (unless there is a PHP max_executible_time ERROR) OR reporter.php script.
SuperScan/HashScan Coding Logic
The logic is simple: "Build a database of hashed values for vulnerable files (those which hackers modify to execute code on your server) and compare those values to the actual hashes on a regular basis and report added, changed and deleted files."
Obviously, the code to traverse a server's directory structure and provide hash values is far more complex than the statement above. I have commented the code so I'll avoid the long-winded explanation of the code here.
For security, use a separate database for this which does not share access credentials with any other database. Create the new database and the new user with a strong password (I recommend a 16 character password generated by strongpasswordgenerator.com). Then create two tables, baseline and tested to hold the filename and hash values and the datetime of the last scan. The file CreateTables.sql (updated for SuperScan v2) has the SQL code to create these tables for you.
PATH is the physical path to the start of your scan which is usually the DocumentRoot. Just remember not to use Windows' backslashes because both Apache and PHP will be looking for forward slashes
Note that you can select the file extensions to scan and directories to exclude.
PHP's RecursiveIteratorIterator() function is used to iterate through the PATH directory ($dir).
The script identifies the changed files, i.e., those added, changed or deleted which are used to create arrays to facilitate reporting via echo statements or e-mail.
On the first pass, there will be nothing in the database's baseline table and ALL files will display as Added so don't be alarmed.
Once you've tested SuperScan (or HashScan), don't even consider placing this code in your webspace (under the DocumentRoot) as that will mean that anyone can access your file and delete the saved information to invalidate your hash scans. For simplicity, put it in the same directory of your account which holds public_html (or similar) directory.
Now that you have the code, you need to have it activated on a regular basis. That's where the CRON function of the server excels! Simply create a new CRON job, set the time in the middle of the night when your server should be nearly idle (you don't want to interfere with or delay visitors' activities which also means you should limit yourself to a single scan per day). The CRON.txt files has the CRON code for you to use.
You have created a new database with two tables, one to hold the dates and one to hold the baseline hashes. You have initiated every scan by identifying the file types (by extension) that you need to track and identified the start point (DocumentRoot) for your scan. You've scanned the files avoiding the unwanted directories and compared the hashes against the baseline in the database. Closing the process, you've updated the database tables and either displayed (on a test server) or e-mailed (from the production server) the results. Your CRON job will then activate your hash scan on a regular basis.
This is but one part of securing your website, though, as it will only inform you of changes to the types of files you've specified. Before you get this far, you must ensure that your files are malware free, ensure that no one but you can upload via FTP (by using VERY strong passwords) and keeping "canned apps" up to date (because their patches are closing vulnerabilities found and exploited by hackers and their legions of "script kiddies").
In summary, BE PARANOID! There may be no one out to get you but there arethose "out for kicks" who are looking for easy prey. Your objective is to avoid that classification.
"There's no rest for the wary ... but they don't (often) have to rebuild a server!