Quickly Detect Hacked Files via CRON/PHP: SuperScan
As a Certified Ethical Hacker, I'm fully aware that prevention is the best tactic to prevent hackers but, should one break through, the sooner you know it, the quicker you can act to limit the damage.
A while back, I presented a script called hashscan, designed to track site changes. Executed via a daily CRON, the script reads the files for a specified directory (e.g., an account’s public_html
directory on a server), generates hashes (for files with specific file extensions), and compares them with the previous scan’s hashes stored in a database. It's a great way for site owners to be alerted to files that have been added, altered or deleted by a hacker.
In this article, I'll present an updated version of the script, called SuperScan.
Benefits of SuperScan
The primary benefit is that SuperScan will report any changes to files in an account whether the file change is an addition, alteration or deletion. SuperScan was designed not to overwhelm the webmaster. It only provides a report of changes since the last scan (the default is one hour, but can be configured via CRON) and a summary report (daily by default, although, again, it can be configured via CRON).
Because the scan of a 1500 file account takes ~0.75 seconds, SuperScan can be run frequently without affecting server performance.
To support forensic investigation, the file last modified date and time are held in the database, along with the hash value of the most recent scan (and prior scan for altered files).
The scanner file need not be changed, as all variables are set within a required configure script. It's in the configure script where you can select specific (or ALL) file extensions to be scanned or, if ALL, the file extensions to omit. Additionally, you may specify directories which the scanner will not scan.
While the SuperScan files can be tested within a webspace, I recommend that it be moved outside the webspace for production use via CRON to protect against casual hackers.
Finally, a curious additional benefit is that changes in (extensionless) error_log files are captured and can direct the webmaster’s attention to coding problems that have slipped through the testing procedures.
SuperScan Logic
The logic flow of SuperScan is:
- Read the baseline information about the files in the database
- Scan the system’s files and compute their hashes
- Compare the baseline files against the current files to determine the changed files to generate:
- A list of added files
- A list of altered files and
- A list of deleted files
- Handle each of the changed files lists (update the database)
- Prepare and send a report (if required).
Database, Variables and the Working Arrays
Rather than bore you with the details here, I've inserted comments in all the scripts.
Thus, in short, there are three database tables:
- baseline: this contains the
$file_path
, the file’s hash and the file last modified date and time. I also added the account so multiple accounts could use a single database) - history: this records every detected change—or lack thereof—in each scan.
- scanned: this records scan summary date and time, as well as the number of changes and associated account.
Warning #1:
I can’t stress enough that the $testing
variable set by configure.php
will trigger an immense amount of output, so it must only be used for testing and never during a CRON job!
Warning #2:
Because the path/to/file is used as a key, it must be unique. That means that multiple accounts can never scan the same files.
Warning #3:
In addition, Windows servers will use backslashes, which are immediately changed to slashes, because they cause characters to go missing in the database. Also, use of an apostrophe in a file name will cause problems with database queries.
The working arrays are designed to make use of PHP’s functions, which access the key ($file_path
; this is also the file structure iterator, so never alter $iter‐>key()
).
$baseline
is read before starting the scan, $current
is the result of the scan, and the $added
, $altered
and $deleted
arrays accumulate the changes from the $baseline
and are used to update the $baseline
for the next scan.
Files
The superscan.zip
file contains 7 files:
CreateTables.sql
, which can be used to setup your tablesReadMe.txt
, which provides an overview of the SuperScan scriptscanner.php
, the scanning script that requiresconfigure.php
andscandb.php
(which connects to your MySQL server and returns the$scandb
handle)reporter.php
, which will provide a summary of recent scans via CRONCRON.txt
, which provides sample CRON instructions for bothscanner.php
andreporter.php
Cleanup
The $report
is created as the file changes are detected, and is stored and emailed if not a “negative report.” The summary report is used for the “warm, fuzzy feeling” when you’re not receiving change reports.
During the cleanup, history and scanned tables have records older than 30 days are auto‐purged to prevent unlimited growth of the database, the large arrays are destroyed (reset to empty) and the database is closed.
Summary
I believe that SuperScan is a massive improvement over my prior effort, and is a worthy upgrade. It provides frequent notice of changed files, while “negative reports” won't overwhelm the webmaster with unnecessary “Unchanged” notices.
Download the SuperScan code from GitHub
Acknowledgement
SuperScan was suggested by Han Wechgelaer (NL), who emailed the suggestion that my earlier hashscan script be extended to capture a history of the changes to an account’s files, as well as making more frequent assessments and adding a daily summary.
Han was kind enough to provide a copy of his start on this project and, between us, this evolved into SuperScan. Without Han’s gentle prodding and assistance, SuperScan would never have gotten off the ground and would certainly not be the exceptional tool it is today.
I'd love to know how you find this script, or if you have any questions about it or feedback.