As a Certified Ethical Hacker, I’m fully aware that prevention is the best tactic to prevent hackers but, should one break through, the sooner you know it, the quicker you can act to limit the damage.
A while back, I presented a script called hashscan, designed to track site changes. Executed via a daily CRON, the script reads the files for a specified directory (e.g., an account’s public_html directory on a server), generates hashes (for files with specific file extensions), and compares them with the previous scan’s hashes stored in a database. It’s a great way for site owners to be alerted to files that have been added, altered or deleted by a hacker.
In this article, I’ll present an updated version of the script, called SuperScan.
Benefits of SuperScan
The primary benefit is that SuperScan will report any changes to files in an account whether the file change is an addition, alteration or deletion. SuperScan was designed not to overwhelm the webmaster. It only provides a report of changes since the last scan (the default is one hour, but can be configured via CRON) and a summary report (daily by default, although, again, it can be configured via CRON).
Because the scan of a 1500 file account takes ~0.75 seconds, SuperScan can be run frequently without affecting server performance.
To support forensic investigation, the file last modified date and time are held in the database, along with the hash value of the most recent scan (and prior scan for altered files).
The scanner file need not be changed, as all variables are set within a required configure script. It’s in the configure script where you can select specific (or ALL) file extensions to be scanned or, if ALL, the file extensions to omit. Additionally, you may specify directories which the scanner will not scan.
While the SuperScan files can be tested within a webspace, I recommend that it be moved outside the webspace for production use via CRON to protect against casual hackers.
Finally, a curious additional benefit is that changes in (extensionless) error_log files are captured and can direct the webmaster’s attention to coding problems that have slipped through the testing procedures.
SuperScan Logic
The logic flow of SuperScan is:
- Read the baseline information about the files in the database
- Scan the system’s files and compute their hashes
- Compare the baseline files against the current files to determine the changed files to generate:
- A list of added files
- A list of altered files and
- A list of deleted files
- Handle each of the changed files lists (update the database)
- Prepare and send a report (if required).
Database, Variables and the Working Arrays
Rather than bore you with the details here, I’ve inserted comments in all the scripts.
Thus, in short, there are three database tables:
- baseline: this contains the $file_path, the file’s hash and the file’s last modified date and time. (I also added the account so multiple accounts could use a single database.)
- history: this records every detected change (or lack thereof) in each scan.
- scanned: this records the scan summary date and time, as well as the number of changes and associated account.
Warning #1: I can’t stress enough that the $testing variable set by configure.php will trigger an immense amount of output, so it must only be used for testing and never during a CRON job!
Warning #2: Because the path/to/file is used as a key, it must be unique. That means that multiple accounts can never scan the same files.
Warning #3: Windows servers use backslashes in paths; these are immediately changed to slashes, because backslashes cause characters to go missing in the database. Also, an apostrophe in a file name will cause problems with database queries.
The working arrays are designed to make use of PHP’s functions, which access the key ($file_path; this is also the file structure iterator, so never alter $iter->key()). $baseline is read before starting the scan, $current is the result of the scan, and the $added, $altered and $deleted arrays accumulate the changes from the $baseline and are used to update the $baseline for the next scan.
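The logic flow above and the $baseline / $current / $added / $altered / $deleted arrays just described, written out as an added Python example (SuperScan itself is PHP; this is not its code). SCAN_EXTENSIONS and SKIP_DIRS are assumed stand-ins for whatever configure.php calls those settings, and the sample site is constructed in a temporary directory:

```python
import os
import tempfile
from hashlib import sha256
from pathlib import Path

# Assumed settings (configure.php's real variable names are not shown on the page).
SCAN_EXTENSIONS = {"php", "html", "js", ""}  # "" keeps extensionless files such as error_log
SKIP_DIRS = {"cache", "tmp"}                 # directories the scanner must not enter

def scan(root):
    """Build the $current-style dict {file_path: (sha256, mtime)} for one account."""
    current = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune omitted dirs
        for name in filenames:
            ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
            if ext not in SCAN_EXTENSIONS:
                continue
            full = Path(dirpath) / name
            key = os.path.relpath(full, root).replace("\\", "/")  # slash-only unique key
            current[key] = (sha256(full.read_bytes()).hexdigest(), int(full.stat().st_mtime))
    return current

def compare(baseline, current):
    """Split two scans into added / altered / deleted; altered keeps (old, new) hashes.
    Only the hash decides 'altered': mtime is stored for forensics, not trusted."""
    added = {k: v for k, v in current.items() if k not in baseline}
    deleted = {k: v for k, v in baseline.items() if k not in current}
    altered = {k: (baseline[k][0], current[k][0]) for k in baseline.keys() & current.keys()
               if baseline[k][0] != current[k][0]}
    return added, altered, deleted

def next_baseline(baseline, current, deleted):
    """What the database should hold after this scan: new hashes win, deletions drop out."""
    return {k: v for k, v in {**baseline, **current}.items() if k not in deleted}

def demo():
    """Constructed sample site: baseline scan, then three changes, then a second scan."""
    root = Path(tempfile.mkdtemp())
    (root / "inc").mkdir()
    for rel, body in [("index.php", "<?php echo 1;"), ("inc/lib.php", "<?php // lib"),
                      ("logo.png", "not scanned"), ("error_log", "")]:
        (root / rel).write_text(body)
    baseline = scan(root)
    (root / "inc" / "new.php").write_text("<?php // new")         # a file was added
    (root / "inc" / "lib.php").write_text("<?php // lib edited")  # a file was altered
    (root / "error_log").unlink()                                  # a file was deleted
    added, altered, deleted = compare(baseline, scan(root))
    return sorted(added), sorted(altered), sorted(deleted)
```

Note that logo.png never appears in any list because "png" is not a scanned extension, while the extensionless error_log is tracked, matching the behaviour described above.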
Files
The superscan.zip file contains 7 files:
- CreateTables.sql, which can be used to set up your tables
- ReadMe.txt, which provides an overview of the SuperScan script
- scanner.php, the scanning script, which requires
- configure.php and
- scandb.php (which connects to your MySQL server and returns the $scandb handle)
- reporter.php, which will provide a summary of recent scans via CRON
- CRON.txt, which provides sample CRON instructions for both scanner.php and reporter.php
Cleanup
The $report
is created as the file changes are detected, and is stored and emailed if not a “negative report.” The summary report is used for the “warm, fuzzy feeling” when you’re not receiving change reports.
During the cleanup, records older than 30 days are auto-purged from the history and scanned tables to prevent unlimited growth of the database, the large arrays are destroyed (reset to empty) and the database is closed.
Summary
I believe that SuperScan is a massive improvement over my prior effort, and is a worthy upgrade. It provides frequent notice of changed files, while “negative reports” won’t overwhelm the webmaster with unnecessary “Unchanged” notices.
Download the SuperScan code from GitHub
Acknowledgement
SuperScan was suggested by Han Wechgelaer (NL), who emailed the suggestion that my earlier hashscan script be extended to capture a history of the changes to an account’s files, as well as making more frequent assessments and adding a daily summary.
Han was kind enough to provide a copy of his start on this project and, between us, this evolved into SuperScan. Without Han’s gentle prodding and assistance, SuperScan would never have gotten off the ground and would certainly not be the exceptional tool it is today.
I’d love to know how you find this script, or if you have any questions about it or feedback.
Frequently Asked Questions about Detecting Hacked Files via Cron.php SuperScan
What is Cron.php SuperScan and how does it work?
Cron.php SuperScan is a powerful tool designed to detect and identify hacked files in your system. It works by scanning your system files at regular intervals, typically set by the user, and alerts you if it detects any suspicious or modified files. This tool is particularly useful for webmasters and system administrators who need to maintain the security and integrity of their systems.
How can I set up Cron.php SuperScan on my system?
Setting up Cron.php SuperScan involves uploading the script to your server and configuring it to run at regular intervals. This can be done through your server’s control panel or via command line. Once set up, the script will automatically scan your system files and alert you of any potential threats.
What types of files can Cron.php SuperScan detect?
Cron.php SuperScan is capable of detecting a wide range of file types that are commonly associated with hacking attempts. This includes PHP files, HTML files, JavaScript files, and more. It can also detect hidden files and directories that may be used by hackers to gain unauthorized access to your system.
How does Cron.php SuperScan compare to other file scanning tools?
Compared to other file scanning tools, Cron.php SuperScan offers a more comprehensive and automated solution. While other tools may require manual scanning and analysis, Cron.php SuperScan automates the process, saving you time and effort. It also provides detailed reports of its findings, making it easier for you to identify and address potential threats.
Can Cron.php SuperScan prevent hacking attempts?
While Cron.php SuperScan is an effective tool for detecting hacked files, it does not prevent hacking attempts. Its primary function is to alert you of potential threats so that you can take appropriate action. However, regular use of this tool can help you maintain the security of your system and reduce the risk of successful hacking attempts.
How often should I run Cron.php SuperScan?
The frequency of scans depends on your specific needs and the level of security required for your system. However, it is generally recommended to run Cron.php SuperScan at least once a day for optimal security.
What should I do if Cron.php SuperScan detects a hacked file?
If Cron.php SuperScan detects a hacked file, it is important to take immediate action. This may involve removing the file, restoring it from a clean backup, or contacting a cybersecurity professional for further assistance.
Can I customize the settings of Cron.php SuperScan?
Yes, Cron.php SuperScan allows you to customize its settings to suit your specific needs. This includes setting the scan frequency, specifying which file types to scan, and configuring alert notifications.
Is Cron.php SuperScan suitable for all systems?
Cron.php SuperScan is designed to work with most systems that support PHP. However, it may not be compatible with all systems, so it is recommended to check the system requirements before installation.
Is Cron.php SuperScan free to use?
Cron.php SuperScan is a premium tool, which means it comes with a cost. However, considering the level of security it provides and the potential cost of a successful hacking attempt, it is a worthwhile investment for most businesses and individuals.
DK Lynn is a former instructor pilot and "rocket scientist" now living in New Zealand where he operates a small business developing and hosting web sites.