[TriLUG] OT: Disinfecting a Club's Website

Kevin Hunter Kesling hunteke at earlham.edu
Mon Aug 19 21:52:29 EDT 2013


At 9:11pm -0400 Mon, 19 Aug 2013, Alan Porter wrote:
> One thing I like to do on web sites like this is use "git" to track
> (and revert) changes.
>
> Just "git init" and "git add *" and "git commit -m 'initial copy'"
> to get started.  Then when you think your files have been hacked, you
> can "git diff" to see, and "git checkout *" to revert back to the
> good copies.

I encountered an attack on a similar setup where we only had user-level 
access a while back.  After consulting this here group, I ended up 
creating an (absolute) kludge until we could get the hosting company to 
clean up its act (because changing at that time was also not an 
option).  I implemented a very similar solution to Alan's: git + remote 
cron + md5sums.

   * Git: As Alan suggested.

   * Remote cron: i.e., we weren't allowed to run cron on the
     infected machine, so we did it remotely, checking every 10
     minutes via ssh.

   * md5sums: after running the 'git reset --hard' command, the
     ssh+cron setup also compared md5sum:

         $ find . -type f -print0 | sort -z | xargs -0 cat | md5sum

Since the attack appeared to be automated, the last step with the 
md5sums was perhaps overkill, but it gave me peace of mind (such as a 
compromised account/machine allows, of course) that I would know almost 
instantly if something went further awry.

Good luck,

Kevin
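The git + remote cron + checksum loop Kevin describes, written out as an added example (not Kevin's or Alan's script): the three pieces are shell functions meant to be fed over ssh from the trusted cron host. It assumes the site directory is a git repository with the clean copy committed, excludes .git from the checksum, and hashes per-file digests instead of concatenated contents so that renamed or added files also change the result.

```shell
#!/bin/sh
# Added example, not Kevin's or Alan's script: the remote-cron check as
# shell functions. Cron on the trusted host feeds this file over ssh, e.g.
#   ssh user@host sh -s < check_site.sh
# Assumptions: the site directory is a git repository whose clean copy is
# committed, and the known-good checksum was recorded from that clean copy.

# Content checksum of a tree, ignoring .git and file timestamps.
# sort -z keeps find -print0 records intact; hashing per-file digests (rather
# than concatenated contents) means renamed or added files change the result.
site_checksum() {
    (cd "$1" && find . -name .git -prune -o -type f -print0 \
        | sort -z | xargs -0 md5sum | md5sum | cut -d' ' -f1)
}

# Files git sees as modified, deleted or untracked; empty when clean.
site_drift() {
    git -C "$1" status --porcelain
}

# Restore the committed copy (Alan's 'git checkout *', Kevin's
# 'git reset --hard') and delete files that were dropped into the tree.
site_revert() {
    git -C "$1" reset --hard --quiet && git -C "$1" clean -fdq
}

# One cron tick. Returns 0 when clean, 1 when drift was found and reverted,
# 2 when the checksum still differs after reverting (a human needs to look).
check_site() {
    dir="$1"; baseline="$2"; rc=0
    drift=$(site_drift "$dir")
    if [ -n "$drift" ]; then
        printf 'drift detected in %s:\n%s\n' "$dir" "$drift"
        site_revert "$dir"
        rc=1
    fi
    if [ "$(site_checksum "$dir")" != "$baseline" ]; then
        echo "checksum mismatch after revert in $dir"
        rc=2
    fi
    return $rc
}
```

Record the baseline once from the clean tree (`site_checksum /path/to/site`) and have the cron job mail or log any non-zero return from `check_site`.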
