[TriLUG] OT: Disinfecting a Club's Website
Kevin Hunter Kesling
hunteke at earlham.edu
Mon Aug 19 21:52:29 EDT 2013
At 9:11pm -0400 Mon, 19 Aug 2013, Alan Porter wrote:
> One thing I like to do on web sites like this is use "git" to track
> (and revert) changes.
>
> Just "git init" and "git add *" and "git commit -m 'initial copy'"
> to get started. Then when you think your files have been hacked, you
> can "git diff" to see, and "git checkout *" to revert back to the
> good copies.
I encountered an attack on a similar setup where we only had user-level
access a while back. After consulting this here group, I ended up
creating an (absolute) kludge until we could get the hosting company to
clean up its act (because changing at that time was also not an
option). I implemented a very similar solution to Alan's: git + remote
cron + md5sums.
* Git: As Alan suggested.
* Remote cron: i.e., we weren't allowed to run cron on the
infected machine, so we did it remotely, checking every 10
minutes via ssh.
* md5sums: after running the 'git reset --hard' command, the
ssh+cron setup also compared md5sums:
$ find . -type f -print0 | sort -z | xargs -0 cat | md5sum
  # sort -z: the -print0 list is NUL-separated, so a plain sort
  # would treat it as a single line instead of ordering the names
Since the attack appeared to be automated, the last step with the
md5sums was perhaps overkill, but it gave me peace of mind (such as a
compromised account/machine allows, of course) that I would know almost
instantly if something went further awry.
Good luck,
Kevin
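The git + remote cron + checksum procedure Kevin describes, written out as an added example script (this is not Kevin's or Alan's actual code). It assumes the web root is a git checkout whose path is passed as $1, a baseline manifest file passed as $2, and md5sum plus GNU find/sort on the web host; the user name, host name and paths in the cron line are placeholders. It goes a step beyond the single md5sum of the concatenated tree: it keeps a per-file manifest, so a mismatch also tells you which files were changed, added or removed, and it re-checks after the reset, because git reset --hard puts tracked files back but leaves an untracked file (a dropped web shell) where it is.

```shell
#!/bin/sh
# Added example, not the original poster's script.  Assumed usage from a
# cron job on a separate monitoring machine, every 10 minutes:
#   */10 * * * * ssh web@webhost 'sh -s' -- /var/www/site /home/web/site.base < webcheck.sh
# (user, host and paths are placeholders).  Requires md5sum and GNU find/sort.

# Per-file content hashes in a stable order.  sort -z matters: find -print0
# emits NUL-separated names, so a plain sort would see one huge "line" and
# the order (hence the final hash) would follow find's directory walk.
# .git is skipped because git reset --hard rewrites the index even when the
# checked-out files are unchanged.
manifest() {
    ( cd "$1" && find . -path ./.git -prune -o -type f -print0 \
        | LC_ALL=C sort -z \
        | xargs -0 md5sum )
}

# Single 32-hex-digit hash of the whole tree (names and contents).
tree_hash() {
    manifest "$1" | md5sum | cut -d' ' -f1
}

# Compare the tree under $1 with the baseline manifest $2.  Returns 0 when
# nothing changed; otherwise prints the differing manifest lines
# ("<" baseline, ">" current) and returns 1.
check_tree() {
    current=$(manifest "$1")
    if [ "$current" = "$(cat "$2")" ]; then
        return 0
    fi
    printf '%s\n' "$current" | diff "$2" - | grep '^[<>]'
    return 1
}

# Restore tracked files with git, then re-check: git reset --hard does not
# remove untracked files, so a newly dropped script survives the reset.
repair_tree() {
    if check_tree "$1" "$2"; then
        echo "ok: $1 matches baseline"
        return 0
    fi
    echo "drift in $1, resetting tracked files" >&2
    ( cd "$1" && git reset --hard -q )
    if check_tree "$1" "$2"; then
        echo "restored: $1 matches baseline again"
        return 0
    fi
    echo "untracked changes remain after reset; inspect $1 by hand" >&2
    return 2
}

# Record a fresh baseline from a tree you have just verified by hand.
save_baseline() {
    manifest "$1" > "$2"
}

if [ "$#" -ge 2 ]; then
    repair_tree "$1" "$2"
fi
```

The baseline manifest should live on the monitoring side (copy it over with the script, or keep it outside anything the web user can write), since an attacker with the same user-level access as you can rewrite a baseline stored next to the site. A non-zero exit from repair_tree is what the remote cron job should alert on.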