
Protect your web pages – automagically with perl

After a recent incident of some piss poor script kiddie defacing one of my websites I wrote a quick and dirty little perl script to both monitor and repair things should it happen again (thus giving me a much more narrow window of server logs to check to find the exploit or whatever allowed it to happen in the first place).

Here's how it works in a nutshell: the site's content is completely dynamic, however the PHP script that generates it is static.

  • $file1 is the working page
  • $file2 is the name of the known good page
  • generate a checksum of the two files, the output will be a string of numbers followed by a character count and the filename checked.
  • compare the first 10 digits of the checksum of the returned string (adjust to suit your needs)
  • if they are different run ‘page’ (sends an email to my cell/pager) and ‘repair’ (renames the bad file appending the date/time then copies the known good file to replace the defaced one)
  • otherwise exit

Pretty simple, and I’m certain my code could be optimized to run a lot cleaner (if you want to submit a cleaner version by all means post it in the comments!). In the interim this works.

    compare.pl
    [code]
    #!/usr/bin/perl
    ### Dave Cochran https://www.greyfuzz.com
    use strict;
    use warnings;
    use Time::localtime;    # provides ctime()
    use File::Copy;         # provides copy()

    my $file1 = "index.php";     # the working page
    my $file2 = "index.good";    # the known good page

    # cksum prints "<checksum> <count> <filename>"
    my $diff1 = `cksum $file1`;
    my $diff2 = `cksum $file2`;

    # keep only the leading characters of each result (adjust to suit your needs)
    my $diff1value = substr($diff1, 0, 9);
    my $diff2value = substr($diff2, 0, 9);

    # compare as strings: the slice can contain a space after a short checksum
    if ($diff1value ne $diff2value)
    {
        page();
        repair();
        exit;
    }
    #print "no difference in file checksums.\n";
    #uncomment the line above for testing
    exit;

    sub page
    {
        # sendmail routine source from http://kangry.com/topics/viewcomment.php?index=427
        open(OUT, "|/usr/sbin/sendmail -t") or die "Cannot run sendmail: $!";
        print OUT "From: you\@yourdomain.com\n";
        #remember to escape the @
        print(OUT "Date: " . ctime() . "\n");
        print(OUT "To: email\@youremailorpager.com\n");
        #remember to escape the @
        print(OUT "Subject: Index.php changed!\n");
        print(OUT "\n");
        print(OUT "index.php has been changed!\n");
        close(OUT);
    } # end sub page

    sub repair
    {
        # keep the changed file for later inspection, named with the date/time
        rename($file1, $file1 . ctime()) || die "Cannot rename $file1: $!";
        # put the known good copy back in place
        copy($file2, $file1) or die "File cannot be copied: $!";
    } # end sub repair
    [/code]

    This requires two Perl modules, Time::localtime and File::Copy, which are generally installed with the perl bundle by default; if not, get them from CPAN or contact your host.

    Simply run the script I called compare.pl via cron or whatever means you wish as often as you want to check the page. Personally every 5 mins works out pretty good for me.

    Feel free to use the code above as you will, modify it to suit your needs, be it to protect your web pages, files, or whatever. If you find it useful, please send $$$, or just a thanks.
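
The script above compares only the first characters of `cksum` output, and `cksum` is a CRC meant to catch accidental corruption rather than deliberate changes. The following is an added example, not the author's code, of the same check-and-repair idea using a full SHA-256 digest; the function names, the `.changed.<timestamp>` suffix and the demo file contents are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not the original compare.pl): full SHA-256 comparison.
use strict;
use warnings;
use Digest::SHA;
use File::Copy qw(copy move);
use File::Temp qw(tempdir);
use POSIX qw(strftime);

# Hex SHA-256 of a whole file, read in binary mode.
sub sha256_of {
    my ($path) = @_;
    return Digest::SHA->new(256)->addfile($path, "b")->hexdigest;
}

# Returns "ok" if $live matches $good; otherwise keeps the changed file
# as evidence under a timestamped name, restores $good, returns "repaired".
sub check_and_repair {
    my ($live, $good) = @_;
    return "ok" if sha256_of($live) eq sha256_of($good);
    my $stamp    = strftime("%Y%m%dT%H%M%SZ", gmtime);
    my $evidence = "$live.changed.$stamp";   # no spaces or colons in the name
    move($live, $evidence) or die "Cannot rename $live: $!";
    copy($good, $live)     or die "Cannot restore $live: $!";
    return "repaired";
}

# Constructed demo files in a temporary directory (hypothetical content).
my $dir = tempdir(CLEANUP => 1);
my ($live, $good) = ("$dir/index.php", "$dir/index.good");
for my $f ($live, $good) {
    open(my $fh, ">", $f) or die "Cannot write $f: $!";
    print $fh "<?php echo 'hello'; ?>\n";
    close($fh);
}
print "unchanged page: ", check_and_repair($live, $good), "\n";

# Simulate an unexpected modification of the working page.
open(my $fh, ">>", $live) or die "Cannot append to $live: $!";
print $fh "<!-- constructed unauthorised change -->\n";
close($fh);
print "modified page:  ", check_and_repair($live, $good), "\n";
print "after repair:   ", check_and_repair($live, $good), "\n";
```

Keep the known good copy and the script somewhere the web server's account cannot write, otherwise whoever changes index.php can change index.good as well.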