I am trying to improve, or looking to replace or complement, a Ruby script that some other person wrote some years ago. The script crawls a given set of websites that I want to monitor and searches for certain keywords that could indicate that the website has been hacked. I want to do that at least on a daily basis, so if something slipped past our other protections I would at least have a chance to detect the breach before others do.


Example signatures that the script supports currently are:

  • URLs with TLDs that I would not expect on our websites (.cn, .ru, .br and others), especially if they point to JavaScript
  • hidden iframes and the like
  • keywords like "cialis", "viagra", "generica", "hacked", "pwned"

One problem is to find a set of keywords or signatures that does not generate too many false positives but still catches a good deal of what's detectable.

Does anybody in this forum know a good source for these keywords and signatures?


The second problem or task would be to take the script beyond simple keyword search.

But maybe I could just use one of the low interaction honeypots out there for this task?


What experiences have you got with tools like honeyC, phoneyC, Monkeyspider and others?

How much load do these programs generate on the servers they crawl?

Can they be safely used in larger environments?


Thanks for sharing your ideas, insight and knowledge. :)

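As an added example (this is not the original poster's script, nor code from any project named in this thread), here is a small Ruby scanner that covers the three signature classes listed in the post: links or script sources under unexpected TLDs, hidden iframes, and a keyword list matched as whole words. The TLD list, keyword list, hostnames and the sample page are constructed for illustration and are assumptions of this example, not values from the thread.

```ruby
# Added example, not the original poster's Ruby script: a minimal signature
# scanner for one page's HTML, covering the three indicator classes from the post.
require 'uri'
require 'net/http'

# Constructed lists for this example (assumptions, not a recommended signature set).
SUSPICIOUS_TLDS = %w[cn ru br].freeze
KEYWORDS        = %w[cialis viagra generica hacked pwned].freeze

# Matches src="..." / href="..." in any tag; good enough for a first pass
# (a production scanner would use a real HTML parser such as Nokogiri).
URL_ATTR_RE = /\b(?:src|href)\s*=\s*["']([^"']+)["']/i
IFRAME_RE   = /<iframe\b[^>]*>/i

# Return the TLD of an absolute URL, or nil for relative links / unparsable input.
def tld_of(url)
  host = URI.parse(url).host
  host && host.split('.').last.downcase
rescue URI::InvalidURIError
  nil
end

# True when an <iframe ...> tag looks hidden: zero size or hidden via inline style.
def hidden_iframe?(tag)
  tag =~ /\b(?:width|height)\s*=\s*["']?0(?:px)?["']?/i ||
    tag =~ /display\s*:\s*none|visibility\s*:\s*hidden/i
end

# Scan one HTML document; returns an array of [category, detail] findings.
def scan_html(html)
  findings = []

  # 1. Absolute URLs whose TLD is not expected on our own sites;
  #    flag script sources separately, since those are the higher-risk case.
  html.scan(URL_ATTR_RE) do |(url)|
    tld = tld_of(url)
    next unless tld && SUSPICIOUS_TLDS.include?(tld)
    kind = url =~ /\.js(\?|$)/i ? 'suspicious_tld_script' : 'suspicious_tld_url'
    findings << [kind, url]
  end

  # 2. Hidden iframes.
  html.scan(IFRAME_RE) do |tag|
    findings << ['hidden_iframe', tag] if hidden_iframe?(tag)
  end

  # 3. Keywords, matched on tag-stripped text as whole words (\b) to keep
  #    false positives such as "generically" from matching "generica".
  text = html.gsub(/<[^>]+>/, ' ').downcase
  KEYWORDS.each do |kw|
    findings << ['keyword', kw] if text =~ /\b#{Regexp.escape(kw)}\b/
  end

  findings
end

# Fetch a page and scan it; this is what a daily cron job would call per URL.
def scan_url(url)
  scan_html(Net::HTTP.get(URI(url)))
end

# Constructed sample page with one injected script, one hidden iframe and one
# spam keyword; hostnames are placeholders, not real sites.
SAMPLE_HTML = <<~HTML
  <html><body>
  <h1>Welcome to our shop</h1>
  <script src="https://cdn.example.com/app.js"></script>
  <script src="http://static.placeholder-host.cn/loader.js"></script>
  <iframe src="http://ads.placeholder-host.ru/x.html" width="0" height="0"></iframe>
  <p>Buy cheap viagra online</p>
  </body></html>
HTML

if $PROGRAM_NAME == __FILE__
  scan_html(SAMPLE_HTML).each { |kind, detail| puts "#{kind}: #{detail}" }
end
```

Running it on the sample page reports the `.cn` script source, the `.ru` iframe URL, the zero-sized iframe and the keyword "viagra"; the clean `cdn.example.com` script is not flagged. The word-boundary match and the TLD whitelist-by-exception are the two knobs that most affect the false-positive rate the post asks about.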

Replies to This Discussion

This Honeyspider project seems to be promising: http://www.honeyspider.net/


That Honeyspider is looking really interesting. But for detecting if our own websites got hacked, it's a little bit too complex and kind of over the top. I was looking for something easier to start with.

Hello,

I'm not sure if you know of Zone-H and their archive of defaced websites.
It is possible that you may be able to glean some additional keywords or specific filetype names that get uploaded / replaced after a compromise.

http://www.zone-h.org/archive?zh=1

Hopefully this might help.

© 2017 Created by Marcus J. Carey.