I am trying to improve or looking to replace or complement a ruby script that some other person has written some years ago. The script crawls a given set of websites that I want to monitor and it searches for certain keywords that could indicate that the website has been hacked. I want to do that at least on a daily basis, so if something slipped past our other protections I would have at least have a chance to detect the breach before others do.

Example signatures that the script supports currently are:

• URLs with TLDs that I would not expect on our websites (.cn, .ru, .br and others), especially if it is pointing to a javascript
• hidden iframes and the like
• keywords like "cialis",  "viagra", "generica", "hacked", "pwned"

One problem is to find a set of keywords or signatures that does not generate too many false positives but still catches a good deal of what's detectable.

Does anybody in this forum know a good source for these keywords and signatures?

The second problem or task would be to take the script beyond simple keyword search.

But maybe I could just use one of the low interaction honeypots out there for this task?

What experiences have you got with tools like honeyC, phoneyC, Monkeyspider and others? 

How much load do these programs generate on the servers they crawl?

Can they be safely used in larger environments?

Thanks for sharing your ideas, insight and knowledge. :)