I am trying to improve, or am looking to replace or complement, a Ruby script that some other person wrote some years ago. The script crawls a given set of websites that I want to monitor and searches for certain keywords that could indicate that a website has been hacked. I want to do that at least on a daily basis, so if something slipped past our other protections I would at least have a chance to detect the breach before others do.


Example signatures that the script supports currently are:

  • URLs with TLDs that I would not expect on our websites (.cn, .ru, .br and others), especially if they point to JavaScript
  • hidden iframes and the like
  • keywords like "cialis", "viagra", "generica", "hacked", "pwned"

One problem is to find a set of keywords or signatures that does not generate too many false positives but still catches a good deal of what's detectable.

Does anybody in this forum know a good source for these keywords and signatures?


The second problem or task would be to take the script beyond simple keyword search.

But maybe I could just use one of the low interaction honeypots out there for this task?


What experiences have you got with tools like honeyC, phoneyC, Monkeyspider and others? 

How much load do these programs generate on the servers they crawl?

Can they be safely used in larger environments?


Thanks for sharing your ideas, insight and knowledge. :)

Tags: crawler, honeypot, spider


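Added example, not the script from the post: a minimal Ruby scanner for the three signature types listed above (unexpected TLDs in src/href URLs, hidden iframes, spam keywords). The TLD and keyword lists are the ones named in the post, the sample HTML is constructed, and only the standard library is used, so it runs offline as a starting point for a daily check.

```ruby
require 'uri'

# Signatures taken from the post: unexpected TLDs, hidden iframes, spam keywords.
SUSPICIOUS_TLDS = %w[cn ru br].freeze
KEYWORDS = %w[cialis viagra generica hacked pwned].freeze

# Constructed sample page (not a real site) carrying one of each signature.
SAMPLE_HTML = <<~HTML
  <html><body><h1>Welcome</h1>
  <script src="http://cdn.example.ru/js/loader.js"></script>
  <iframe src="http://evil.example.cn/x" style="display:none;width:0;height:0"></iframe>
  <p>Buy cheap viagra now</p>
  <a href="https://www.example.com/about">About us</a>
  </body></html>
HTML

# True when the URL's host ends in a TLD we never expect on our own pages.
def suspicious_tld?(url)
  host = URI.parse(url).host
  return false if host.nil?
  SUSPICIOUS_TLDS.include?(host.split('.').last.downcase)
rescue URI::InvalidURIError
  false
end

# Iframe tags hidden by CSS or by zero dimensions (regex only, no HTML parser).
def hidden_iframes(html)
  html.scan(/<iframe\b[^>]*>/i).select do |tag|
    tag =~ /display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*[:=]\s*["']?0(?:px)?(?!\d)/i
  end
end

# One finding per matched signature; an empty array means the page looks clean.
def scan_page(html)
  findings = []
  html.scan(/\b(?:src|href)\s*=\s*["']([^"']+)["']/i).flatten.each do |url|
    findings << { type: :suspicious_tld, value: url } if suspicious_tld?(url)
  end
  hidden_iframes(html).each { |tag| findings << { type: :hidden_iframe, value: tag } }
  text = html.gsub(/<[^>]+>/, ' ')   # keyword check runs on visible text only
  KEYWORDS.each do |kw|
    findings << { type: :keyword, value: kw } if text =~ /\b#{Regexp.escape(kw)}\b/i
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  scan_page(SAMPLE_HTML).each { |f| puts "#{f[:type]}: #{f[:value]}" }
end
```

Feeding each fetched page to scan_page and alerting on a non-empty result is the keyword-search baseline the post describes; tuning SUSPICIOUS_TLDS and KEYWORDS per site is where the false-positive work goes.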

Replies to This Discussion

This Honeyspider project seems to be promising: http://www.honeyspider.net/


That Honeyspider is looking really interesting. But for detecting if our own websites got hacked, it's a little bit too complex and kind of over the top. I was looking for something easier to start with.


© 2012   Created by Marcus J. Carey.   Powered by .