
TL;DR: Is there an easy way to monitor directories for new/changed/deleted files?

Details: A simple WordPress website on a virtual server got hacked. Nothing too serious. No important project / data and no real damage. It seems that some exploit was used to insert some code which allowed altering some existing files and creating new ones.

This should obviously be avoided in the future. Besides the obvious steps (change all passwords, update all software, etc.) I thought about monitoring the web files for changes. Of course this would not prevent a new attack, but at least it could help to detect it faster. So, while this should certainly not be the only security measure, it could be a small part of overall security.

Most web files are static and do not change. Besides some log files, no new files are created and no existing files are removed during regular usage.

So, if any files are changed, removed or added, this could be due to an attack. Is there any existing tool to monitor this automatically?

It would be enough to create a list of all current files with their hash values and re-run this test at certain intervals. If any change is detected, a notification is sent.

Before re-inventing the wheel I wonder if there is already a tool out there, which does this job.

Comments:

  • The problem is that unless such monitoring is configured / tuned properly it will trigger false positives when you use the highly recommended WordPress automatic background updates
    – HBruijn, commented Oct 6, 2023 at 7:49

3 Answers


You may use two tools to manage integrity and monitor file operations.

For integrity you can try AIDE, which will warn you when some file is changed.

For activity you can use the audit subsystem. For example, the command:

auditctl -w /etc/hosts -p w -k monitor-hosts

will add a rule to monitor writes to the /etc/hosts file.


I would rather suggest putting a WAF (Web Application Firewall) in front of the WordPress site to decrease the chance that a threat actor is able to abuse the WordPress site. A free option would be ModSecurity with Nginx or Apache. If a threat actor has already changed a file you're essentially too late, because you don't know what else he might have changed. A WAF filters the HTTP/HTTPS traffic and blocks any malicious patterns before they even reach the server. Of course you can't prevent zero-day attacks with it, but a WAF is a much better protection in my opinion than keeping an eye on changed files. WordPress also has a database which can be abused by sending database queries, and if you look only at changed files you miss that.


Notably, you didn't mention what operating system this runs on - this is rather an important consideration when dealing with security matters and choosing software to install.

For the question you asked there are lots of tools available. Your local search engine will give you lots of suggestions, and if you explicitly search for "host-based intrusion detection system" many of the answers will be relevant. Obvious candidates are osiris, tripwire, integrit, samhain, debsums and tiger. But before you do that, you can easily set up your own crude script:

#!/bin/bash

CHECKFILE="/var/run/webfiles"
NEWFILES="$(mktemp)"   # unpredictable name instead of /tmp/newfiles$$

# First run: create the timestamp file so find has something to compare against
[[ -e "$CHECKFILE" ]] || touch "$CHECKFILE"

# Everything under the web root modified since the last run
find /var/www/html -newer "$CHECKFILE" >"$NEWFILES"
if [[ -s "$NEWFILES" ]] ; then
   # mail the list of changed files (not the empty timestamp file)
   mail -s "File changes" [email protected] <"$NEWFILES"
fi
rm -f "$NEWFILES"
touch "$CHECKFILE"

or, simply inline from cron:

find /var/www/html -newer /var/run/webfiles ; touch /var/run/webfiles ; false

.....however, this is the XY problem. WordPress is insecure by design - it is self-modifying code AND uses the same channel for controlling modification as for normal use. While the base package does a valiant job in keeping these concerns separate, plugins vary a lot in quality. And even without these considerations, detection is not nearly as valuable as prevention.

"Beside the obvious steps"

...which includes making all the PHP and javascript files read-only (at least to the webserver uid) between deployments?
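As an added example (not code from the question or from any of the answers above), the following script is a hash-based version of what the question asks for, and of the `find -newer` approach in the last answer. It keeps a baseline of SHA-256, size and permission bits per file; reports added, modified and deleted files (deletions are something `-newer` cannot see); skips paths that are expected to churn so uploads and logs do not alert every run; and, following the read-only suggestion just above, lists PHP/JavaScript files that carry any write bit. The ignore patterns, the baseline path and the file contents built by `demo()` are assumptions constructed for the example, not real WordPress files.

```python
#!/usr/bin/env python3
"""Hash-based integrity check for a mostly static web root (added example).
Usage: integrity.py baseline|check WEBROOT BASELINE.json ; no args runs demo().
Keep BASELINE.json outside the web root and unwritable by the web server uid."""
import fnmatch, hashlib, json, os, shutil, stat, sys, tempfile
from pathlib import Path

# Paths (relative to the web root) that legitimately change in normal use;
# assumed defaults: uploads, caches and logs would otherwise alert every run.
DEFAULT_IGNORE = ("wp-content/uploads/*", "wp-content/cache/*", "*.log")

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, ignore=DEFAULT_IGNORE):
    """{relative_path: {sha256, mode, size}} for every regular file under root."""
    root, entries = Path(root), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if any(fnmatch.fnmatch(rel, pat) for pat in ignore):
                continue
            st = p.lstat()  # lstat: never follow a planted symlink out of the tree
            if stat.S_ISREG(st.st_mode):
                entries[rel] = {"sha256": sha256_file(p), "size": st.st_size,
                                "mode": stat.S_IMODE(st.st_mode)}  # permission bits
    return entries

def compare(old, new):
    """Diff two snapshots; a permission change counts as a modification too."""
    return {"added": sorted(set(new) - set(old)),
            "deleted": sorted(set(old) - set(new)),
            "modified": sorted(r for r in set(old) & set(new)
                               if old[r]["sha256"] != new[r]["sha256"]
                               or old[r]["mode"] != new[r]["mode"])}

def writable_code(entries, exts=(".php", ".js")):
    """Code files with any write bit set: the read-only-between-deployments check."""
    wbits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
    return sorted(r for r, e in entries.items() if r.endswith(exts) and e["mode"] & wbits)

def demo():
    """Constructed web root in a temp dir (not real WordPress files): baseline, tamper, report."""
    root = Path(tempfile.mkdtemp(prefix="webcheck-"))
    try:
        for rel, body in {"index.php": "<?php require 'wp-blog-header.php';\n",
                          "wp-includes/functions.php": "<?php // core code\n",
                          "wp-content/uploads/2023/photo.jpg": "jpeg bytes",
                          "debug.log": "noise\n"}.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
            if rel.endswith(".php"):
                os.chmod(p, 0o444)  # deployed read-only
        baseline = snapshot(root)
        # Simulated compromise: webshell dropped, index.php made writable and
        # backdoored, a core file deleted. Upload and log churn must NOT alert.
        (root / "wp-content/shell.php").write_text("<?php eval($_POST['c']);\n")
        os.chmod(root / "index.php", 0o644)
        (root / "index.php").write_text("<?php include 'wp-content/shell.php';\n")
        (root / "wp-content/uploads/2023/photo.jpg").write_text("replaced")
        (root / "debug.log").write_text("more noise\n")
        (root / "wp-includes/functions.php").unlink()
        current = snapshot(root)
        report = compare(baseline, current)
        report["writable_code"] = writable_code(current)
        return report
    finally:
        shutil.rmtree(root)

def main(argv):
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print(__doc__)
        return 2
    cmd, root, db = argv[1:]
    if cmd == "baseline":
        Path(db).write_text(json.dumps(snapshot(root), indent=1, sort_keys=True))
        return 0
    report = compare(json.loads(Path(db).read_text()), snapshot(root))
    for kind, paths in report.items():
        for rel in paths:
            print(f"{kind}: {rel}")
    return 1 if any(report.values()) else 0  # non-zero exit = something changed

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(json.dumps(demo(), indent=1))  # no arguments: run the built-in demo
    else:
        sys.exit(main(sys.argv))
```

Run `integrity.py baseline /var/www/html /var/lib/webcheck/baseline.json` right after a clean deployment, then put `integrity.py check ...` in cron; cron mails whatever `check` prints. Two caveats follow from the thread: the baseline must live where the web server uid cannot write it, otherwise an intruder who can drop a webshell can also rewrite the baseline; and, as the comment on the question notes, WordPress background updates will show up as a burst of modified files under wp-includes and wp-admin, so either disable them and re-baseline after each deliberate update, or verify such a burst against the release rather than silencing it.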
