Detecting Defaced Websites with OSSEC

HackedIn the scope of the OSSEC Week, here is a quick contribution which can greatly help you to monitor suspicious changes on a website. Today, your corporate website is the very first contact you have with your customers, partners, press, etc. It’s your window to the world. Nobody can pretend being fully protected against defacement or intrusions. It’s important to be alerted as soon as possible when something “suspicious” occurs. It’s never a good story to be alerted by a third party that you’ve been hacked…

OSSEC integrates by default a FIM (“File Intregrity Monitoring“) feature which can be used to detect changes in files on your web servers. But sometimes, those servers are outsourced or not fully controlled from A to Z by you or your team. Anyway, OSSEC can detect changes in remote files via another feature called “full_command“. How?

In your ossec.conf, define a new “file” entry like this:

  <localfile>
    <log_format>full_command</log_format>
    <command>wget -o /dev/null -O - http://www.company.com | sha1sum</command>
  </localfile>

This command will grab the homepage of www.company.com and compute its SHA1 digest. Now, define a new alert in local_rules.xml:

<rule id="123456" level="8">
    <if_sid>530</if_sid>
    <match>ossec: output: 'wget -o /dev/null -O - http://www.company.com</match>
    <check_diff />
    <description>Change detected on www.company.com.</description>
</rule>

Of course, you can detect changes on specific files:

  <command>wget -o /dev/null -O - http://www.company.com/file.xml | sha1sum</command>

Or on a group of files read from another one:

  <command>for I in `cat files.tmp`; do wget -O - -o /dev/null http://site.be/$I | sha1sum; done</command>

Do you need to track changes related to your BGP Autonomous System? Use this one:

  <command>whois -h whois.ripe.net as12345 | sha1sum</command>

Use your imagination! There are tons of other examples with the “full_command” OSSEC feature. Remember: As soon as you detect a problem, as soon as you fix it! Just one last remark, most websites integrated dynamic content like banners, newsfeed. Select carefully which changes you need to track otherwise, you will be flooded by false positive alerts!

 

One comment

  1. Hi Authors,
    Your technique helps me very much. But i have a this solution that need you help.

    In my ossec.conf, i add 2 with 2 different domain:

    full_command
    curl http://siteA.com/ | grep title | sha1sum
    5

    full_command
    curl http://siteB.com/ | grep title | sha1sum
    5

    And in Local_rules, i defined 2 rules:

    530
    ossec: output: ‘curl http://siteA.com/ | grep title | sha1sum

    Change detected on http://siteA.com/.

    530
    ossec: output: ‘curl http://siteB.com/ | grep title | sha1sum

    Change detected on http://siteB.com/.

    And the result is that the rule id 100001 always trigger. So is there any solutions that check many sites defacing?
    Thanks you

Leave a Reply

Your email address will not be published. Required fields are marked *