Portal Home > Knowledgebase > Articles Database > Website Deface Detection?


Website Deface Detection?




Posted by v33usa, 03-31-2016, 04:29 PM
We're a web design/web development agency, and we work Primarily with Wordpress. Websites seldom get hacked/defaced, and we would like to be notified when that happened. We could pay for Sucuri but that would cost $19/website, and we host hundreds of websites so that's not an option. Is there any service that we're not aware of, that can detect defacement of websites? Currently what we're doing is, adding every website to UptimeMonitor, with keywords present on the websites. When a site gets defaced, the keyword is gone, and then we get notified. While this works, UptimeRobot just can't read keywords on some websites and we're not sure why, plus it would be nice to have a service that's specific for this. If there's no such a service, that's cool, I'm just wondering if there is but it passed under our radar. Please no server security lectures, we all know that even a well secured server will get exploited eventually. Thanks!

Posted by bear, 03-31-2016, 05:31 PM
Some security plugins for WP will also watch for changed files. Here's one of those you might want to try: https://wordpress.org/plugins/better-wp-security/

Posted by madRoosterTony, 03-31-2016, 05:43 PM
Why not have a simple php script written that checks a couple key files against an MD5 hash. If the hash is different it notifies you? My guess is if you do not have the ability to write this in house, you could have it written for less then $20 and then its just a simple upload and setting of a cron script to run every so often.

Posted by v33usa, 03-31-2016, 05:58 PM
Thanks for the input. We have used that, but we get flooded with emails all the time as every single plugin update and wordpress update changes a lot of files. Check for an MD5 hash is a great idea, much better than checking for keywords. While a script is simple to make, we were looking for something more than that, with a full gui and notifications. Just not trying to reinvent the wheel coding something that already exists. Seems like there isn't anything like this in the market though.

Posted by net, 03-31-2016, 06:14 PM
Why wait to get defaced when you can prevent it? I would recommend putting modsecurity with good rules on this ( contact your host ). Then, use TAC and Exploit Scanner for wordpress to check files and themes for any potentials infected files. Mostly, spam comes from Theme plugin.

Posted by v33usa, 03-31-2016, 06:19 PM
Servers are using Comodo WAF modsecurity rules, along with CXS being installed on all servers. Still, some websites do get defaced now and then. It's not often, but it's annoying that we don't know when it happens and the customer gets worried. Note that a defacement can just be an index.html file being put in public_html, with a bunch of nonsense in it. These .html files won't trigger TAC as they aren't exploits, just annoyances.

Posted by SenseiSteve, 03-31-2016, 06:22 PM
Just took a look at Exploit Scanner since this was new to me. Saw almost as many one star reviews as five star reviews. Has this worked well for you?

Posted by v33usa, 03-31-2016, 06:47 PM
Actually we haven't used TAC, but we use Wordfence and I'd recommend it. It has helped us tremendously at finding infected files, modified core Wordpress files, etc. https://wordpress.org/plugins/wordfence/ 2515 5 star reviews and only 50 1 star reviews. Make sure to go on the plugin's settings and enable malware scan on the plugins and themes folders (It's disabled by default).

Posted by UNIXy, 04-01-2016, 05:30 AM
It's not just file changes that you have to worry about, it's also SQL changes (SQL injection). The change is ultimately visible in the final output of a page or HTML. But not all HTML output changes mean a site has been hacked. The Vary header can result in detectable HTML output changes with a large number of permutation depending on the device, browser, etc. There are so many false positives to deal with. Then you have to anticipate obscure and weird corner cases of the web. If I were to build such system myself with limited time and budget, I'd look for one or more APIs that will help me get it done quicker. One API is Google Webmaster's. It has the heuristics engine to detect a defaced website. It'd probably take a couple of weeks to get something out quickly. Hmm.. This reads like a fun project to work on by the way!

Posted by Chaddy, 04-01-2016, 07:28 AM
Just use CXS it gets rid of most things. Get decent security / server admin staff who have a clue of what they are doing.

Posted by WPCYCLE, 04-01-2016, 09:57 AM
This a band-aid fix. There is such a service...it's called a skilled team or individual. As Net mentioned, why wait for the situation to occur....why not prevent. Server security and WordPress security are completely different. A server could be a solid rock with no way of getting in, but a single hole in WordPress will still allow someone to get in. 1. Do you have any records on how they got in? 2. Have you studied such records and implemented ways for others to not get in? It's true that nothing is 100%, but relying on a plugin for security is about 5 steps too late....and waiting for an uptime monitor to report such an issue is about 15 steps too late. By the time the monitor pickups on the missing word and alerts you, a WordPress site could have cycled through tens of thousands of attacks. Also in terms of uptime...there is one service that I've seen a client use with their host which also reports if keywords go missing (classic WordPress white screen)...but it also sent a lot of false positives due to a few other factors, but the best method to addressing the issue....find out what caused the white screen and fix it. Zero whitescreen uptime reports now.

Posted by UNSYS, 04-01-2016, 10:46 AM
WOW, that is an odd way knowing your site is screwed The best way to secure your WP sites is to make sure everything is up to date. (Esp with plugins and theme). Then you need to use some "best security practices" for your WP sites. (securing wp-admin, protection against attacks, regular scanning etc) If you have server access (i.e. root access) you can make your life a lot easier. And lastly, backups backups backups No matter where you hosted or how many backups your host has, you got to have your own backups. I agree, costs with Sucuri can go insane if you too many sites. (We using it only for some high end clients in addition to other key security setups) If you find it difficult to do all that yourself, may be hire someone for a helping hand.

Posted by Srv24x7, 04-01-2016, 11:01 AM
Hi, You could use something like Patchman to actually monitor all the websites and then potential get notified in terms of any notorious activity. Check the below link. http://patchman.co/

Posted by UNSYS, 04-01-2016, 11:17 AM
I have not seen many people using it. Only a few mentioned of this here in WHT. Nothing much on their site either (other than a fancy site) I sent them two emails when I saw blog post on cP. Never got a reply back from them and well .. that's about it.

Posted by Srv24x7, 04-04-2016, 10:59 AM
This is a new product and this is being coming into practice now. You may have not seen many people, because people with one or two servers will not go with any paid applications for security, this is being used by webhoster having 100s of servers and are well-established. I think you should use it to actually check it.

Posted by Eased, 04-04-2016, 12:52 PM
Why not just setup transactional monitoring to parse for a particular string on a page? Silly easy to setup. If string is not found = alert. Doubles as both a website is not working and defacement alert.

Posted by SneakySysadmin, 04-04-2016, 03:12 PM
If you haven't updated Wordpress in the last 48 hours... just assume that it happened. That's not even really a joke anymore. No, actually. They won't be. Shared hosting? Yes - because you can't control what users install, but a well secured non-shared server is not going to be compromised any time soon. I have a double handful of web servers right now I can point at that are going on 20 years without having a compromise. ... of course, none of them have Wordpress installed. Edit: By the way, there's an easier way. Don't try and parse the HTML. That can get to be far too much because of javascript, dynamic content, database calls etc. A far easier method is something like Tripwire (Google it). If your files change, you'll know it.

Posted by v33usa, 04-04-2016, 03:19 PM
Oh my god, I should've known that people on this forum would just skip what I asked in the OP: Servers are secured, all Wordpress sites are secured, and still we got hit a few months ago having a few sites being defaced because Revolution Slider, a plugin that's used on 99% premium themes and has 100k sales on themeforest.net, shipped with a freaking code injection vulnerability.. on their latest version. Not to mention several other plugins and themes that are coded recklessly and do ship with vulnerabilities. In these cases we just restore backups from our R1Soft node and patched the Revolution Slider vulnerability. I doubt, I really do doubt that any server admin here manages hundreds of sites in a server in which he/she has no control over the sites, and never ever had 1 site being exploited. Ya'll misinterpreting, we're not just setting up a defacement watcher and just chilling until something bad happens, as @WPCYCLE said: We just want to be the first to know, that even with all the security procedures in practice, someone managed to get in and do something bad. Not all sites can be upgraded. We have a client running a Joomla 1.5 CRM system they custom built and any upgrade attempt just breaks everything. They're migrating it to Joomla 3 but meanwhile what else can we do besides wait and make dozens of mod_security rules specifically for that problematic site? The same is true for several other Wordpress sites. I doubt any shared hosting here with hundreds of tenants have all of their Wordpress and scripts installations in the latest version possible, all the times. Thank you for the suggestion, we've started developing something but I'll check them out.

Posted by v33usa, 04-04-2016, 03:20 PM
You missed the point. Just read my last post.

Posted by bear, 04-04-2016, 04:36 PM
You have server hardware from 1996 running?

Posted by WPCYCLE, 04-04-2016, 04:52 PM
It's running DOS. I don't think anyone is trying to exploit or hack into it. Welcome to WHT. I'm only going by what you typed. You said one thing, and once everyone called you out on it, you're now saying something else. Just say the something else to begin with Plus...there's so many that comes on here asking for help, and will admit to not being fully knowledgeable on the subject, but yet will need help from others, for free, while red flags are raised since that the person is being paid to provide a service and their customers do not realize they have no clue what they're doing. Or...once advice is given, they yell at everyone, and come back in 3 weeks about being hacked/exploited...blaming the host in the process.

Posted by v33usa, 04-04-2016, 05:52 PM
What did I say that I changed after being called out?? I didn't even know I was being 'called out'

Posted by net, 04-04-2016, 09:49 PM
thread closed per OP's request.



Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
Atjeu is down? (Views: 368)