June 5 2024

From Malware Cleanup to Continuous Security with Web Hash Scanner

Web Hash Scanner: Bash-script file monitoring software that ensures the security and integrity of your website by detecting any suspicious changes.


In the modern digital age, where online activities have become the beating heart of many companies, cybersecurity plays a fundamental role. This is the story of one of our clients, an e-commerce company, who experienced a recurring nightmare of malware infections on their WordPress site. When they decided to switch to our services, their system was already significantly compromised by another provider, and our job was not only to offer hosting and optimization, but also to carry out a complete malware cleanup.

The Drama of Persistent Infection

It all started on a hot summer afternoon, when our client contacted us in a panic. Their website, crucial to sales and company reputation, had been compromised by malware. This wasn't the first time this had happened, and despite numerous cleanup and security-enhancing attempts with the previous vendor, the infection kept reappearing. Every time they thought they had solved the problem, new malicious files would pop up out of nowhere, threatening system stability and the trust of their customers.

The attacks recurred with alarming frequency, compromising customer trust and causing significant financial losses. Despite implementing various security measures, the site remained vulnerable. The situation had become unsustainable and the client urgently needed a permanent solution.

The On-Boarding Challenge

When the customer decided to switch to our services, we inherited a system that was already significantly compromised. The first challenge was to carry out a complete cleanup of existing malware. The site had been infested with backdoors and access vectors that allowed attackers to re-infiltrate the system even after a thorough clean. These entry vectors often involved the creation or modification of files, days or weeks after the initial compromise, making the malware extremely difficult to fully detect and remove.

The Search for a Solution

Our team of experts immediately began an in-depth analysis to identify the source of the problem. It was clear that simply removing the malware would not be enough. We needed a system that could constantly monitor file integrity and detect any suspicious changes or the introduction of new unauthorized files. Thus was born the “Web Hash Scanner” development project: software based entirely on the Bash shell and SQLite, designed to provide an effective and automated solution for monitoring file changes in a web installation.

The Development of Web Hash Scanner

The software development process involved several phases, each with the goal of creating a robust and reliable solution. The first phase involved defining the software requirements. It had to be lightweight, easy to use and able to run in the background without impacting site performance. Furthermore, it had to be capable of performing a full scan of the .js, .css and .php files present in the web installation, recording the absolute path of each file, its last modification date and the MD5 hash of its contents, and comparing the results of the current scan with those of a previous scan.

Implementation of the Code

We chose the Bash shell for its flexibility and ease of scripting, and SQLite as the database for its light footprint and ease of integration.

Here is the complete software code:

#!/bin/bash

# Check if sqlite3 is installed
if ! command -v sqlite3 &> /dev/null; then
    echo "sqlite3 is not installed. Please install sqlite3 and try again."
    exit 1
fi

# Path of the WordPress installation
DOCROOT_PATH="/home/pathtoyourwebsite/htdocs/"

# Name of the SQLite database. Keep it outside the document root and unwritable
# by the web server user: a baseline the attacker can edit is no baseline at all
DB_NAME="webhashscan.db"

# Date of the scan
SCAN_DATE=$(date +"%Y-%m-%d %H:%M:%S")

# Create the database and tables if they do not exist
sqlite3 "$DB_NAME" <<EOF
CREATE TABLE IF NOT EXISTS files (
    id INTEGER PRIMARY KEY,
    scan_id INTEGER,
    file_path TEXT,
    file_date TEXT,
    file_md5 TEXT,
    scan_date TEXT
);
CREATE TABLE IF NOT EXISTS scans (
    scan_id INTEGER PRIMARY KEY AUTOINCREMENT,
    scan_date TEXT
);
EOF

# Insert a new scan and get the scan ID
SCAN_ID=$(sqlite3 "$DB_NAME" <<EOF
INSERT INTO scans (scan_date) VALUES ('$SCAN_DATE');
SELECT last_insert_rowid();
EOF
)

# Double any single quote so a value can be placed inside an SQL string literal.
# File names on a compromised site are attacker-controlled, so they must never
# be interpolated into SQL unescaped
sql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Function to scan files and save data to the database
scan_files() {
    local path=$1
    # -print0 and read -d '' keep file names containing spaces or newlines intact
    find "$path" -type f \( -name "*.php" -o -name "*.js" -o -name "*.css" \) -print0 |
    while IFS= read -r -d '' file; do
        file_date=$(stat -c %y "$file")
        # hash from stdin so md5sum's output does not depend on the file name
        file_md5=$(md5sum < "$file" | awk '{ print $1 }')
        sqlite3 "$DB_NAME" <<EOF
INSERT INTO files (scan_id, file_path, file_date, file_md5, scan_date)
VALUES ($SCAN_ID, '$(sql_escape "$file")', '$file_date', '$file_md5', '$SCAN_DATE');
EOF
    done
}

# Scan files in the WordPress installation
scan_files "$DOCROOT_PATH"

# Compare the current scan with the previous one
compare_scans() {
    # Get the ID of the previous scan
    PREV_SCAN_ID=$(sqlite3 "$DB_NAME" <<EOF
SELECT scan_id FROM scans WHERE scan_id < $SCAN_ID ORDER BY scan_id DESC LIMIT 1;
EOF
)

    if [ -z "$PREV_SCAN_ID" ]; then
        echo "No previous scan found. This is the first scan."
        return 0    # return, not exit, so the completion message below is still printed
    fi

    # Compare files between the two scans: a row is reported when the hash changed
    # (modified file) or when the file has no counterpart in the previous scan (new file).
    # Files deleted since the previous scan are not listed by this query
    sqlite3 "$DB_NAME" <<EOF
.headers on
.mode column
SELECT
    f1.file_path AS "File Path",
    f1.file_date AS "Current Date",
    f2.file_date AS "Previous Date",
    f1.file_md5 AS "Current MD5",
    f2.file_md5 AS "Previous MD5"
FROM
    files f1
LEFT JOIN
    files f2
ON
    f1.file_path = f2.file_path
    AND f2.scan_id = $PREV_SCAN_ID
WHERE
    f1.scan_id = $SCAN_ID
    AND (f1.file_md5 != f2.file_md5 OR f2.file_md5 IS NULL);
EOF
}

# Perform the scan comparison
compare_scans

echo "Scan completed. Scan ID: $SCAN_ID"

Implementation in the Customer Case

After developing and testing the software, we implemented “Web Hash Scanner” into the client's infrastructure. The first step was to perform a deep clean of the system to remove existing malware. Immediately after, we ran an initial scan with the software to create a snapshot of the system's clean state.

Over the next few days and weeks, we ran periodic scans to monitor the health of the system. Each subsequent scan compared the results to the previous snapshot, allowing us to immediately spot any suspicious changes or the introduction of new files.

A Success Case

On one particular occasion, after a routine scan, the software detected the presence of new .php files and suspicious changes to existing files. Thanks to the detailed report generated by “Web Hash Scanner”, we were able to quickly identify the compromised files and take immediate measures to neutralize the threat. The customer was able to operate with the certainty that any unwanted changes would be detected promptly, reducing the risk of future infections.

Benefits and Results

Thanks to “Web Hash Scanner”, our customer was able to obtain numerous benefits:

  • Continuous monitoring: The ability to constantly monitor file integrity made it possible to promptly detect any reinfection attempts.
  • Reduction of intervention times: Automating the monitoring process has significantly reduced the time needed to identify and respond to new threats.
  • Security Improvement: The customer was able to implement more effective and targeted security measures, improving the overall protection of the system.
  • Increased Customer Trust: Reduced outages and improved security have helped restore customer trust and improve the company's image.

Conclusion

Our client's story highlights the importance of having a robust, automated system for monitoring file integrity in a web installation. “Web Hash Scanner” has proven to be an indispensable tool for guaranteeing the security and integrity of the system, allowing any attempted infection to be promptly detected and counteracted. If you are also facing similar challenges in managing the security of your website, contact us to find out how “Web Hash Scanner” can help you protect your system and maintain the trust of your customers.

The source code can be found under the AGPL license at the following GitHub address: https://github.com/MarcoMarcoaldi/WebHashScanner
