In the modern digital age, where online activity has become the beating heart of many companies, cybersecurity plays a fundamental role. This is the story of one of our clients, an e-commerce company, who lived through a recurring nightmare of malware infections on their WordPress site. When they decided to switch to our services, their system had already been significantly compromised while hosted with another provider, and our job was not only to offer hosting and optimization, but also to carry out a complete malware cleanup.
The Drama of Persistent Infection
It all started on a hot summer afternoon, when our client contacted us in a panic. Their website, crucial to sales and company reputation, had been compromised by malware. This wasn't the first time this had happened, and despite numerous cleanup and security-enhancing attempts with the previous vendor, the infection kept reappearing. Every time they thought they had solved the problem, new malicious files would pop up out of nowhere, threatening system stability and the trust of their customers.
The attacks recurred with alarming frequency, compromising customer trust and causing significant financial losses. Despite implementing various security measures, the site remained vulnerable. The situation had become unsustainable and the client urgently needed a permanent solution.
The On-Boarding Challenge
When the customer decided to switch to our services, we inherited a system that was already significantly compromised. The first challenge was to carry out a complete cleanup of the existing malware. The site had been seeded with backdoors and other entry points that allowed the attackers to get back in even after a thorough clean. These persistence mechanisms typically surfaced as files created or modified days or weeks after the initial compromise, which made the infection extremely difficult to detect and remove completely.
The Search for a Solution
Our team immediately began an in-depth analysis to identify the source of the problem. It was clear that simply removing the malware would not be enough. We needed a system that could continuously monitor file integrity and flag any suspicious change or the appearance of new, unauthorized files. This is how the “Web Hash Scanner” project was born: a tool written entirely in Bash and SQLite, designed to provide an effective, automated way of monitoring file changes in a web installation.
The Development of Web Hash Scanner
The software development process involved several phases, each aimed at producing a robust and reliable solution. The first phase was defining the requirements. The tool had to be lightweight, easy to use and able to run in the background without affecting site performance. It also had to scan every .js, .css and .php file in the web installation, record each file's absolute path, last-modification date and the MD5 hash of its contents, and compare the results of the current scan with those of the previous one.
Implementation of the Code
We chose Bash for its flexibility and ease of scripting, and SQLite as the database for its small footprint and ease of integration. The tool records MD5 hashes: MD5 is no longer collision-resistant, but detecting that a file differs from its recorded version only requires that an attacker cannot produce a second preimage for an existing hash, which remains impractical. Swapping md5sum for sha256sum is a one-line change if policy requires a modern hash.
Here is the complete software code:
#!/bin/bash

# Check that sqlite3 is installed
if ! command -v sqlite3 &> /dev/null; then
    echo "sqlite3 is not installed. Please install sqlite3 and try again."
    exit 1
fi

# Path of the WordPress installation
DOCROOT_PATH="/home/pathtoyourwebsite/htdocs/"

# Name of the SQLite database (keep it outside the web root)
DB_NAME="webhashscan.db"

# Date of the scan
SCAN_DATE=$(date +"%Y-%m-%d %H:%M:%S")

# Create the database and tables if they do not exist
sqlite3 "$DB_NAME" <<EOF
CREATE TABLE IF NOT EXISTS files (
    id INTEGER PRIMARY KEY,
    scan_id INTEGER,
    file_path TEXT,
    file_date TEXT,
    file_md5 TEXT,
    scan_date TEXT
);
CREATE TABLE IF NOT EXISTS scans (
    scan_id INTEGER PRIMARY KEY AUTOINCREMENT,
    scan_date TEXT
);
EOF

# Insert a new scan and get the scan ID
SCAN_ID=$(sqlite3 "$DB_NAME" <<EOF
INSERT INTO scans (scan_date) VALUES ('$SCAN_DATE');
SELECT last_insert_rowid();
EOF
)

# Scan files and save path, modification date and MD5 to the database.
# All INSERTs are fed to a single sqlite3 process inside one transaction:
# starting one process per file is far slower on a large docroot.
scan_files() {
    local path=$1
    {
        echo "BEGIN TRANSACTION;"
        # -print0 / read -d '' keeps paths containing spaces or newlines intact
        find "$path" -type f \( -name "*.php" -o -name "*.js" -o -name "*.css" \) -print0 |
        while IFS= read -r -d '' file; do
            file_date=$(stat -c %y "$file")   # GNU stat; on BSD/macOS use: stat -f %Sm
            file_md5=$(md5sum "$file" | awk '{ print $1 }')
            # Double any single quote in the path: a file name chosen by the
            # attacker must not be able to break out of the SQL string literal
            safe_path=${file//\'/\'\'}
            echo "INSERT INTO files (scan_id, file_path, file_date, file_md5, scan_date) VALUES ($SCAN_ID, '$safe_path', '$file_date', '$file_md5', '$SCAN_DATE');"
        done
        echo "COMMIT;"
    } | sqlite3 "$DB_NAME"
}

# Scan files in the WordPress installation
scan_files "$DOCROOT_PATH"

# Compare the current scan with the previous one
compare_scans() {
    # Get the ID of the previous scan
    PREV_SCAN_ID=$(sqlite3 "$DB_NAME" <<EOF
SELECT scan_id FROM scans WHERE scan_id < $SCAN_ID ORDER BY scan_id DESC LIMIT 1;
EOF
)
    if [ -z "$PREV_SCAN_ID" ]; then
        echo "No previous scan found. This is the first scan."
        return 0
    fi

    # Report files that are new or whose hash changed since the previous scan
    # (files deleted since the previous scan are not listed by this query)
    sqlite3 "$DB_NAME" <<EOF
.headers on
.mode column
SELECT f1.file_path AS "File Path",
       f1.file_date AS "Current Date",
       f2.file_date AS "Previous Date",
       f1.file_md5  AS "Current MD5",
       f2.file_md5  AS "Previous MD5"
FROM files f1
LEFT JOIN files f2 ON f1.file_path = f2.file_path AND f2.scan_id = $PREV_SCAN_ID
WHERE f1.scan_id = $SCAN_ID AND (f1.file_md5 != f2.file_md5 OR f2.file_md5 IS NULL);
EOF
}

# Perform the scan comparison
compare_scans

echo "Scan completed. Scan ID: $SCAN_ID"
Implementation in the Customer Case
After developing and testing the software, we implemented “Web Hash Scanner” into the client's infrastructure. The first step was to perform a deep clean of the system to remove existing malware. Immediately after, we ran an initial scan with the software to create a snapshot of the system's clean state.
Over the following days and weeks we ran periodic scans to monitor the health of the system. Each scan is compared with the one immediately before it, so every report has to be reviewed when it is produced: a change that is not investigated becomes the reference for the next run, and a file that is deleted rather than added or modified does not appear in the report at all. For the same reason the SQLite database has to live outside the web root, readable and writable only by the account that runs the scanner, with a copy kept off the host: an attacker who can write to the site could otherwise edit the recorded hashes to hide their changes. With these precautions in place, the comparison let us spot suspicious changes and new files as soon as the next scan ran.
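The comparison logic is worth looking at on its own. Below is an added example, written for this article in Python with the standard-library sqlite3 module and not part of Web Hash Scanner, that uses the same two tables as the script and reports new, modified and deleted files between a current scan and any reference scan, so the reference can be the trusted post-cleanup baseline rather than only the previous run. All paths, dates and hashes are constructed sample data. The inserts use bound parameters, and the last sample path deliberately contains a single quote and SQL text to show that a file name chosen by an attacker is stored literally instead of being interpreted.

```python
"""Added example, not part of Web Hash Scanner: diff two scans stored in the
same schema the script uses and report new, modified and deleted files.
Paths, dates and hashes below are constructed sample data."""
import sqlite3

SCHEMA = """
CREATE TABLE files (
    id INTEGER PRIMARY KEY,
    scan_id INTEGER,
    file_path TEXT,
    file_date TEXT,
    file_md5 TEXT,
    scan_date TEXT
);
CREATE TABLE scans (
    scan_id INTEGER PRIMARY KEY AUTOINCREMENT,
    scan_date TEXT
);
"""


def record_scan(conn, scan_date, entries):
    """Store one scan; entries is an iterable of (file_path, file_date, md5).
    Returns the new scan_id."""
    cur = conn.execute("INSERT INTO scans (scan_date) VALUES (?)", (scan_date,))
    scan_id = cur.lastrowid
    # Bound parameters: a path containing a quote or SQL text is stored as
    # data, unlike a value interpolated into the text of the statement.
    conn.executemany(
        "INSERT INTO files (scan_id, file_path, file_date, file_md5, scan_date) "
        "VALUES (?, ?, ?, ?, ?)",
        [(scan_id, path, date, md5, scan_date) for path, date, md5 in entries],
    )
    conn.commit()
    return scan_id


def diff_scans(conn, current_id, reference_id):
    """Compare current_id against reference_id (previous scan or trusted baseline).
    Returns {'added': [path], 'modified': [(path, old_md5, new_md5)], 'deleted': [path]}."""
    added = [row[0] for row in conn.execute(
        "SELECT f1.file_path FROM files f1 "
        "LEFT JOIN files f2 ON f2.file_path = f1.file_path AND f2.scan_id = ? "
        "WHERE f1.scan_id = ? AND f2.file_md5 IS NULL ORDER BY f1.file_path",
        (reference_id, current_id))]
    modified = [tuple(row) for row in conn.execute(
        "SELECT f1.file_path, f2.file_md5, f1.file_md5 FROM files f1 "
        "JOIN files f2 ON f2.file_path = f1.file_path AND f2.scan_id = ? "
        "WHERE f1.scan_id = ? AND f1.file_md5 != f2.file_md5 ORDER BY f1.file_path",
        (reference_id, current_id))]
    # Files present in the reference but absent now: the script's query
    # joins from the current scan, so it never reports these.
    deleted = [row[0] for row in conn.execute(
        "SELECT f2.file_path FROM files f2 "
        "LEFT JOIN files f1 ON f1.file_path = f2.file_path AND f1.scan_id = ? "
        "WHERE f2.scan_id = ? AND f1.file_md5 IS NULL ORDER BY f2.file_path",
        (current_id, reference_id))]
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Build an in-memory database with a constructed baseline and a second
    scan; return (diff against the baseline, total rows in files)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    baseline = record_scan(conn, "2024-07-01 02:00:00", [
        ("/srv/htdocs/index.php", "2024-06-30 10:00:00", "a" * 32),
        ("/srv/htdocs/wp-config.php", "2024-06-30 10:00:00", "b" * 32),
        ("/srv/htdocs/wp-content/themes/shop/style.css", "2024-06-30 10:00:00", "c" * 32),
    ])
    # Second scan: index.php modified, style.css gone, and a new file whose
    # name carries a quote and SQL text (attackers choose their file names).
    second = record_scan(conn, "2024-07-02 02:00:00", [
        ("/srv/htdocs/index.php", "2024-07-01 23:41:09", "d" * 32),
        ("/srv/htdocs/wp-config.php", "2024-06-30 10:00:00", "b" * 32),
        ("/srv/htdocs/wp-content/uploads/cache'); DELETE FROM files; --.php",
         "2024-07-01 23:41:10", "e" * 32),
    ])
    total_rows = conn.execute("SELECT COUNT(*) FROM files").fetchone()[0]
    return diff_scans(conn, second, baseline), total_rows


if __name__ == "__main__":
    diff, rows = demo()
    print(f"{rows} file rows stored")
    for kind in ("added", "modified", "deleted"):
        for item in diff[kind]:
            print(kind, item)
```

In practice reference_id would be the scan_id recorded right after the cleanup, and the baseline is only moved forward once a report has been reviewed and every listed change has been explained.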
A Success Case
On one particular occasion, a routine scan reported new .php files and suspicious changes to existing files. Thanks to the detailed report produced by “Web Hash Scanner”, we quickly identified the compromised files and took immediate action to neutralize the threat. From then on the customer could operate with the confidence that unwanted changes to the monitored files would be detected at the next scan, reducing the risk of future infections.
Benefits and Results
Thanks to “Web Hash Scanner”, our customer was able to obtain numerous benefits:
- Continuous monitoring: Regularly checking file integrity made it possible to detect reinfection attempts promptly.
- Reduction of intervention times: Automating the monitoring process significantly reduced the time needed to identify and respond to new threats.
- Security improvement: The customer was able to implement more effective and targeted security measures, improving the overall protection of the system.
- Increased customer trust: Fewer outages and improved security helped restore customer trust and the company's image.
Conclusion
Our client's story highlights the importance of having a robust, automated system for monitoring file integrity in a web installation. “Web Hash Scanner” has proven to be an indispensable tool for guaranteeing the security and integrity of the system, allowing any attempted infection to be promptly detected and counteracted. If you are also facing similar challenges in managing the security of your website, contact us to find out how “Web Hash Scanner” can help you protect your system and maintain the trust of your customers.
The source code can be found under the AGPL license at the following GitHub address: https://github.com/MarcoMarcoaldi/WebHashScanner