WWW Content Integrity Check

How to detect unathorized changes on WWW webservers.

How to detect unathorized changes on WWW webservers. Detect and remove webshells, track changes. Short and fast script in python.


How to use

Download tool here

Edit script:

1. Change protected directory (dir)
2. (Optional) Enable removing new and changed files. Set remove to 1
3. Run script manually
4. Add script to crontab

When performing authorized change
1. Disable removing files
2. Remove file_db.db - internal file database
3. Run script manually

Auditing
1. Recent changes in log.txt
2. SQL based analysis: Open log_db.db in SQLite browser


First usage result
New file:/var/www/html/img/aws/bgp-map.png 6e3785b84f158de646d300b1a56876f3
New file:/var/www/html/img/aws/r4route.png 212d69e9dbb934d0558d0234a15a8cf9
New file:/var/www/html/img/wanopt/rdp.png be8b998167f8c1da60a551f2cd8c4e2c
New file:/var/www/html/img/wanopt/cifs1.png 6c60fefb55c2688cdd8f8486dd7bdb74
New file:/var/www/html/img/wanopt/cifs2.png 4fa99f97ea2953b3c476107976e1f315
New file:/var/www/html/img/badstore/injectme.png a8e252a43561d455d85f789b5813c288
New file:/var/www/html/img/badstore/db.png dd14b8f1b26a7dc8fdcb8300f7f2eae5
New file:/var/www/html/img/badstore/cred.png 0f5af47296d15a0b898b9c699f29e6bc
New file:/var/www/html/img/pingperf/pingperf4.png cfeefc350ca92ff0aa3133a001c3a536
New file:/var/www/html/img/pingperf/pingperf1.png 33ef3c2a4bb33132e961d73d943c8ba5
New file:/var/www/html/img/pingperf/pingperf3.png 2c96c0222960f5d6595ad8e19a2a6b3f



Detected changes:
File changed:/var/www/html/time-destroyer.html 0719399de06f9a7498704e44d67e0716
New file:/var/www/html/xxx.php d41d8cd98f00b204e9800998ecf8427e
Missing file:/var/www/html/category/.html 8c50728c62a8e71a23a6930200bf07f9