I am running different web pages on a couple of different shared hosting / webspace servers. So I do not have root access to the servers but only to my webspace root/home dir and very limited user rights.
One of my WordPress based pages has recently been hacked. It seems that some vulnerability has been exploited to get access to the webspace to abuse it for spam mailings.
I am well aware that security updates are the best defense against such attacks and that the server admin has the best tools and options to detect and to avoid any new attacks.
However, I would like to add another line of defense. Of course the possibilities are limited within the access restrictions. But all the attacker did was to change/add a lot of .htaccess files to serve his purpose.
Is there any security tool that is able to scan the webspace for suspicious changes in the file system? Maybe a simple PHP script that can detect new or changed files and notify me?
In theory this sounds quite easy to implement. But maybe there are arguments against such a solution?
There are many plugins from WordPress designed to help you with this. I like the ability to use cron on my servers to write scripts and set up my own checks, but as you do not have this feature on your hosted servers, you might want to have a look at the following:
Firstly, there is this tool from Google to check if your site has been pwned: http://www.google.com/safebrowsing/diagnostic?site=<YourSiteAddress>
Some other plugins that you might want to take a look at/install are:
https://wordpress.org/plugins/exploit-scanner/
https://wordpress.org/plugins/sucuri-scanner/
https://wordpress.org/plugins/wordfence/
Hope this helps! Stay Secure!
Thanks,
//P
There are some things to keep in mind. First of all, you need a base-line. The first state, which you want to compare with. Every single file needs to be indexed, hashed, registered.
The next thing is: you need a way to scan all your files. It's possible to do this with a script, but because you're on shared hosting, a cli-script will be a little difficult. So scanning can only be done through a browser, which has timeouts and things like that.
You also have to check for every file that is in your index, but also every file that is not in your index. Caching can be an enemy. If you have something like that, how do you control this? Exclude the directory? What if that directory is used for spamming?
It's possible. There are solutions for it. But on shared hosting, without access to a cli to make a cronjob, to have filesystem-tools, it's difficult.
Fortunately, you won't need to deal with the access restrictions of the shared hosting to achieve what you need. Just install the WordFence plugin via wp-admin, check/edit the default settings of the plugin and scan your site with it. (It also offers several other features, including some limited functionality to repair the infected files.)
https://wordpress.org/plugins/wordfence/
I would build something around a hash value (checksum) of the file and keep a database table about them. If a checksum changes without external (intended) action, the file would be compromised.
For that I would use PHP's method md5_file (http://php.net/manual/de/function.md5-file.php)
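The baseline-and-compare approach described in the answers above (index and hash every file, then report changed files as well as files missing from the index), as an added example that is not code from any of the posters. It uses `hash_file` with SHA-256 in place of `md5_file`; the function names `scan_tree` and `diff_trees`, the JSON baseline format and the temporary demo tree are assumptions of this sketch.

```php
<?php
// Added example: hash-based file integrity check (names and baseline format are assumptions).

// Walk $root recursively and return [relative path => SHA-256 hex digest].
function scan_tree(string $root): array
{
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        // SKIP_DOTS only skips "." and "..", so dotfiles such as .htaccess are included.
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    return $hashes;
}

// Compare a stored baseline with the current state of the tree.
function diff_trees(array $baseline, array $current): array
{
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) {
            $changed[] = $path;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $current)),
        'changed' => $changed,
    ];
}

// Demo on a constructed temporary tree (not real site data).
$root = sys_get_temp_dir() . '/fim_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'hello';\n");
file_put_contents("$root/.htaccess", "Options -Indexes\n");
// In real use, keep the baseline outside the scanned tree so it cannot be rewritten with it.
$baselineFile = sys_get_temp_dir() . '/fim_baseline_' . basename($root) . '.json';
file_put_contents($baselineFile, json_encode(scan_tree($root)));

// Simulate the kind of change described in the question: edited and new .htaccess files.
file_put_contents("$root/.htaccess", "# modified\n", FILE_APPEND);
file_put_contents("$root/uploads/.htaccess", "# new file\n");

$report = diff_trees(json_decode(file_get_contents($baselineFile), true), scan_tree($root));
print_r($report);
```

Directories excluded from the scan (a cache directory, for instance) are blind spots, so any exclusion should be narrow; the baseline must also be rebuilt after each intended update so that legitimate changes are not reported.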