Simon
Flexible server monitoring

Malware Site Monitoring

Sorry if this has been asked over & over - I couldn't find a way to search the forum.

I want to be able to scan files for changes and look for new files/folders on my hosting account (contains multiple domains).

What is the best way to do this?

If with Simon - what settings / function do I use? I've tried the http but that seems to give changes every minute or shows the site as unavailable when it is available.

For the new files - do I use the FTP script add-on?
Sorry I'm new to Simon and can't figure it out in the time I have to implement a solution.

David Sinclair

Re: Malware Site Monitoring

There's a search box at the bottom of every page, but I'm happy to answer questions.

I'm not entirely sure what you're after, but if you want to monitor your website's pages for changes by hackers, the Web (HTTP) service would be perfect. If the page content is dynamic, you can use the Smart Change Detection feature (soon to be replaced by a more versatile Filter feature in version 2.6) to examine a relevant static portion of the page.

If you want to look for new files or folders, you could use the FTP Directory Listing service, again looking for changes.

If you need something more flexible, you could write a PHP or Perl script (either locally or on your server) to check whatever attributes you want and have Simon use that to monitor.

Hope this helps.
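The script route David mentions above, written out as an added example that is not Simon's code and not from the thread: a local script that baselines a web root by content hash and then reports new, changed and removed files and folders, which is what the original poster wanted for the whole hosting account. The thread suggests PHP or Perl; Python is used here. The root path, the baseline file location and the demo tree are assumptions made for the example.

```python
"""Baseline-and-diff check for a hosting account's web root: reports new,
changed and removed files and new directories. Added example, not Simon's
code; the demo tree at the bottom is constructed in a temporary directory."""
import hashlib
import json
import os
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each entry under root (POSIX path relative to root) to a value
    that changes when the entry does: "dir" for directories, "link:<target>"
    for symlinks, the SHA-256 of the content for regular files. Content is
    hashed rather than mtime because whoever can write a web shell can also
    reset timestamps with touch."""
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:  # symlinked dirs are listed here, not descended
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            snap[rel] = "link:" + os.readlink(p) if p.is_symlink() else "dir"
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            snap[rel] = "link:" + os.readlink(p) if p.is_symlink() else _sha256(p)
    return snap


def diff_snapshots(baseline, current):
    """Sorted lists of paths added, modified and removed since baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current
                           if k in baseline and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
    }


def check(root, baseline_file):
    """Diff root against the JSON baseline; create the baseline on first run.
    Keep baseline_file outside root, or it will show up as modified itself."""
    current = snapshot(root)
    baseline_path = Path(baseline_file)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=1, sort_keys=True))
        return {"first_run": True, "added": [], "modified": [], "removed": []}
    baseline = json.loads(baseline_path.read_text())
    report = diff_snapshots(baseline, current)
    report["first_run"] = False
    return report


def demo():
    """Constructed scenario (assumed file names): baseline a tiny web root,
    then simulate an attacker appending an eval() backdoor to index.php,
    dropping a new directory with a shell in it and deleting a file.
    Returns the diff report."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        root.mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "style.css").write_text("body { color: black; }\n")
        baseline = snapshot(root)
        with (root / "index.php").open("a") as f:
            f.write("<?php eval(base64_decode('aGk=')); ?>\n")
        (root / "images").mkdir()
        (root / "images" / "shell.php").write_text("<?php system($_GET['c']); ?>\n")
        (root / "style.css").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    import sys
    # usage: python fim.py /path/to/public_html /path/outside/webroot/baseline.json
    report = check(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for kind in ("added", "modified", "removed"):
        for path in report[kind]:
            print(f"{kind:9} {path}")
```

Run it against a local mirror of the account (pulled down over FTP or rsync) or on the server itself from cron, and have Simon alert on the script's output. Whichever way it runs, keep the baseline file somewhere the web server's user cannot write: a baseline that sits inside public_html can be rewritten by the same attacker who planted the shell.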

Re: Malware Site Monitoring

Yes this is what I want to do - (filter for possible web hacks)

A few questions for you:

- Do I have to do a web filter for every domain on the hosting account or can a web HTTP service be configured for say the public_html folder so any change to any domain would be seen?

- If possible for public_html folder will this still trigger false stats for page views?

- If I have to do one domain at a time (arghh!) how can I get Simon to scan every page on the domain for changes without giving false page view stats (say with Google analytics)?

- What settings should I use (i.e. POST / GET) and what section - I want to monitor both headers for eval code and content for iframe attacks...

- no idea about PHP / Perl scripts (my head is about to explode with all the information I have had to review regarding cleaning & protecting my hosting account / domains from a malware attack) so I'll leave that bait alone right now :)

Any word on when 2.6 will be coming out?

Thanks so much for your response.

David Sinclair

Re: Malware Site Monitoring

Each test checks one thing, be it a web page, FTP directory listing, ping, etc. So unfortunately you'd need to add separate tests for each page you want to monitor.

I have had one or two requests for a service that scans all pages on a site, and I'll probably add that in due course, though it isn't currently scheduled.

To avoid false page views, just set the checking frequency to something infrequent. Maybe once a day, or every few hours, depending on how quickly you want to be notified.

2.6 is currently scheduled for beta in June and general release in July.

Re: Malware Site Monitoring

If I need a separate test for each web page / ftp listing I don't think that this is suitable at all for this task. It's a shame as I thought I had found what I needed :o

Thanks for your replies though

- if you do ever add this feature please let me know - I (and no doubt countless others) would be keen. Mac software to combat the growing threat of server malware attacks is hard to find.

David Sinclair

Re: Malware Site Monitoring

I'm sorry I can't offer a better solution for your needs at this time.

If you don't find anything better, Simon may still be useful as a spot check — have a few tests monitoring a few key pages. If your site is hacked, they'd likely hack the home page more than any other page, so just monitoring the home page is probably sufficient.

Regarding the site-wide check service idea, the primary purpose of that would be to check that links work. Checking for changes on all pages makes things more complex, since you'd likely only want to look at static portions of each page. Though I could perhaps output the combined source of all pages, and use the more advanced Filters feature in 2.6 to examine relevant portions.

I do value all feedback. If there's something Simon can't do, or can't do as conveniently as one might desire, I listen and consider ways to accommodate such requests (while keeping the overall vision of the app in mind).

Re: Malware Site Monitoring

Thanks David.

I am having trouble using the HTTP at all for this purpose.

It gives constant changes - with either source or header selected in smart change detection.

Adding the Start / End Text (ie to | respectively) gives me 'site down' error in Simon.

If I remove smart detection will the headers still be scanned? Will I be alerted if something changes? No, I just tested this and changing the header doesn't give an alert with smart detection off.

So my question again is - how do I use smart detection to scan the headers to tell me if any code is inserted without giving me changes every time Simon checks (things like Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635↩Content-Encoding: gzip↩Vary: Accept-Encoding↩Cache-Control: no-store, no-cache, must-reva)?
It's a php part of the site - which is the main place hackers try to get their eval64 code.

Do you have any suggestions?

Thanks

David Sinclair

Re: Malware Site Monitoring

Do a preview of the page a few times, and look in the Source window (which shows the headers at the top and the source at the bottom). You'll notice parts that remain the same, and parts that change (most likely a date).

What you need to do is set the Start and End text to enclose the part that doesn't change normally, i.e. to exclude the date.

Yes, changes are only reported if you have change detection enabled. The failure you got would be due to it not finding the Start or End text you entered; see the error in the Failures log.

As mentioned, 2.6 will have a more advanced Filters feature, which will enable you to strip the date out and leave the remainder of the text. But for 2.5, you need to specify a block that normally doesn't change.

Hope this helps.
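What David describes here, carried out in code as an added example (not Simon's code, not from the thread): the Start/End text idea re-implemented in Python so that the volatile headers (Date and the like) and a dynamic footer are left out of the fingerprint, two clean fetches therefore hash the same, and a page with an injected hidden iframe does not. It also scans headers and body together for the eval-of-encoded-payload and iframe patterns the thread mentions. The responses are constructed inline (modelled on the Apache headers quoted above, with made-up dates), and the marker strings, header list and regular expressions are assumptions.

```python
"""Fingerprint the stable part of an HTTP response and scan it for
injected code. Added example, not Simon's code; every response below is
constructed inline so the script runs offline."""
import hashlib
import re

# Headers whose values change on every request and must be left out of the
# fingerprint, otherwise every check reports a change (the problem in the
# thread). Content-Length is excluded because dynamic page parts alter it;
# real content changes are still caught by hashing the body region.
VOLATILE_HEADERS = {"date", "expires", "set-cookie", "etag", "last-modified",
                    "age", "content-length"}

# Indicators for the attacks the thread mentions: PHP eval of an encoded
# payload, and hidden iframes or obfuscated script writes in the page.
SUSPICIOUS = [
    ("eval of encoded payload",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("hidden iframe",
     re.compile(r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?0\b"
                r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)),
    ("obfuscated document.write",
     re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
]


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def stable_headers(headers):
    """Canonical text of the non-volatile headers, sorted by name."""
    return "\n".join(f"{k}: {v}" for k, v in sorted(headers.items())
                     if k not in VOLATILE_HEADERS)


def region(text, start, end):
    """The equivalent of Simon's Start/End text: the slice from the first
    occurrence of start through the following end. A missing marker is an
    error, which matches the failed check the thread describes."""
    i = text.find(start)
    if i < 0:
        raise ValueError(f"start marker not found: {start!r}")
    j = text.find(end, i + len(start))
    if j < 0:
        raise ValueError(f"end marker not found: {end!r}")
    return text[i:j + len(end)]


def fingerprint(raw, start=None, end=None):
    """SHA-256 over status line, stable headers and the chosen body region."""
    status, headers, body = parse_response(raw)
    part = region(body, start, end) if start and end else body
    material = status + "\n" + stable_headers(headers) + "\n" + part
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def scan_text(text):
    """Names of the indicators found in text, in SUSPICIOUS order."""
    return [name for name, rx in SUSPICIOUS if rx.search(text)]


def scan(raw):
    """Scan headers and body of a raw response together."""
    _, headers, body = parse_response(raw)
    header_text = "\n".join(f"{k}: {v}" for k, v in headers.items())
    return scan_text(header_text + "\n" + body)


def _response(date, content):
    """Constructed response modelled on the headers quoted in the thread."""
    body = ("<html><body>\n<div id=\"content\">" + content + "</div>\n"
            "<footer>Generated " + date + "</footer>\n</body></html>")
    return ("HTTP/1.1 200 OK\r\n"
            "Date: " + date + "\r\n"
            "Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14\r\n"
            "Content-Type: text/html\r\n"
            "Cache-Control: no-store, no-cache, must-revalidate\r\n"
            "\r\n" + body).encode("utf-8")


# Assumed marker strings and sample pages; the dates are made up.
START, END = '<div id="content">', "</div>"
PAGE = "<p>Welcome to our site.</p>"
CLEAN_A = _response("Sat, 01 May 2010 12:00:01 GMT", PAGE)
CLEAN_B = _response("Sat, 01 May 2010 12:01:02 GMT", PAGE)
INFECTED = _response("Sat, 01 May 2010 12:02:03 GMT", PAGE +
                     '<iframe src="http://malware.invalid/x" width="0" height="0"></iframe>')

if __name__ == "__main__":
    print("whole page, two clean fetches differ:",
          fingerprint(CLEAN_A) != fingerprint(CLEAN_B))
    print("content region, two clean fetches differ:",
          fingerprint(CLEAN_A, START, END) != fingerprint(CLEAN_B, START, END))
    print("content region, infected differs:",
          fingerprint(INFECTED, START, END) != fingerprint(CLEAN_A, START, END))
    print("indicators in infected page:", scan(INFECTED))
```

The first print shows the poster's symptom (a fingerprint over the whole page changes on every fetch because of the footer and the Date header); the second shows David's fix (fingerprint only the region between markers); the third shows that an injection inside that region still changes it. The pattern scan is a useful second signal, but it only catches known obfuscation styles, so the fingerprint comparison remains the primary check.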

Re: Malware Site Monitoring

Is there a way of getting the green 'change symbol' to change without resetting the rest of the stats?

I set the test, it detects a change when I upload a new file, now I want it to go black again so I can see from one glance if one changes unexpectedly.

With your advice on preview:
- it doesn't work with header scan as that info isn't shown in preview at all.
- testing with the source option and it seems ok for some part of the page >sounds like 2.6 will be much more usable.

David Sinclair

Re: Malware Site Monitoring

You can't reset the status icon color independently of the other stats, but there is a feature for this purpose: the change marker. Just like unread messages in an email client, the yellow "unviewed" marker appears when there's a new change, and you can clear it when you've seen it. This marker shows up in the Dock icon and system menu, too, making it quick and easy to see when there are new changes. You can clear the marker by clicking on the test, by clicking the Viewed toolbar button, via the Edit ▶ Mark as Viewed command, or via corresponding commands in the Dock menu or system menu.

For the source window, I meant the window you get via File ▶ Show Source, which includes the headers at the top.

Re: Malware Site Monitoring

so this means I have to remember to reset the stats each time I upload to the site > otherwise I don't get the notification from Simon saying it's changed and I lose the uptime / downtime stats?

Will this be changed in 2.6 as well?

David Sinclair

Re: Malware Site Monitoring

No, if you update the page or other content that Simon is monitoring, you'll get a change notification. So you'd just mark that as viewed. You shouldn't need to reset the stats at all.

Re: Malware Site Monitoring

I only get the change speech once - ie the first time the site changes. Then I get the green arrow but no speech notification. If I reset the stats the next time it changes I get notification - but only once.

David Sinclair

Re: Malware Site Monitoring

Are you editing the test? When you edit a test, the next check doesn't result in a change, since you may have altered something that would affect the change detection. Subsequent checks will detect changes made after that time, though.