Create daily md5-hashes of the web-content of a domain, to quickly identify tampering or hacking.
Let Plesk on every night optionally create/compare md5-hashes from all files in the domain's storage-space (web, httpdoc, ftp) and update this in a simple list (database), sortable by date of last change, size, number of changes. Indicating "changed files in the last xx days" to have a time-window to drill down.
In addition, accumulate all vhosts together into a separate "Admin-View", where ALL domains are put together alphabetically.
Add an additional button "snapshot", so one could create a list of all webfiles on request. For example, when an incident has been cleaned, then click "snapshot" and then wait some time to see if the changes come back within a short time.
This would allow the customer and the Admins to quickly see which files and when have been updated/changed lately or tampered with (hacked/defaced homepages). And the admins can spot such repeated activities or attacks which span over multiple domains (produced by Botnets and such) on his server.
Cheers,
Eric
-
Hostasaurus commented
This can be easily accomplished with OSSEC, and in fact, you would ideally implement it with something like ossec outside of Plesk, because you don't want an unauthorized Plesk access resulting in the monitoring being disabled without your knowledge. You could even run it from a different server to ensure the agent hasn't been tampered with.
-
Adrien Foulon commented
The rsync command can do what you want (except for the interface) but you can have a cron run to output the rsync result to a file.
-
Marco Marsala commented
There are free alternatives too, like BinaryCanary. Don't implement this or you will get too many false positives.
-
Stephen Shaw commented
I was hacked with DrupalGeddon, this would have saved me because I thought I had patched in time < 7 Hrs - I didn't patch in time and did not realize I was vulnerable until 6 months later when they activated the hack.
-
Damien commented
These are remote services, so they can only scan webpage output. They are defacement monitors.
The feature here is filesystem based, so it would identify new unknown files, or backend changes to files that may not cause any change to generated HTML.
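
The nightly hash-and-compare job and the "snapshot" button requested at the top of this thread, sketched as an added example (not code from any commenter or from Plesk). It uses SHA-256 in place of the md5 named in the request, and the `httpdocs` sample tree, `baseline.json` and all function names are constructed for illustration. In practice the baseline file would be stored somewhere the site's own account cannot write to.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def snapshot(root):
    """Return {relative path: {sha256, size, mtime}} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):   # os.walk does not descend into symlinked dirs
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):              # do not hash through symlinks
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            st = os.stat(path)
            snap[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}
    return snap

def compare(old, new):
    """Classify paths by content hash only; size and mtime are kept for sorting the list."""
    return {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in old if p in new and old[p]["sha256"] != new[p]["sha256"])}

def run(root, baseline):
    """Nightly job or 'snapshot' button: diff against the stored baseline (a Path), then replace it."""
    old = json.loads(baseline.read_text()) if baseline.exists() else {}
    new = snapshot(root)
    baseline.write_text(json.dumps(new, indent=1, sort_keys=True))
    return compare(old, new)

def demo():
    """Constructed docroot: same-size edit with mtime put back, one deletion, one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root, baseline = Path(tmp, "httpdocs"), Path(tmp, "baseline.json")
        (root / "uploads").mkdir(parents=True)
        (root / "index.php").write_bytes(b"<?php echo 'home';")
        (root / "about.html").write_bytes(b"<p>about</p>")
        run(root, baseline)                       # first run: every file is reported as added
        st = (root / "index.php").stat()
        (root / "index.php").write_bytes(b"<?php echo 'h0me';")   # same length as before
        os.utime(root / "index.php", (st.st_atime, st.st_mtime))   # timestamp restored
        (root / "about.html").unlink()
        (root / "uploads" / "new.php").write_bytes(b"<?php // constructed sample")
        return run(root, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The edit to `index.php` keeps the file's size and timestamp unchanged, so a size-and-date comparison would report nothing there; the content hash still lists it under `changed`.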