I suggest you ...

Create daily md5-hashes of the web-content of a domain, to quickly identify tampering or hacking.

Let Plesk optionally create/compare md5-hashes every night from all files in the domain's storage-space (web, httpdoc, ftp) and update this in a simple list (database), sortable by date of last change, size, number of changes. Indicating "changed files in the last xx days" to have a time-window to drill down.

In addition, accumulate all vhosts together into a separate "Admin-View", where ALL domains are put together alphabetically.

Add an additional button "snapshot", so one could create a list of all webfiles on request. For example, when an incident has been cleaned, then click "snapshot" and then wait some time to see if the changes come back within a short time.

This would allow the customer and the admins to quickly see which files have been updated/changed lately or tampered with, and when (hacked/defaced homepages). And the admins can spot such repeated activities or attacks which span multiple domains (produced by botnets and such) on their server.

Cheers,
Eric

50 votes

    Slater shared this idea
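
The snapshot-and-compare check described in the post above, as an added example that is not part of the original post and is not Plesk code. It hashes with SHA-256 by default rather than the MD5 the post names (pass `algo="md5"` for MD5); the function names and the sample docroot are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root, algo="sha256"):
    """Map each file's path (relative to root) to its digest and size."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            digest = hashlib.new(algo)
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            result[rel] = {"hash": digest.hexdigest(), "size": os.path.getsize(full)}
    return result


def compare(old, new):
    """Return files added, removed and changed between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p]["hash"] != new[p]["hash"])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed sample docroot: snapshot, tamper, snapshot again, compare."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'home'; ?>")
        with open(os.path.join(root, "style.css"), "w") as fh:
            fh.write("body { margin: 0 }")
        baseline = snapshot(root)
        # Simulated incident: one file modified, one unknown file added, one deleted.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("<!-- injected -->")
        with open(os.path.join(root, "new.php"), "w") as fh:
            fh.write("<?php ?>")
        os.remove(os.path.join(root, "style.css"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline snapshot outside the docroot and make it unwritable by the site's own user, otherwise whoever changes the files can also rewrite the baseline.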

    3 comments

      • Marco Marsala commented

        There are free alternatives too, like BinaryCanary. Don't implement this or you will get too many false positives.

      • Stephen Shaw commented

        I was hacked with DrupalGeddon, this would have saved me because I thought I had patched in time < 7 Hrs - I didn't patch in time and did not realize I was vulnerable until 6 months later when they activated the hack.

      • Damien commented

        These are remote services, so they can only scan webpage output. They are defacement monitors.

        The feature here is filesystem based, so it would identify new unknown files, or backend changes to files that may not cause any change to generated HTML.
