Network-based integrity monitoring keeps website hacks in check


David Davidson
07.08.2009




We are used to the concept of file integrity monitoring (FIM), where important files and binaries on internal servers are hashed and watched, so that as long as they are intact we have some assurance of the integrity of the system. If a configuration file, a binary or the kernel is modified, the change is detected and traced to determine whether it was authorized.


FIM is common, and compliance regimes such as PCI DSS and HIPAA require or expect it, but we rarely see the same concept applied on the network side, to the Whois record or the DNS zone, for example. How do you know if your Whois information has been altered, if your DNS has been tampered with so that users are redirected to a phishing site, or if your Web server has been hacked and its index page defaced?

While there are plenty of tools that monitor website availability, few check integrity. We need a reliable way to detect when any part of a company's network presence, such as its website, Web applications, DNS or Whois record, has been altered.

Modifications to the website's own files will be caught by most FIM products running on the server. A subtler attack, such as a DNS redirection or a change to the Whois record at the registrar, never touches the server, so host-based FIM will not detect it, and users can be redirected to a malicious site while every file on the server checks out.

MANUAL NETWORK INTEGRITY MONITORING
Manual network integrity monitoring can be done with a handful of scripts and a daily (or hourly) cron job on most Linux systems. It is possible on Windows too, but since that OS lacks some basic networking tools (such as a whois client), we will focus on Linux. To start, set up lynx or wget to download your website pages and take an MD5 and SHA-1 checksum of the results, which later runs compare against the stored values. (Any hash will do for spotting a change in content you control; use sha256sum where it is available, since it costs nothing extra.) Keep the hash files out of the *.txt glob they cover, otherwise the second run hashes the hash file itself and the check always fails:

mkdir /nim
cd /nim
lynx -dump -source http://yoursite.com/ > /nim/tmp-source.txt
lynx -dump http://yoursite.com/ > /nim/tmp-dump.txt
md5sum /nim/*.txt > /nim/hashes.md5
sha1sum /nim/*.txt > /nim/hashes.sha1
md5sum -c /nim/hashes.md5
sha1sum -c /nim/hashes.sha1

You can do the same for the Whois record and DNS. Query the record types you actually publish (NS, A, MX, SOA) rather than ANY: some resolvers and authoritative servers answer ANY with a minimal or refused response, and the answer set they return varies from query to query, which produces false alarms:

whois yourdomain.com > /nim/whois.txt
host -t NS yourdomain.com > /nim/dns-ns.txt
host -t A www.yourdomain.com > /nim/dns-a.txt
md5sum /nim/*.txt > /nim/hashes.md5
sha1sum /nim/*.txt > /nim/hashes.sha1
md5sum -c /nim/hashes.md5
sha1sum -c /nim/hashes.sha1

Once the baselines exist, edit the scripts so that each run fetches fresh copies, re-checks the hashes (the -c flag) and, only when a check fails, runs diff to show exactly what was modified before rotating the new copy into place as the baseline. Guarding the diff with the check matters: an unconditional "diff | mail" sends an empty message every run.

whois yourdomain.com > /nim/whois.txt
if ! md5sum -c --quiet /nim/hashes.md5; then
    diff -u /nim/whois-old.txt /nim/whois.txt | mail -s "Change detail" you@email.com
    cp -p /nim/whois.txt /nim/whois-old.txt
    md5sum /nim/*.txt > /nim/hashes.md5
fi
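As an added example (not the article's scripts and not Sucuri NBIM), here is the same loop written as a small POSIX shell script that a cron job can call. It also handles two things the one-liners above do not: it normalizes the whois and DNS snapshots before comparing them, because registry output carries a "last update of whois database" timestamp that changes on every query and DNS answers come back in varying order, and it only sends mail when there is a diff. The nim_* names, the NIM_DIR layout and the alert mailbox are assumptions; nim_demo feeds constructed whois records (not real registry data) through the checker so it runs without network access.

```shell
#!/bin/sh
# Added example, not the article's script and not Sucuri NBIM: a baseline-and-diff
# monitor in POSIX sh that a cron job can call. The nim_* names, the directory
# under NIM_DIR and the alert mailbox are assumptions; nim_demo uses constructed
# whois records so that it runs offline.

NIM_DIR="${NIM_DIR:-/var/lib/nim}"                 # assumed baseline directory
NIM_MAILTO="${NIM_MAILTO:-security@example.com}"   # assumed alert recipient

# nim_normalize: raw whois/host output on stdin, stable form on stdout.
# Drops lines that differ on every query (the registry's "last update of whois
# database" timestamp, comment lines, blank lines) and sorts the rest, so a
# different round-robin order in a DNS answer is not reported as tampering.
nim_normalize() {
    grep -v -e '^>>> Last update of whois database' -e '^%' -e '^#' \
            -e '^[[:space:]]*$' | sort
}

# nim_check NAME SNAPSHOT: compare SNAPSHOT with the stored baseline for NAME.
# Returns 0 when unchanged (or on the first run, which only records the
# baseline) and 1 when changed; the unified diff is left in NIM_DIR/NAME.diff
# and the baseline is rotated so the next run reports only further changes.
nim_check() {
    name=$1; snap=$2; base="$NIM_DIR/$1.baseline"
    mkdir -p "$NIM_DIR"
    if [ ! -f "$base" ]; then
        cp -p "$snap" "$base"
        return 0
    fi
    if cmp -s "$base" "$snap"; then       # byte-identical: nothing to report
        rm -f "$NIM_DIR/$name.diff"
        return 0
    fi
    diff -u "$base" "$snap" > "$NIM_DIR/$name.diff" || true   # diff exits 1 on change
    cp -p "$base" "$NIM_DIR/$name.previous"
    cp -p "$snap" "$base"
    return 1
}

# nim_alert NAME: mail the stored diff. Nothing is sent when there is no diff.
nim_alert() {
    if [ -s "$NIM_DIR/$1.diff" ]; then
        mail -s "nim: $1 modified" "$NIM_MAILTO" < "$NIM_DIR/$1.diff"
    fi
}

# nim_run DOMAIN: the production path (needs network). Fresh snapshots are
# normalized, checked against their baselines, and any change is mailed.
nim_run() {
    domain=$1; tmp=$(mktemp -d)
    whois "$domain"            | nim_normalize > "$tmp/whois"
    host -t NS "$domain"       | nim_normalize > "$tmp/dns-ns"
    host -t A  "www.$domain"   | nim_normalize > "$tmp/dns-a"
    lynx -dump -source "http://www.$domain/" > "$tmp/web"   # not normalized: every byte counts
    for item in whois dns-ns dns-a web; do
        nim_check "$domain-$item" "$tmp/$item" || nim_alert "$domain-$item"
    done
    rm -rf "$tmp"
}

# nim_demo_snap FILE STATUS UPDATED TIMESTAMP: write a constructed whois record
# (shaped like a registry response, not real data) through nim_normalize.
nim_demo_snap() {
    printf 'Domain Name: EXAMPLE.COM\nStatus: %s\nUpdated Date: %s\n>>> Last update of whois database: %s <<<\n' \
        "$2" "$3" "$4" | nim_normalize > "$1"
}

# nim_demo: offline self-check. A query whose only difference is the registry
# timestamp must stay quiet; removal of the transfer lock must be flagged with
# the old and new Status lines in the diff. Returns 0 when the monitor behaves.
nim_demo() {
    NIM_DIR=$(mktemp -d); tmp=$(mktemp -d)
    nim_demo_snap "$tmp/s1" clientTransferProhibited 26-feb-2007 "06 Jul 2009 01:00 UTC"
    nim_demo_snap "$tmp/s2" clientTransferProhibited 26-feb-2007 "07 Jul 2009 01:00 UTC"
    nim_demo_snap "$tmp/s3" ok 07-jan-2009 "08 Jul 2009 01:00 UTC"
    nim_check demo-whois "$tmp/s1" || return 1             # first run: baseline only
    nim_check demo-whois "$tmp/s2" || return 1             # volatile line only: no alert
    if nim_check demo-whois "$tmp/s3"; then return 1; fi   # real change: must be flagged
    grep -q '^-Status: clientTransferProhibited$' "$NIM_DIR/demo-whois.diff" || return 1
    grep -q '^+Status: ok$' "$NIM_DIR/demo-whois.diff" || return 1
    cat "$NIM_DIR/demo-whois.diff"
    rm -rf "$tmp" "$NIM_DIR"
    return 0
}
```

Call nim_run yourdomain.com from cron, preferably from a host outside your own network. The web snapshot is compared byte for byte, so a page that embeds a date, a session token or rotating ads will alert on every run; for such pages compare the rendered text from lynx -dump instead of the source, or strip the dynamic element with sed before handing the file to nim_check.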

This approach works well if you have a handful of systems to monitor; beyond that, keeping track of all the scripts gets complicated. Another issue is that a monitor running inside your company may not see the same site as people on the outside: split-horizon DNS, internal caches and proxies can all hide an externally visible change. That is why, when you are monitoring your Internet presence, it is better to use an outside look.

AUTOMATED AND FREE NETWORK INTEGRITY MONITORING
To solve some of the issues with manual monitoring and provide a stable outside look at your Internet presence, we decided to develop a free network integrity monitoring application. It is called Sucuri NBIM, and it simplifies all of these steps for the user. It also provides a historical view of everything that changed, detailed diffs and availability information (whether a resource was ever offline).

How powerful can it be? A few months back, during the development of this application, I got an email notifying me that the Whois information for one of my domains had been modified. The alert was:

Sucuri nbim: www.xx.com (whois) modified
Modifications:
16,19c16,17
< Status: clientDeleteProhibited
< Status: clientTransferProhibited
< Status: clientUpdateProhibited
< Updated Date: 26-feb-2007
---
> Status: ok
> Updated Date: 07-jan-2009
End of Notification

As you can see, someone had removed the lock flags from my domain, which is usually only done when you plan to transfer it to someone else. After a few minutes on the phone with the registrar and after updating all my passwords, it was fixed. They also told me they were seeing lots of brute-force attacks trying to get into accounts there.

Another example, from when Google's home page was changed for Mother's Day:

Sucuri nbim: www.google.com (whois) modified
Modifications:
6c6
< Google
---
> Happy Mother's Day!
End of Notification

Not an attack, but it shows how quickly the tool surfaces a change to a site you watch, whether it was made by you, by your registrar or by an intruder.

David Davidson, is a network security consultant, specializing in open source security and intrusion detection tools.

Copyright 2009, TechTarget. All Rights Reserved.