<a href="http://la-samhna.de/samhain/">http://la-samhna.de/samhain/</a> if you have the resources to run it (its complex)<br><br>Or, an afternoons work should have something nice going on if you use tripwire <a href="http://sourceforge.net/projects/tripwire/">http://sourceforge.net/projects/tripwire/</a><br>
<br>Not sure how to do this on a shared host tho. <br><br><div class="gmail_quote">On Wed, Jan 27, 2010 at 4:41 PM, Steven Jones <span dir="ltr"><<a href="mailto:steven.jones@computerminds.co.uk">steven.jones@computerminds.co.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">> Is it a good security tip to monitor the integrity of Drupal sources by<br>
> using MD5 hashes on the files ?<br>
> Is there a known/efficient way to achieve this ?<br>
<br>
</div><a href="http://drupal.org/project/md5check" target="_blank">http://drupal.org/project/md5check</a><br>
<br>
But this is a drupal module, and thus pretty useless, because it is<br>
part of the system that you're looking to stop being modified. Better<br>
to just hash some files on cron or something if you care to leave your<br>
drupal installation writeable by the web server.<br>
<br>
Regards<br>
Steven Jones<br>
ComputerMinds ltd - Perfect Drupal Websites<br>
<br>
Phone : 024 7666 7277<br>
Mobile : 07702 131 576<br>
Twitter : darthsteven<br>
<a href="http://www.computerminds.co.uk" target="_blank">http://www.computerminds.co.uk</a><br>
<br>
<br>
<br>
2010/1/27 Nicolas Tostin <<a href="mailto:nicolast@logis.com.mx">nicolast@logis.com.mx</a>>:<br>
<div><div></div><div class="h5">> Is it a good security tip to monitor the integrity of Drupal sources by<br>
> using MD5 hashes on the files ?<br>
> Is there a known/efficient way to achieve this ?<br>
><br>
><br>
> ----- Original Message -----<br>
> From: "Laura" <<a href="mailto:pinglaura@gmail.com">pinglaura@gmail.com</a>><br>
> To: <<a href="mailto:development@drupal.org">development@drupal.org</a>><br>
> Sent: Wednesday, January 27, 2010 9:53 AM<br>
> Subject: Re: [development] Fully patched site hacked and cloaked<br>
><br>
><br>
> On Jan 27, 2010, at Wed 1/27/10 4:45am, Gerhard Killesreiter wrote:<br>
><br>
>> Were you able to determine the attach vector that was used to be able<br>
>> to modify bootstrap.inc?<br>
><br>
> I just saw this performed on a D5 site. Bootstrap.inc was indeed altered, an<br>
> additional system.php file was inserted in the modules folder, and the<br>
> pernicious (drug) website files were inserted into the cgi folder *above*<br>
> the webroot. The code was sniffing passwords. Several files contained<br>
> nothing but hashes.<br>
><br>
> I mention this because if we see a pattern across many sites, this entire<br>
> conversation should move to security reports offline.<br>
><br>
> Laura<br>
><br>
><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>-- <br>--<br>Steve Power<br>Principal Consultant<br>Mobile: +44 (0) 7747 027 243<br>Skype: steev_initsix<br><a href="http://www.initsix.co.uk">www.initsix.co.uk</a> :: Initsix Heavy Engineering Limited<br>
--<br>