July 26, 2012

AntiDef command-line tool

Defacement attacks are not common; across a few sources I found an average of 6700 defacements in the past year. I would therefore like to share a tool that I developed in order to protect against these defacement attacks.

Defacement scenarios
1. RFI (Remote File Inclusion) attack, which enables the attacker to include a remote file into the web site.
2. Exploitation of a file upload vulnerability combined with directory traversal.
3. SQL injection on systems that hold their dynamic data in a database, e.g. a CMS (Content Management System).
4. CSRF on administrative actions, e.g. committing edited content in a CMS.

How AntiDef works
AntiDef compares two directory paths: the web application and its backup folder. It computes an MD5 hash (chosen for performance) of each file in both folders and then a final hash over all of the file hashes. The final hashes of the source and the destination are compared; if they differ, a defacement has been found. In that case, only the defaced files are moved (by default) to a pre-defined "Defaced" folder and replaced with the legitimate files from the backup. The "Defaced" folder then holds the malicious files, a timestamp of the defacement and a log.
AntiDef compares the two paths every 60 seconds by default; the interval can be configured.
The full manual is shown by running the tool without parameters, i.e. java -jar AntiDef.jar
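To make one check pass concrete, here is an added Python example (not AntiDef's own Java code) of the algorithm described above: per-file MD5 hashes, a final digest over the sorted list of hashes, and quarantine-plus-restore of only the files that differ. It assumes the "Defaced" folder lives outside both the web root and the backup, and shows a single pass; running it every 60 seconds is left to the caller.

```python
import hashlib
import shutil
from datetime import datetime, timezone
from pathlib import Path

def file_hash(path: Path, algo: str = "md5") -> str:
    """Hash one file in chunks; MD5 by default, as the post chose it for speed."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root: Path, algo: str = "md5") -> dict:
    """Map each file's path (relative to root) to its hash."""
    return {str(p.relative_to(root)): file_hash(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}

def tree_digest(hashes: dict, algo: str = "md5") -> str:
    """Final hash over all per-file hashes, in sorted order so it is stable."""
    h = hashlib.new(algo)
    for rel, digest in sorted(hashes.items()):
        h.update(f"{rel}:{digest}\n".encode())
    return h.hexdigest()

def check_and_restore(webroot: Path, backup: Path, defaced_dir: Path) -> list:
    """One pass: if the tree digests differ, move every changed or injected file into
    a timestamped quarantine folder, restore the backup copy of every file that should
    exist, and write a log. Returns the affected relative paths (sorted)."""
    live, good = tree_hashes(webroot), tree_hashes(backup)
    if tree_digest(live) == tree_digest(good):
        return []                      # nothing changed: fast path, no file I/O
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    quarantine = defaced_dir / stamp   # assumed to be outside both trees
    quarantine.mkdir(parents=True, exist_ok=True)
    changed = {r for r in live if r in good and live[r] != good[r]}
    defaced = sorted((set(live) ^ set(good)) | changed)   # modified, added, deleted
    with (quarantine / "defacement.log").open("a") as log:
        for rel in defaced:
            if rel in live:            # modified or attacker-added: move out of webroot
                (quarantine / rel).parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(webroot / rel), str(quarantine / rel))
            if rel in good:            # legitimate file: put the backup copy back
                (webroot / rel).parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(backup / rel, webroot / rel)
            log.write(f"{stamp} {rel} live={live.get(rel)} backup={good.get(rel)}\n")
    return defaced
```

Deleted files are restored as well, since a deletion also changes the final digest; the quarantine folder keeps the modified and injected files together with the log for later forensics.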

Open source
The tool is written in Java and shared on SourceForge both as a jar and as source code. You can use it, open tickets, improve it, etc. It was written "quick-and-dirty", but it works well on files and folders only; database protection is not supported by this tool.
Source: https://sourceforge.net/projects/antidef/