The story behind this is that I do some occasional IT support for a gentleman who does important technical work in steam railway preservation, and he has a web site which documents some highly technical material, but isn't updated from one year to the next. Last year his web site was attacked by a number of spam-type organisations, and I helped him out in recovering it. Unfortunately the damage wasn't spotted until some time after the incident, so there were no logs available from his hosting provider to help identify the attack vector.
Early this year the site was attacked again, and although we spotted it quite quickly the ISP logs had already rolled over, so there was no way of identifying where the weakness was. Clearly what was needed was an automated system to notify me immediately in the event of further defacement, so that the logs would still be available.
Thus this script, which is intended to be run daily, e.g. from the Windows scheduler. It reads the server file list via FTP, and alerts if the number of files in the directory tree changes, and if the most recent timestamp in the file system changes. Clearly this isn't much use for an active and dynamic site, but hopefully next time the site is defaced we'll find out fast enough for the hosting provider to be able to spot the attack vector in their logs.
Anyway, the other problem was that I no longer have a selection of Unix hosts available to run cron jobs, so this was going to have to run on a Windows workstation at home. So I decided this was a good opportunity to make a start on learning PowerShell, and here is a rather naive first attempt at a PowerShell script.
What it does is first query a log file for the time the script was last run, and for the timestamp of the newest file on the web system at that time. It then contacts the web server via FTP and retrieves a recursive list of files and their timestamps on the server, and compares both the number of files and the timestamp of the newest file with the log. If either differs then something has changed on the host, and an alert email is generated.
Other functionality is a rollover facility for the log files and a reasonable amount of validation of the data stored in the log files in case of problems. At the same time as the logs roll over, the system also generates a confidence email to demonstrate that it is still running. Log rollover and "I'm alive" emails may be daily, weekly, monthly or annually.
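Since the check is only described in prose above, here is an added PowerShell example of the core of it (my own illustration, not the author's script): parse a recursive FTP listing, compare the file count and newest timestamp with the previous run's baseline, and say why they differ. It assumes Unix-style LIST -R output and a small JSON baseline file; the listing below is a constructed sample, and the function and file names are mine.

```powershell
# Added example, not the author's script: the "did anything change?" core of the check.
# Assumes the recursive listing is the text an FTP server returns for LIST -R
# (Unix ls -l style) and that the baseline is a small JSON file left by the previous run.
function ConvertFrom-FtpListing {
    param([string[]]$Lines)
    # Regular files only; directory headers ("./images:") and blank lines do not match.
    $pattern = '^-[rwxstST-]{9}[+.@]?\s+\d+\s+\S+\s+\S+\s+\d+\s+(\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2}))\s+(.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $stamp = $Matches[1] -replace '\s+', ' '
            # Servers print HH:mm for recent files and the year otherwise; add the year to the former.
            if ($stamp -match ':') { $stamp += " $((Get-Date).Year)" }
            [pscustomobject]@{
                Name     = $Matches[2]
                Modified = [datetime]::ParseExact($stamp, [string[]]('MMM d yyyy', 'MMM d HH:mm yyyy'),
                               [cultureinfo]::InvariantCulture, 'None')
            }
        }
    }
}
function Test-SiteChanged {
    param([string[]]$ListingLines, [string]$BaselinePath)
    $files  = @(ConvertFrom-FtpListing -Lines $ListingLines)
    $newest = ($files | Sort-Object Modified -Descending | Select-Object -First 1).Modified
    $current = @{ FileCount = $files.Count; Newest = '' }
    if ($newest) { $current.Newest = $newest.ToString('o') }
    $reasons = @()
    if (Test-Path $BaselinePath) {
        $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
        if ($baseline.FileCount -ne $current.FileCount) { $reasons += "file count $($baseline.FileCount) -> $($current.FileCount)" }
        if ($baseline.Newest -ne $current.Newest) { $reasons += "newest file $($baseline.Newest) -> $($current.Newest)" }
    }
    $current | ConvertTo-Json | Set-Content $BaselinePath   # record this run for the next comparison
    [pscustomobject]@{ Changed = ($reasons.Count -gt 0); Reasons = $reasons; FileCount = $current.FileCount; Newest = $current.Newest }
}
# Constructed sample listing standing in for the FTP reply; a real run would fetch it with System.Net.FtpWebRequest.
$sample = @(
    '.:',
    'drwxr-xr-x  2 web web  4096 Mar 03  2023 images',
    '-rw-r--r--  1 web web 12034 Mar 03  2023 index.html',
    '',
    './images:',
    '-rw-r--r--  1 web web 88123 Feb 11  2023 loco.jpg'
)
$result = Test-SiteChanged -ListingLines $sample -BaselinePath (Join-Path $env:TEMP 'site-baseline.json')
if ($result.Changed) {
    # Replace Write-Warning with Send-MailMessage (-To, -From, -Subject, -Body, -SmtpServer) to get the alert e-mail.
    Write-Warning ('Site changed: ' + ($result.Reasons -join '; '))
}
```

The first run only writes the baseline; on later runs, any difference in file count or newest timestamp sets Changed and lists the reason, which is what the alert email should carry so the hosting provider knows which log window to look at.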
The script should most definitely be regarded as beta test status.
All PowerShell scripts really ought to be digitally signed, otherwise the system needs to be opened up to some undesirable attacks. The process is a *lot* more trouble than it ought to be: it's all command-line driven and multi-step. I've used this blog page from Scott Hanselman as a step-by-step set of instructions, and it works for me.
These snippets and utilities are licensed under the University of Illinois/NCSA Open Source License. Here is the text of the license as it applies to this code.