Catch website file changes with AIDE

A week ago I suggested installing AIDE to track changes on your server in case it had been hacked. I think AIDE Is so useful that it deserves a post of it’s own. Here’s a short guide to get it working properly.

The AIDE .deb package includes configuration files for over 80 different software packages or log files. That’s great if you have all that software installed or want to keep a paranoid eye on /var but what if you only care about the directory where your website lives?

When I first installed AIDE (using apt-get install aide), it said I needed to run /usr/sbin/aideinit after installation. Every morning I’d get an email from AIDE with a list of changed files from all over my server, including mail logs, Apache logs, and more. I didn’t need all that so I removed the files from /etc/aide.conf.d/ except my WordPress config file:

/home/web/ Checksums

Unfortunately after I removed the configuration files the daily AIDE email was flooded with open_dir() errors:

Output is 40577 lines, truncated to 1000.
open_dir():Not a directory: /home/donncha/.bashrc
open_dir():Not a directory: /home/donncha/.bash_profile
open_dir():Not a directory: /home/donncha/.viminfo
open_dir():Not a directory: /home/donncha/.bash_history

AIDE was rendered useless by all the errors. Thankfully it was easy to fix. Run aideinit again and it regenerates the AIDE database.

# /usr/sbin/aideinit
Overwrite existing /var/lib/aide/ [Yn]? y
Running aide –init…

AIDE, version 0.13.1

### AIDE database at /var/lib/aide/ initialized.

Overwrite /var/lib/aide/aide.db [yN]? y

For good measure, I ran /etc/cron.daily/aide again which sent me the “Daily AIDE report”, and yes, it reported that my .htaccess file had been changed. Nice.

If your site is on a shared hosting account then you’re out of luck, but if you have a dedicated host, or virtual private server (VPS) then please consider using AIDE to keep track of changed files. It will send you a short email every day listing changed, added or deleted files. It may save you a lot of hassle and embarrassment if your site is hacked.

Edit: By default, the nightly cron script doesn’t update the AIDE database leading to the same files changes reported every day. Edit /etc/default/aide and make sure COPYNEWDB is set to “yes”. That will update the database.

Author: Donncha

Donncha Ó Caoimh is a software developer at Automattic and WordPress plugin developer. He posts photos at In Photos and can also be found on Google+ and Twitter.

14 thoughts on “Catch website file changes with AIDE”

  1. Excellent, really useful, I’ll be using this for all my WP installs from now on.

    After your last post on this subject, I was thinking that it would be a good idea for Automattic to create a plugin that carries out all the checks you suggested people do to find out if they’ve been hacked – obviously, the vast majority of people won’t know or won’t bother and, in the long run, that hurts the reputation of WP. A plugin that makes doing the right thing easier would, of course, lessen the damage.

  2. Piggy – it’s similar, but AIDE goes further.

    First of all, AIDE has a database of file checksums. It runs md5 and various other checksum algorithms on the files you list, and uses that checksum to figure out what files have changed. The plugin above simply checks the file modification time which can be easily spoofed using touch().

    Second, AIDE has to be run as root (well, you could install it in a home directory as an ordinary user too, but I digress) which offers some protection against the database being compromised by the webserver user. Even if a PHP application recorded md5 checksums of all it’s files, you could never trust the database because it would have to be owned by the webserver and therefore at risk of being modified by a hacker.

    That said, if you can’t install AIDE, then you should use a plugin like that. It would be really nice if it emailed the administrator once every 24 hours with a list of changed files.

  3. Hmmm, I’m thinking it would be really useful if, aswell as having a plugin email the admin, if the emails were also CC’d to a central server that could treat them as incoming reports, track the trends and, then, when another rash of attacks hits, could send additional warning emails to people whose emails seemed to indicate a likely attack.

    Donncha, is something like that ever likely to be instituted or does Automattic tend to be more hands-off, culturally?

  4. Donnacha – unfortunately it might have a lot of privacy issues as POST requests include usernames and passwords.
    It’s probably hard, but not impossible, to see a hack attempt in progress. A central db might be useful but it would require a lot of resources.

  5. As you said “If your site is on a shared hosting account then you’re out of luck”

    I think some one must provide features brought to by AIDE into an easier manner. I didn’t think I was harder, but I use shared hosting 🙂

  6. The problem with CentOs is that if you run a cron, it will email you the entire database in addition to the changed files etc. Also, the directory /etc/default/aide isn’t there, so how to set COPYNEWDB to yes?

    Anyone knows how to get this working on CentOs?


  7. Does Aide tie up a bunch of resources? I’m on a shared server, but running multiple WP sites. I would hate to get a letter saying that I needed to move to a dedicated server because of this. Although that’s where I want to be in a year or so, I can’t afford it right now.

Leave a Reply