A website defacement is the unauthorized substitution of a web page or
a part of it by a system cracker. A defacement is generally meant as a
kind of electronic graffiti, although recently it has become a means
to spread messages by politically motivated cyber protesters or
This is a very common form of attack that seriously damages the trust
and the reputation of a website.
Detecting web page defacements is one of the main services of a
security monitoring system.
A long time ago I wrote a small, smart application to detect website
defacements at large scale, with the ability to monitor a lot
(thousands) of websites. This was a test to collect some statistics,
so I tried to do it in a short time: I wrote it in a few days.
So I asked myself which techniques and technologies I could use to
get the highest detection rate with the minimum effort.
I chose Ruby, with Ruby on Rails for the user interface and
EventMachine to speed up performance.
With only a few days of development I couldn't struggle with complex
algorithms to detect defacements, so I chose some very simple
techniques that, after some months of tests, seemed to be very
effective. The performance and detection rate of these “poor man”
techniques are comparable to some other commercial monitoring
The key feature of the proposed techniques is that they do not require
the installation of a component (like an HIDS) or the participation of
the site maintainers. They require only the URL of the web site to
Today I want to share this brainstorming about web site detection