We provide both external monitoring and internal tripwire/monitoring. This page describes an internal tool for PHP-based sites.

Internal monitoring

From “inside” the server, you have a unique view of the code that creates your dynamic web site—a view we can’t get from the outside.

This PHP script (or “page”) spiders your web document root (docroot) and looks at PHP files, looking for PHP functions used in most malware hacks. The functions are also used in legitimate PHP applications, so don’t be surprised if we find some in your site on the first scan.

If your site has been compromised, we have an extended edition of this utility that can be used to repair PHP files, if the injected code is the same on each PHP file. To make repairs, you must have shell access to your server to run the utility plus the ability to run PHP from the command line. (For Linux servers this is pretty straightforward.)

The CyberSpark tripwire (scanner)

To install the utility, you must download the text version of this PHP script from our server* (right-click and download the source), change the extension from txt to php and then upload the file to your server’s docroot. You need to create a world-writeable directory /cyberspark as well (see instructions in the downloaded file). You can then test from a web browser.

When you’ve put the file in place, you notify us and we’ll add this URL to your list of monitored URLs and alert you when there's a change.

CyberSpark database alerts

The two most common attacks on free speech sites are the addition of PHP code to your files, and SQL-injection attacks against your database. Our script can be downloaded and installed as a PHP file on your server so we can monitor your database. First, download the text version of the script from our server, then change the extension from txt to php and upload the file to your server’s docroot. Test from a web browser.

*The download is for PHP version 5. If you need a PHP 4 version, use this one. We actively support only the PHP 5 version.