I am surprised that there is no automated alert to tell the webmaster that his code has changed on his website. Especially on the payments page!

With 50,000,000 users a month, surely they have a whole team working on checkout, all the time?

Do you have such automated alerts set up yourself? Do you know anyone with such alerts set up?

I do.

I have a tiny $5 Onion Omega2 on an independent cellular connection that checks file integrity on the production web servers every 15 minutes.

If the content of any of the files changes, I get an e-mail.

If the alerts start coming in when I know I've just pushed a new version to production, the mail has a link that I can click that will re-scan all of the files and build new checksums.

If the alerts start coming in in the middle of the night, then I know something is up.

Obviously, this only works in small environments like mine where I'm the only one capable of updating the production servers. But it managed to catch a backdoor left in by the previous developer, who for some reason stored and updated his resume on the production server.
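As an added example (not the commenter's own script or anything from the Omega2 device), here is the core of such a check in Python: baseline every file under a web root with a SHA-256 digest, compare on each scheduled run, and accept the new state when a deploy is known. The web root, the baseline file and the sample pages are constructed for the demo; the mailing step is left out, so each run returns the drift report instead.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its digest."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or whose content changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }

def scan(root: Path, baseline_file: Path, rebaseline: bool = False) -> dict:
    """One scheduled run: diff against the stored baseline. rebaseline=True is
    the 'I just deployed, accept the new state' action behind the e-mail link."""
    current = build_baseline(root)
    if rebaseline or not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        return {"added": [], "removed": [], "changed": []}
    baseline = json.loads(baseline_file.read_text())
    return compare(baseline, current)

def demo() -> dict:
    """Constructed web root: baseline it, then tamper with the checkout page."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "www"
        (root / "js").mkdir(parents=True)
        (root / "checkout.php").write_text("<?php // constructed checkout page\n")
        (root / "js" / "app.js").write_text("console.log('constructed');\n")
        state = Path(d) / "baseline.json"
        scan(root, state)                                   # first run writes the baseline
        (root / "checkout.php").write_text("<?php // constructed: modified page\n")
        (root / "resume.doc").write_text("constructed stray file\n")
        return scan(root, state)                            # drift since the baseline
```

Run it from cron every 15 minutes with the baseline stored off the monitored host, and wire the non-empty report into whatever mailer you use.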

Ingenious. Have you considered a blog post on this approach?

It would be interesting to deploy a few of them in different places and check that they all see the same as well, maybe.

Also did you do this as a belts and braces thing or is the system you are auditing particularly high security/risk in some way?

You can just set up Tripwire to do this sort of thing. It's in most distro package managers.

https://github.com/Tripwire/tripwire-open-source/#open-sourc...

What that won't do is save you from malicious code inserted into 3rd party content (script libraries, etc.) that you load from a CDN. If you're worried about that, you should make a copy of a verified version and serve it yourself.