Thanks to sites like the Sucuri Security blog, domain name administrators should be learning that it is important to watch for updates to WHOIS records. Companies like Sucuri offer such a service free for one domain but charge for additional domains while providing extended services. If you'd just like to monitor your own WHOIS records using a simple script, you can be inspired by last year's article Network-based integrity monitoring keeps website hacks in check by David Davidson.
I decided to create the following simple script to watch two of my domains.
richard@macmini:~/check$ cat check.sh
#/bin/sh
/usr/bin/whois bejtlich.net > /home/richard/check/bejtlich.net.whois.new.txt
/usr/bin/whois taosecurity.com > /home/richard/check/taosecurity.com.whois.new.txt
/usr/bin/diff -u /home/richard/check/bejtlich.net.whois.old.txt \
/home/richard/check/bejtlich.net.whois.new.txt | mail -s "bejtlich.net whois check" taosecurity@gmail.com
/usr/bin/diff -u /home/richard/check/taosecurity.com.whois.old.txt \
/home/richard/check/taosecurity.com.whois.new.txt | mail -s "taosecurity.com whois check" taosecurity@gmail.com
mv /home/richard/check/bejtlich.net.whois.new.txt /home/richard/check \
/bejtlich.net.whois.old.txt
mv /home/richard/check/taosecurity.com.whois.new.txt /home/richard/check \
/taosecurity.com.whois.old.txt
Is this the world's greatest shell script? No, I wrote it in 60 seconds to make my point. Feel free to create something uber-cool and post it here. :)
Next I created empty files:
$ echo "" > bejtlich.net.whois.old.txt
$ echo "" > taosecurity.com.whois.old.txt
Finally I ran the check:
$ ./check.sh
Checking my email, I got two. Here's the one for bejtlich.net:
--- /home/richard/check/bejtlich.net.whois.old.txt 2010-05-22 20:52:58.000000000 -0400
+++ /home/richard/check/bejtlich.net.whois.new.txt 2010-05-22 20:53:05.000000000 -0400
@@ -1 +1,106 @@
+Whois Server Version 2.0
+
+Domain names in the .com and .net domains can now be registered
+with many different competing registrars. Go to http://www.internic.net
+for detailed information.
+
+ Domain Name: BEJTLICH.NET
+ Registrar: GODADDY.COM, INC.
+ Whois Server: whois.godaddy.com
+ Referral URL: http://registrar.godaddy.com
+ Name Server: NS18.ZONEEDIT.COM
+ Name Server: NS8.ZONEEDIT.COM
+ Status: clientDeleteProhibited
+ Status: clientRenewProhibited
+ Status: clientTransferProhibited
+ Status: clientUpdateProhibited
+ Updated Date: 22-may-2010
+ Creation Date: 01-jul-2000
+ Expiration Date: 01-jul-2011
...truncated...
As you can see it's "all new" because the old file was empty.
When I run the check again, I should get no significant changes via email.
--- /home/richard/check/bejtlich.net.whois.old.txt 2010-05-22 20:53:05.000000000 -0400
+++ /home/richard/check/bejtlich.net.whois.new.txt 2010-05-22 20:55:28.000000000 -0400
@@ -19,7 +19,7 @@
Creation Date: 01-jul-2000
Expiration Date: 01-jul-2011
->>> Last update of whois database: Sun, 23 May 2010 00:52:33 UTC <<<
+>>> Last update of whois database: Sun, 23 May 2010 00:54:20 UTC <<<
- Hide quoted text -
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
You could argue not to use diff -u to simplify the output. Sure, you could. I just prefer seeing some context when changes do occur.
Now I'm going to add another DNS server to my WHOIS record and see if my script catches the change.
Reading email...
--- /home/richard/check/bejtlich.net.whois.old.txt 2010-05-22 20:55:28.000000000 -0400
+++ /home/richard/check/bejtlich.net.whois.new.txt 2010-05-22 20:58:09.000000000 -0400
@@ -10,6 +10,7 @@
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS18.ZONEEDIT.COM
+ Name Server: NS5.ZONEEDIT.COM
Name Server: NS8.ZONEEDIT.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
@@ -19,7 +20,7 @@
Creation Date: 01-jul-2000
Expiration Date: 01-jul-2011
->>> Last update of whois database: Sun, 23 May 2010 00:54:20 UTC <<<
+>>> Last update of whois database: Sun, 23 May 2010 00:57:09 UTC <<<
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
@@ -103,4 +104,5 @@
Domain servers in listed order:
NS18.ZONEEDIT.COM
NS8.ZONEEDIT.COM
+ NS5.ZONEEDIT.COM
There it is -- ns5.zoneedit.com. If I hadn't made that change, then I would know someone has compromised my account.
The next evolution of this script is to run it from cron, and better yet modify it so I only get an email if there is a change. For now, I have a simple way to watch for changes. Again, Sucuri should take credit for bringing this to people's attention during the last 2 years or so.
0 komentar:
Posting Komentar