The ENTRUSANS™ Experience with Wordpress, Drupal and Joomla

MadTek first developed the ENTRUSANS™ intrusion detection system (IDS) for the open-source content management systems Wordpress, Drupal and Joomla.  Testing the ENTRUSANS IDS on these platforms shows patterns of change behavior that are useful in interpreting ENTRUSANS Change Activity Reports (ECARs).  The frequency of website changes varies depending on the application.  When a website changes, ENTRUSANS IDS sends a Change Activity Alert email.  This email contains the ECAR for that scan period.  The ENTRUSANS system scans websites daily, and beta users may receive alerts containing legitimate changes once per scan.

Spotting Hacker Files

The MadTek experience with hackers shows that websites are continuously scanned from external hosts looking for file-upload vulnerabilities in your website.  Content management systems like Wordpress, Drupal and Joomla are under constant attack.  Common attack vectors include any plugin that allows files to be uploaded, such as content editors or image management plugins.  Hackers can place new files anywhere in a website directory as well as change existing files in any web directory.  Look for the following:

  • New PHP files in media directories. Hackers hide executable PHP files in directories where only media files are located such as a directory named images.
  • New PHP files in plugin directories. Hackers often upload malicious files directly into the directory where the compromised plugin is located.
  • New PHP files in the DocumentRoot website directory. Hackers will place executable PHP files in the root directory of your website.
  • Open-source applications like Wordpress, Drupal and Joomla have a "Core" directory structure where the executable files of the application reside. Hackers will insert malicious code into these files. Any changes to application core files should be investigated.
  • New hacker files often have unusual names. Names like erbe.php, zzez13.php, none.css, general.php, stati.php, poll-rtls.php are examples of filenames seen in actual hacked sites.

Website Changes Reported Daily

The Wordpress, Drupal and Joomla applications can be configured in many ways that result in continuous changes to the website.  Examples include:

  • Websites configured to maintain log files for activities on the website
  • Websites configured to maintain error log files
  • Websites configured to use cache files to enhance website performance

Alerts will be emailed daily with the ECAR showing the names of files that changed, new files and deleted files.  All three types of change may occur in one ECAR, while other ECARs will show only some of them.  While hackers can place files in directories where files change daily, this is uncommon.
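The checks in "Spotting Hacker Files" and the expected daily noise listed above can be turned into a simple triage of an ECAR's file list. The following is an added example, not ENTRUSANS code; the report format (a list of change-type/path pairs), the directory names used for media, plugin, core and noise paths, and the sample report are all constructed assumptions.

```python
# Triage of a constructed ECAR-style change list using the page's heuristics.
# Directory names below are assumptions covering Wordpress, Drupal and Joomla layouts.
MEDIA_DIRS = ("images", "uploads", "media", "files")
PLUGIN_DIRS = ("plugins", "modules", "components")
CORE_DIRS = ("wp-admin", "wp-includes", "core", "administrator", "libraries")
NOISE_DIRS = ("cache", "logs", "log")
NOISE_SUFFIXES = (".log", ".cache")

# Constructed sample report: (change_type, path relative to DocumentRoot).
SAMPLE_ECAR = [
    ("new", "wp-content/uploads/2024/erbe.php"),        # PHP in a media directory
    ("new", "wp-content/plugins/image-gallery/stati.php"),  # PHP in a plugin directory
    ("new", "zzez13.php"),                              # PHP in DocumentRoot
    ("changed", "wp-includes/functions.php"),           # core file modified
    ("new", "wp-content/uploads/2024/product.jpg"),     # routine media upload
    ("changed", "wp-content/cache/page-1.html"),        # daily cache churn
    ("changed", "logs/error.log"),                      # daily log churn
    ("changed", "wp-content/plugins/image-gallery/gallery.php"),  # plugin update?
]

def classify(change_type, path):
    """Map one ECAR entry to a triage category."""
    parts = path.split("/")
    dirs, name = parts[:-1], parts[-1].lower()
    # Expected daily noise: logs and cache files (see "Website Changes Reported Daily").
    if any(d in NOISE_DIRS for d in dirs) or name.endswith(NOISE_SUFFIXES):
        return "expected-noise"
    # Any new or changed file under an application core directory is suspect.
    if change_type in ("new", "changed") and any(d in CORE_DIRS for d in dirs):
        return "core-file-changed"
    if change_type == "new" and name.endswith(".php"):
        if not dirs:
            return "php-in-docroot"
        if any(d in MEDIA_DIRS for d in dirs):
            return "php-in-media-dir"
        if any(d in PLUGIN_DIRS for d in dirs):
            return "php-in-plugin-dir"
    # Everything else is compared against the site's authorized maintenance log.
    return "review-against-maintenance-log"

def suspicious(ecar):
    """Return the entries that match a hacker-file pattern, with their category."""
    flagged = []
    for change_type, path in ecar:
        category = classify(change_type, path)
        if category not in ("expected-noise", "review-against-maintenance-log"):
            flagged.append((path, category))
    return flagged

if __name__ == "__main__":
    for path, category in suspicious(SAMPLE_ECAR):
        print(f"{category:22s} {path}")
```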

Website Changes Reported Sporadically

Normal website maintenance will generate email alerts with an ECAR listing the new, changed and deleted files.  Examples include Wordpress, Drupal or Joomla security updates and updates to plugins.  These updates can be frequent over the course of a year.  Website maintenance also includes routine updates to graphics files, depending on the function of the website.  Websites that feature products often see periodic updates to graphics files and uploads of PDF files and other media files.  These changes should be easily tracked against authorized edits to the website.

Close monitoring of normal website maintenance is key to spotting hacker files.  If you know the normal change activity on your website and you receive a Change Activity Alert that is outside your normal maintenance routine, the ECAR will report the details of the changes.