How The ENTRUSANS™ System Works

Overview

Madtek developed the ENTRUSANS™ Intrusion Detection System (IDS) to provide a detailed history of website file changes.  Access to file change information is invalueable in quickly identifying when a website has been hacked and the impact of the hack.  The many websites that MadTek has analyzed and remediated over a decade involved malicious files uploaded to the website and used for nefarious purposes.  Most MadTek hosting customers use the open-source content management systems Wordpress, Drupal and Joomla.  These applications have a history of security vulnerabilities and as developers fix these vulnerabilities it is wise to expect that users will experience new vulnerabilities as the applications continue to change.  Furthermore, website owners use thousands of plugins, modules and components to enhance their websites adding to the opportunities for hackers.

Of the many types of security vulnerabilities that affect website software, e.g.  XSS and SQL Injection, file upload vulnerabilities rank at the top in terms of damage.  Hackers have near limitless options available to them once they compromise a website.  Over the years MadTek has encountered various hacks including the placement of cleverly hidden Phishing pages that can gain logins for bank accounts, link poisoning that routes links on your website to hacker sites and spam generators that send thousands of spam emails from your website without your knowledge.  Hackers can network compromised websites together to work as a group and they can keep the websites dormant so they can activate them in the future.  

MadTek has ecountered hackers that know about the various security plugins available for applications like Wordpress, Drupal and Joomla and how to disable those plugins.  It is difficult to protect most plugins from a knowlegable hacker.  A key ENTRUSANS design feature is how ENTRUSANS IDS makes it hard for hackers to tamper with the ENTRUSANS files without being detected.  The following section explains how ENTRUSANS IDS works and how to use ENTRUSANS reports.

The ENTRUSANS System

The ENTRUSANS System is a two component system with a centralized server (ENTRUSANS Server) operated by MadTek and a client (ENTRUSANS Client) that resides on your website.  The daily operation of ENTRUSANS IDS is quite simple.  The ENTRUSANS Server contacts the ENSTRUSANS Client every day requesting that day's file system metadata.  The client website returns metadata to the server.  The ENTRUSANS server compares the new metadata against the previous day's metadata stored in the Entrusans database.  If there are metadata changes the system reports to the website owner via email in a report.  The reports will show if a hacker has invaded and placed files on the website.  The following section details how to use these reports to find hacker files quickly.

How to Use ENTRUSANS IDS

The ENTRUSANS Change Activity Report is the primary tool used to detect a hacker.  This report gives four key pieces of metadata information to use for determining whether a hacker has uploaded a file to your website.

Metadata

Description

Timestamp This data point reports if the file timestamp has changed.  Timestamps are important in determining when a hacker uploaded or compromised a file.
Changed This data point reports a change to an existing file. Files can change for legitimate reasons or hackers may modify files.
New This data point reports when a new file is created on your website. New files can appear for legitimate reasons e.g. cache files and software updates or they can be files uploaded by a hacker.
Deleted This data point shows deleted files. Some hackers delete security plugin files. This data point identifies damage a hacker may do by deleting files.
Table 1

Table 1 summarizes how you can use four pieces of metadata to identify hackers.  Real scenarios from websites better illustrate how a website with ENTRUSANS IDS works.  The scenarios below are from actual encounters with hacker compromised websites.

Scenario 1: Website owner discovers Google reports their website as compromised in the search engine results page

One objective of hackers seen by MadTek when they gain access and upload malicous files to a website is to use the website to redirect links on the website to websites that sell anything from pornographic material to pharmaceutical products.

Without ENTRUSAN IDS:

The website owner performs a simple search on their website using Google and finds that Google reports the links to website as compromised on the search engine results page (SERP).  This happens to compromized websites where the hackers, now in control of the website, are manipulating links on the website. The website owner is now faced with the arduous task of understanding what files the hackers placed on the website, how many new files were placed, how many files they changed to achieve their objective of corrupting links and identifying any other files they may have hidden on the site as a backdoor to the site.  The website owner must also notify Google directly that they have fixed the problem before Google will remove the damaging message on the SERP. This event is embarrassing to the website, can take days to remedy, and is enormous in the expense of time and damage to the website brand.  In this scenario it is common for  the hackers to control the links on the website for weeks before Google indexing finds out.  

Outcome:

  • Weeks if not longer of damage from link poisoning
  • Little knowledge of website changes leads to extensive time to remediate the website
  • Little knowledge of the website vulnerability leaving uncertainty as to a future attack
  • Days to over a week to recover the website.

With ENTRUSANS IDS:

The ENTRUSANS website scan reports to the website owner that new files have shown up on the site.  The owner checks for any authorized work being performed and finds that no internal changes have been made.  The website owner examines the ENTRUSANS activity report and finds a number of new files in various directories on the site.  One of them is named polls-rtls.php.  The contents of the file reveal that it is a hacker placed file.  The website owner examines all other new files and finds malicious code.  The website owner examines legitimate files within the application only to find that they have had malicous code inserted into them.  The website owner knows the timestamps on the arrival of these foriegn files and the list.  The next challenge is to determine how the hacker entered the site.  A quick comparison with the site weblogs can reveal the exact point of entry and in the case of an open-source content management system like Wordpress, Drupal or Joomla the specific compromised plugin.  The website owner discovers the hacker in 24 hours or less and there is a clear path to removing the damaging files. The website owner restores compromised application files from backup, deletes the malicous files and updates or replaces any software found to have vulnerabilities.

Outcome:

  • The ENTRUSANS server notifies the website owner of a change to the website via email with the ENTRUSANS Change Activity Alert
  • Website owner examines the results and finds activity is due to hackers placing various files on the site
  • Website owner uses ENTRUSANS report to delete new files and repair compromised files
  • If available website owner examines web logs to determine point of entry
  • Website owner updates any needed software to eliminate known vulnerabilities
  • Website is recovered in a matter of hours with no damage to Google indexing

 

Scenario 2: Website owner is notified by 3rd party email vendor that quota is exceeded

Another hacker objective MadTek has seen involves hackers uploading malicous files to a website to use the website to send email spam.  In this way the hackers use an innocent website to send malicous spam, remain in the shadows and the website owner shoulders the responsibility of violating network email standards on the website owner's domain. Consequences include hostility from recipients affecting brand and website domain's placement onto email blacklists leading to costly efforts to remove the website domain from the blacklists. In this real scenario a web installation with a very small outgoing email quota discovered something was wrong.  Had the quota been much larger the hackers could have gone undetected until the website owner discovered the domain was on an email blacklist.

Without Entrusans IDS:

A Drupal website owner notices one day that the email quota for the server has been exceeded.  Not knowing the source of the problem the website owner engages an expert to research the website and email logs.  The expert finds a clear signature of outgoing spam inside the email logs.  Knowing this as a sign of a website compromise the expert conducts an examination of all the files on the owner's Drupal website.  In this case the expert is familiar with Drupal and using proprietary techniques is able to identify a collection of hacker files.  The expert removes the hacker files and upgrades the website software assuming all was well.  Weeks later the email quota was exceeded again.  Further research revealed the purge of hacker files was incomplete. A hacker backdoor file was not removed from the site and the hacker used that file to compromise the site again.  The site was cleaned again.

Outcome:

  • The website owner incurred damage due to the shut down of outgoing email on the webserver
  • Little knowledge of site changes leads to extensive time to remediate the site
  • Site remediation had errors leading to a second attack and second remediation.
  • Substantial website down time for remediation efforts occured.

With Entrusans IDS:

The ENTRUSANS daily scan reports new files have shown up on the website.  The owner checks for authorized work and finds that no authorized changes have been made.  The website owner then examines the ENTRUSANS Change Activity report and finds new files on the site.  One of them is named garland.info.info.  Upon technical examination of the file it is a hacker placed file.  The website owner examines all other new files on the site and finds malicious code.  The website owner examines legitimate files within the application and finds malicous code has been inserted into them.  The website owner knows the timestamps on the arrival of these foriegn files.  The next challenge is to determine how the hacker entered the site.  A quick comparison with the site weblogs can reveal the exact point of entry and in the case of an opensource content management system like Wordpress, Drupal or Joomla the specific plugin that was compromised.  The hacker is discovered in 24 hours or less and there is a clear path for removing compromised files. The website owner restores compromised application files from backup, deletes the malicous files and updates or replaces any software found to have vulnerabilities.

Outcome:

  • The ENTRUSANS Server notifies the website owner of a change to the website via email with the ENTRUSANS Change Activity Alert.
  • Website owner examines the results and finds activity is due to hackers placing files on the site.
  • Website owner uses the ENTRUSANS report to delete hacker's files and repair compromised files.
  • If they are available the website owner examines web logs to determine point of entry.
  • Website owner updates any needed software to eliminate known vulnerabilities
  • Website owner recovers the website in a matter of hours with minimal damage to email

Summary

ENTRUSANS IDS enhances your website security by notifying you of potential problems before they have time to cause significant damage.  Hackers count on website owners being uninformed of changes to their website until the damage is done.  Once a website is compromised hackers will continue to attack the site.