How to Use The Entrusans Change Activity Report

The ENTRUSANS Change Activity Report is your primary tool for detecting suspicious files on your website.  The report is organized into four sections:

  • The Change Summary section shows a quick picture of the scope of changes for the period.
  • The New Files section lists all new files found in a scan. Files placed by hackers will be listed here.
  • The Changed Files section lists all files that have changed in a scan. Malicious code is often placed in core application files by hackers.
  • The Deleted Files section lists all files that have been deleted in a scan. Hackers are known to delete files on websites, especially security plugins.


At MadTek we have organized these sections so that you can quickly assess change activity on a website and take action.  Entrusans scans a website once per day.  Depending on the application software and plugins installed on the site, a Change Activity email may arrive every day.  Examples of normal daily activity include changes in log files and cache files; how much of this you see depends on the applications and plugins installed.

Websites that change infrequently are the easiest to assess.  If your website changes only through periodic software upgrades or routine updates of image files, you will receive emails only when these changes take place.  Review all of the changes to confirm they were authorized, as any one of them could be the work of a hacker.  If it is a hacker, you will have a record of the changes the hacker made to your website.

Websites that change frequently due to the normal operation of applications that generate recurring working files, such as logs and cache files, will generate Change Activity emails from Entrusans every day.  Depending on the application, the Change Activity report will stabilize at a consistent number of changes per day, although the number of new files and changed files may vary.  Experience with certain plugins for WordPress shows a large number of file changes per day in cache directories.  Even though reports are produced daily, abnormal changes to the website will still be visible, because hackers tend to place files in directories where they are easy to spot.

If a new file proves to be a hacker file, the next steps are to examine the Changed Files and Deleted Files sections of the ENTRUSANS Change Activity Report.  These sections will identify changed and deleted files that could be the result of the hacker tampering with the files on the website.


Change Summary

The Change Summary section provides a quick overview of the scope of a change in the website.  This summary will vary based on the activity on the site.  For example, a major software upgrade will result in larger numbers in all three report sections: New, Changed and Deleted.  Small numbers are common for applications that use log or cache files and for routine site maintenance.  Over time a change pattern for the website will emerge, enabling the detection of unusual activity.

New Files

The New Files section is the first stop for spotting suspicious change activity.  The filenames listed in the diagram below were made up to illustrate how obvious a hacker file can appear to the trained eye.  In this example the hacker is openly telling us they are present.  Hackers are rarely that friendly, and MadTek has detected hacker files in multiple locations on websites.  One common hacker technique is to place executable files in image directories, reusing an existing image name but with an executable extension; for example, we would find both my-latest-product.jpg and my-latest-product.php.  Entrusans was designed to quickly identify suspicious files.

Changed Files

It is common for hackers to add malicious code to existing files on the website following a compromise.  Identifying these files is critical to efficient and effective recovery of a compromised website.  Missing only one infected file can lead to a subsequent compromise.  Many tools are available for scanning files for infection, but only for known signatures.  Hackers are clever and continuously introduce new, unknown signatures.  Knowing that a file has changed is a unique and powerful tool for identifying compromised files.

Deleted Files

MadTek has direct experience with hackers disabling security plugins. One technique is to simply delete the security plugin files. Use the Deleted Files section to review any deleted files. Normal activity on the website will also result in files being deleted, and those files will be listed in this section. Applications such as Drupal, WordPress and Joomla have specific locations where security plugins are installed.  Hacker actions to delete files for security plugins will be reported in this section.  Also look for any files that have changed in any security plugin.
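The following is an added example, not Entrusans or MadTek code, showing the kind of comparison that produces the New, Changed and Deleted Files sections described above, together with a check for the image-directory pattern from the New Files section (my-latest-product.jpg beside my-latest-product.php). It assumes each scan is represented as a map of relative file path to SHA-256 digest; the two snapshots, their digests and the plugin directory name are constructed for the example.

```python
# Added example (not MadTek's code): the file-level diff behind a New/Changed/Deleted
# report, plus a check for an executable dropped beside an image of the same name.
# A snapshot is a dict of relative path -> SHA-256 of the file, taken once per scan.
from pathlib import PurePosixPath

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
EXEC_EXT = {".php", ".phtml", ".php5", ".pl", ".cgi"}

def change_activity(baseline, current):
    """Compare yesterday's and today's snapshots; return the four report sections."""
    new = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"summary": {"new": len(new), "changed": len(changed), "deleted": len(deleted)},
            "new": new, "changed": changed, "deleted": deleted}

def suspicious_new_files(report, current):
    """Flag new files with an executable extension that sit next to an image of the
    same name in the same directory (my-latest-product.jpg beside my-latest-product.php)."""
    flagged = []
    for path in report["new"]:
        p = PurePosixPath(path)
        if p.suffix.lower() in EXEC_EXT and any(
                str(p.with_suffix(ext)) in current for ext in IMAGE_EXT):
            flagged.append(path)
    return flagged

# Constructed snapshots standing in for two consecutive scans; the digests are
# placeholders and the security plugin directory name is made up.
BASELINE = {
    "wp-content/cache/page-1.html": "a" * 64,
    "wp-content/plugins/example-security/example-security.php": "b" * 64,
    "wp-includes/functions.php": "c" * 64,
    "images/my-latest-product.jpg": "d" * 64,
}
CURRENT = {
    "wp-content/cache/page-1.html": "e" * 64,   # routine cache churn
    "wp-includes/functions.php": "f" * 64,      # core file altered
    "images/my-latest-product.jpg": "d" * 64,
    "images/my-latest-product.php": "0" * 64,   # executable beside the image
}

if __name__ == "__main__":
    report = change_activity(BASELINE, CURRENT)
    print(report["summary"], suspicious_new_files(report, CURRENT))
```

Run against two real scans, the same three lists give the report sections, and the deleted plugin path and the changed core file are exactly what the Deleted Files and Changed Files sections tell you to review.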