Close the door for good on Web server backdoors

Regular readers of Network World know there is a crime spree taking place in cyberspace. Hackers are coming into servers at will through backdoors and directing these servers or the websites they host to perform all sorts of malicious deeds. Incapsula just introduced a cloud-based service that can detect and mitigate the problem of backdoors that are surreptitiously planted on Web servers.

In many of the recent high-profile distributed denial-of-service (DDoS) attacks, the offending traffic has come from compromised Web servers rather than from botnets of PCs. Because Web servers are often connected to the backbone of the Internet, they provide a much higher-capacity pipe than PCs for distributing massive amounts of crippling malicious traffic. An attacker using compromised Web servers can direct as much as 60 to 100 gigabits of data per second toward a target. It's a real challenge to defend against that kind of barrage.

Critical to the success of this type of attack are the unfortunate Web servers that come under the attacker's control. While they are legitimate servers belonging to real businesses, they are also forced to do the malevolent bidding of bad guys. What's more, this type of infection is more common than many people realize.


When a hacker uses a vulnerability to break into a server or website, often one of the first things he does is install a backdoor -- software that allows the hacker to connect to the compromised website or server at his convenience. The backdoor gives the hacker remote control capabilities so that even when the hole through which he broke in is patched, he can still control the server at will. He can do things like launch attacks against other sites, send out spam or phishing emails, or distribute malware through the website.

Once it has been installed, the backdoor software is hard to find because it is well hidden. It's simply one file sitting in a list of thousands of files on the server. The administrator can't tell whether it's a backdoor or a legitimate third-party component that a Web developer installed. External scanners can't detect it because it can be hiding anywhere and its name can be anything. But backdoors have an Achilles' heel: the very functionality they are designed to provide, communication with the command-and-control server.

The Web security company Incapsula just launched a new service called Backdoor Protect that provides the ability to detect and intercept the communication going through the backdoor and to neutralize it so the server or website can no longer be controlled from afar. Incapsula can identify the location of the backdoor software so the administrator can remove it and clean up his server or website for good.

Incapsula, a spinoff and subsidiary of the security vendor Imperva, provides a cloud-based service designed to protect and accelerate websites. Incapsula customers change their DNS records to point to the Incapsula network instead of pointing their domain name directly to their Web server. From that point on, anyone trying to access the website is first routed through the Incapsula network.

Incapsula inspects all of a website's incoming traffic to filter out malicious traffic, such as DDoS attack traffic and hacking attempts. Because Incapsula sees all of a website's incoming traffic, the security provider is able to scan for the signatures of backdoor communications. Incapsula maintains a library of hundreds of backdoors that it has mapped and created signatures for based on its inspections of thousands of websites worldwide. If communication to a backdoor is detected, Incapsula terminates the communication to that file before it can reach the targeted Web server. Incapsula then notifies the website owner that they have a backdoor, what it is capable of doing, and precisely where it is located.

Scanning for communication signatures is much more effective than scanning for a specific file. Individual files can undergo numerous mutations and variations, but communication signatures are less likely to change so frequently.
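The three points above (a backdoor is just an anonymous file on disk, but it has to talk to its controller; an inline proxy that sees all inbound traffic can match that talk against a signature library and drop it before it reaches the origin; and communication signatures survive file renames and mutations that defeat file scanning) can be shown with a small, self-contained filter. The code below is an added illustration written for this article, not Incapsula's code, and the signatures, request records and capability labels in it are constructed placeholders, not the vendor's real library.

```python
"""
Inline backdoor-communication filter (constructed teaching example).

Models the mechanism the article describes: inspect HTTP requests on their
way to the origin server, match them against a library of *communication*
signatures (what the request looks like, not what the file on disk looks
like), drop matches before they reach the server, and report to the site
owner which file the traffic was aimed at and what that backdoor can do.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    """One inbound HTTP request (fields are constructed sample data)."""
    method: str
    path: str
    headers: Dict[str, str]
    body: str = ""


@dataclass
class Signature:
    """A communication signature. Note that no field depends on the
    backdoor's file name, so renaming or moving the file does not evade it."""
    name: str
    capability: str                        # reported to the site owner
    methods: Tuple[str, ...]
    path_re: Optional[str] = None          # e.g. restrict to script endpoints
    body_re: Optional[str] = None          # command channel in the POST body
    headers_re: Dict[str, str] = field(default_factory=dict)


# Hypothetical signatures for the demo; a real library holds hundreds.
SIGNATURES: List[Signature] = [
    Signature("demo-cmdshell", "remote command execution", ("POST",),
              path_re=r"\.php$", body_re=r"(^|&)cmd=[^&]+"),
    Signature("demo-uploader", "file upload (malware hosting)", ("POST",),
              path_re=r"\.php$", body_re=r"(^|&)upload=[^&]+"),
    Signature("demo-ddos-bot", "DDoS bot enrollment", ("GET", "POST"),
              headers_re={"user-agent": r"^DemoBot/\d"}),
]


@dataclass
class Verdict:
    blocked: bool
    signature: Optional[str] = None
    location: Optional[str] = None         # the file the traffic was aimed at
    capability: Optional[str] = None


def matches(sig: Signature, req: Request) -> bool:
    """True when every constraint the signature specifies holds for the request."""
    if req.method not in sig.methods:
        return False
    if sig.path_re and not re.search(sig.path_re, req.path):
        return False
    if sig.body_re and not re.search(sig.body_re, req.body):
        return False
    lowered = {k.lower(): v for k, v in req.headers.items()}   # headers are case-insensitive
    for name, pattern in sig.headers_re.items():
        if not re.search(pattern, lowered.get(name.lower(), "")):
            return False
    return True


def inspect(req: Request, signatures: List[Signature] = SIGNATURES) -> Verdict:
    """Block on the first matching signature, naming the backdoor's location."""
    for sig in signatures:
        if matches(sig, req):
            return Verdict(True, sig.name, req.path, sig.capability)
    return Verdict(False)


def filter_traffic(requests: List[Request]) -> Tuple[List[Request], List[Verdict]]:
    """Forward clean requests to the origin; collect incident reports for the owner."""
    forwarded: List[Request] = []
    incidents: List[Verdict] = []
    for req in requests:
        verdict = inspect(req)
        if verdict.blocked:
            incidents.append(verdict)      # never reaches the Web server
        else:
            forwarded.append(req)
    return forwarded, incidents


# Constructed sample traffic: two legitimate requests, a command channel to a
# backdoor hiding under an innocent name in an images directory, and a bot
# check-in identified only by its User-Agent.
SAMPLE_TRAFFIC = [
    Request("GET", "/index.php", {"User-Agent": "Mozilla/5.0"}),
    Request("POST", "/contact.php", {"User-Agent": "Mozilla/5.0"}, "name=Ann&message=hello"),
    Request("POST", "/images/gallery_helper.php", {"User-Agent": "Mozilla/5.0"}, "cmd=uptime"),
    Request("GET", "/wp-content/cache/a1.php", {"user-agent": "DemoBot/2"}),
]

if __name__ == "__main__":
    passed, reports = filter_traffic(SAMPLE_TRAFFIC)
    print(f"forwarded {len(passed)} request(s) to origin")
    for r in reports:
        print(f"BLOCKED {r.signature}: backdoor at {r.location} ({r.capability})")
```

The point of the `location` field is the clean-up step the article ends on: the owner learns exactly which file to remove. The caveat a practitioner would add is that a body-only pattern like `cmd=` will also fire on legitimate forms that happen to use that parameter name, so production signatures combine several request features and are tuned against the sites they protect to keep false positives down.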

Incapsula's cloud-based service can support companies with a single website all the way up to multi-national corporations with hundreds of different Web properties. Pricing is determined by the amount of traffic that goes through the service.

Incapsula launched its Backdoor Protect capability in late January. Before the official launch, the feature was running silently on all of Incapsula's customers' websites. Backdoor Protect detected and stopped communication that was intended to make a certain server part of the network that was hurling DDoS traffic at the U.S. banks. The server's administrator wasn't even aware of the unintended malicious behavior of his own server.

Backdoors installed on a server are notoriously hard to detect. Now there is a way to find, stop and remove them before they can wreak havoc both internally for a website's owner and externally on the broader Internet.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
