Close the door for good on Web server backdoors

IT Best Practices Alert By Linda Musthaler, Network World
February 15, 2013 01:27 PM ET

Network World - In many of the recent high-profile distributed denial-of-service (DDoS) attacks, the offending traffic has come from compromised Web servers rather than from botnets of PCs. Because Web servers are often connected to the backbone of the Internet, they provide a much higher-capacity pipe than PCs for distributing massive amounts of crippling malicious traffic. An attacker using compromised Web servers can direct as much as 60 to 100 gigabits of data per second toward a target. It's a real challenge to defend against that kind of barrage.

Critical to the success of this type of attack are the unfortunate Web servers that come under the attacker's control. While they are legitimate servers belonging to real businesses, they are also forced to do the malevolent bidding of bad guys. What's more, this type of infection is more common than many people realize.

When a hacker uses a vulnerability to break into a server or website, often one of the first things he does is install a backdoor -- software that allows the hacker to connect to the compromised website or server at his convenience. The backdoor gives the hacker remote control capabilities so that even when the hole through which he broke in is patched, he can still control the server at will. He can do things like launch attacks against other sites, send out spam or phishing emails, or distribute malware through the website.

Once it has been installed, the backdoor software is hard to find because it is well hidden. It's simply a file sitting in a list of thousands of files on the server. The administrator doesn't know whether it's a backdoor or a legitimate third-party component that a Web developer has installed. External scanners can't detect it because it can be hiding anywhere and its name can be anything. But backdoors have an Achilles' heel: the very functionality they are designed to provide, communication with the command and control server.

The Web security company Incapsula just launched a new service called Backdoor Protect that provides the ability to detect and intercept the communication going through the backdoor and to neutralize it so the server or website can no longer be controlled from afar. Incapsula can identify the location of the backdoor software so the administrator can remove it and clean up his server or website for good.

Incapsula, a spinoff and subsidiary of the security vendor Imperva, provides a cloud-based service designed to protect and accelerate websites. Incapsula customers change their DNS records to point to the Incapsula network instead of pointing their domain name directly to their Web server. From that point on, anyone trying to access the website is first routed through the Incapsula network.

Incapsula inspects all of a website's incoming traffic to filter out malicious traffic, such as DDoS attack traffic and hacking attempts. Because Incapsula sees all of a website's incoming traffic, the security provider is able to scan for the signatures of backdoor communications. Incapsula maintains a library of hundreds of backdoors that it has mapped and created signatures for based on its inspections of thousands of websites worldwide. If communication to a backdoor is detected, Incapsula terminates the communication to that file before it can reach the targeted Web server. Incapsula then notifies the website owner that they have a backdoor, what it is capable of doing, and precisely where it is located.
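To make the mechanism concrete, here is an added illustration (not Incapsula's code, and the signature library, request records and file paths are all constructed placeholders) of how an in-line filter matches incoming requests against backdoor-communication signatures, drops matches before they reach the origin server, and produces a notice naming the backdoor's capability and location:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed signature library (placeholder patterns, not a real vendor's).
# Each entry pairs a request pattern with a description of what the backdoor can do.
SIGNATURES = [
    {"name": "EXAMPLE-SHELL-A", "path": r"\.php$", "params": r"^(cmd|exec)$",
     "capability": "remote command execution"},
    {"name": "EXAMPLE-UPLOADER-B", "path": r"/(uploads|tmp)/.*\.php$", "params": r"^upfile$",
     "capability": "arbitrary file upload"},
]

@dataclass
class Verdict:
    blocked: bool
    signature: Optional[str] = None
    location: Optional[str] = None
    capability: Optional[str] = None

def inspect(request: dict) -> Verdict:
    """Match one parsed request (keys 'path' and 'params') against the signature library."""
    for sig in SIGNATURES:
        if re.search(sig["path"], request["path"]) and any(
                re.search(sig["params"], p) for p in request["params"]):
            # Terminate the request and record where the backdoor file sits on the server.
            return Verdict(True, sig["name"], request["path"], sig["capability"])
    return Verdict(False)

def filter_traffic(requests):
    """Return (forwarded, notices): requests passed to the origin, and owner notices for blocked ones."""
    forwarded, notices = [], []
    for r in requests:
        v = inspect(r)
        if v.blocked:
            notices.append(f"backdoor {v.signature} at {v.location}: {v.capability}")
        else:
            forwarded.append(r)
    return forwarded, notices

# Constructed sample traffic: two ordinary requests and two aimed at hidden backdoor files.
SAMPLE = [
    {"path": "/index.php", "params": ["page"]},
    {"path": "/images/logo.png", "params": []},
    {"path": "/wp-content/uploads/2013/02/cache.php", "params": ["upfile"]},
    {"path": "/themes/x/footer.php", "params": ["cmd"]},
]

if __name__ == "__main__":
    passed, alerts = filter_traffic(SAMPLE)
    print(len(passed), "forwarded;", *alerts, sep="\n")
```

Because the filter is signature-driven, it only catches backdoors whose traffic patterns are already in the library, which is why the breadth of that library matters as much as the inspection itself.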

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
