Doorways on non-default ports make compromised websites harder to spot

Are negligent site and server administrators at least as much to blame for compromised sites that redirect users to doorway pages to pirated software as the cyber criminals that took advantage of their poor security? The author of the Unmask Parasites blog seems to think so.

For a while now, he has been analyzing websites, and a year ago he noticed there were hundreds of high-profile sites that were promoting pirated software unbeknownst to their administrators. But his beef with them stems from the fact that many of them have decided to ignore his direct warning and refused to cooperate with him in order to repair the damage. As a result, many of those sites are still compromised.

It used to be that these doorway pages were created by adding URL rewrite rules to server configuration files, or by creating rogue files and directories somewhere on the server – in short, by extending the functionality of existing legitimate sites and, therefore, making these modifications easy to spot by webmasters who know what to look for and do so on a regular basis.

But he noticed a new trend among the criminals engaged in these schemes. “Hackers started to create 100% spammy doorway sites with the same domains as compromised legitimate sites but on different (non-default) ports,” he says.

While this doesn’t change anything for the users, it makes the detection of this abuse a lot harder for the administrators. The doorway pages are no longer part of the hacked site, the rogue content doesn’t need to be on the compromised site’s file system, and the logs written by these sites on different ports don’t go to the same files that the compromised site uses.

And while this action does require the criminals to acquire root permissions on the server – or at least a “poorly configured server with many open ports and world-writable Apache configuration files” – the effort is well worth it, because they can use the same domains, undetected, for a long, long time.

For all website and server administrators who want to make sure the assets under their supervision haven’t been used for the aforementioned purpose, he offers a number of tips on how to detect doorway pages and spammy links, and also lists a number of compromised doorway sites on non-default ports.
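One local check a server administrator could run against this technique, as an added example (not code from the Unmask Parasites post): it parses Apache `Listen` and `<VirtualHost>` directives for ports outside the expected 80/443 and flags world-writable configuration files. The sample configuration and file names are constructed for illustration.

```python
import os
import re
import stat

# Ports a normal public web server is expected to listen on.
EXPECTED_PORTS = {80, 443}

# "Listen 8080", "Listen 1.2.3.4:8080", "Listen [::]:8080", "Listen 443 https"
LISTEN_RE = re.compile(r'^\s*Listen\s+(?:\S*:)?(\d+)', re.IGNORECASE | re.MULTILINE)
VHOST_RE = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.IGNORECASE | re.MULTILINE)


def unexpected_ports(config_text, expected=EXPECTED_PORTS):
    """Return the set of ports named in Listen/VirtualHost directives that are outside `expected`."""
    ports = set()
    for m in LISTEN_RE.finditer(config_text):
        ports.add(int(m.group(1)))
    for m in VHOST_RE.finditer(config_text):
        for addr in m.group(1).split():
            # Address forms: *:8085, 1.2.3.4:8085, [::1]:8085, or a bare host (default port).
            port = addr.rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports - set(expected)


def world_writable(mode):
    """True if the permission bits allow any user to write the file (o+w)."""
    return bool(mode & stat.S_IWOTH)


def audit_config_files(paths, stat_fn=os.stat):
    """Return the paths whose on-disk mode is world-writable; unreadable paths are skipped."""
    flagged = []
    for p in paths:
        try:
            if world_writable(stat_fn(p).st_mode):
                flagged.append(p)
        except OSError:
            continue
    return flagged


# Constructed sample: legitimate directives plus one rogue listener on a non-default port.
SAMPLE_CONFIG = """
Listen 80
Listen 443 https
Listen 8085
<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:8085>
    ServerName www.example.com
</VirtualHost>
"""

if __name__ == "__main__":
    print("unexpected ports:", sorted(unexpected_ports(SAMPLE_CONFIG)))
```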
