Questionable Hosting

by David Schwalenberg
July 23, 2014

This dashboard presents information on possible questionable web content hosted on the network, and can assist in finding malicious web sites installed on the network.

For a given web server, active web application scanning is no guarantee that all hosted web sites will be found. There may be no links between two web sites hosted on the same web server. Similarly, scanning a network for all ports to look for web servers that may have been installed as part of a botnet is difficult to do in real time. Because of this, it's very common for malicious web servers to be set up on university, home user, and any type of large networks.

This dashboard presents all web servers passively detected on the network, as well as questionable content that the web servers might be hosting and trend lines for detected web sites that contain keywords not expected for the local network.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting category Monitoring, and then selecting tags web and hosting. The dashboard requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.7
  • PVS 4.0.2

Listed below are the included components:

  • Questionable Hosting - Detected Web Servers - This table presents all web servers passively detected on the network, including web servers detected by PVS plugins 1442 (detection of web servers that send a “Server:” string in their server response), 8166 (detection of web servers that do not send a “Server:” string in their server response), and 7034 (HTTP server vhost detection).
  • Questionable Hosting - Questionable Content Hosted - This component presents indicators of possible questionable content hosted on web servers on the network, including hosting .ini files, torrent files, archive files (which might contain sensitive data), media files (which might be copyrighted), and malware, as well as linking to malicious content, and serving possibly malicious script and iFrame tags. A purple indicator means the questionable content was found; any questionable content should be further investigated. More information can be obtained by clicking on the specific indicator and viewing the detailed vulnerability list.
  • Questionable Hosting - Responses to Queries for Questionable Domains - This chart presents detections of questionable domain name requests that web servers on the network have responded to over the last three months. The lines show answered domain name requests for URLs containing keywords related to money, porn, dating, game, sweepstakes, and party. Note that these keywords will not find all questionable domains and there may be a high false-positive rate. Keywords can be added or removed as needed in the series’ filters. Domain groupings can also be added or removed as needed.