Web Entrust employs a suite of proprietary and open source monitoring tools to track member sites. Our long term plan is to make the tools and reports available to subscribers, but not until we feel we have the best mix of reports that filter through the noise to what is truly important. Our monitoring processes can be categorized as follows: IP Address Change Triggers an event anytime the ip address for a website changes. This could be a routine change, or can signal that the DNS server has been compromised and visitors are being sent to a lookalike site. DNS Server Change A change in name servers may be the result of changing hosting companies or registrar. It may also be an early warning of a domain management account authentication compromise as a prelude to directing visitors to a false site. Server Response Time A change in server response time can be caused by any number of issues, but a site that is under duress from a Denial of Service attack, or has been infected by intrusive monitoring software will also have degraded performance. Well Known Port Scan Every service runs on a different port. This scanner will scan all the well-known ports for any change. Several common ports do not represent a security risk such as 80 for http, 443 for ssl, but others raise a red flag such as 23 for telnet (an unsecure remote login). Less Known Port Scan There are a total of 64K ports that can potentially be open on a server. A hacker trick is that once a server has been compromised they will run a shadow service on an obscure port making it easy for them to access the system again even if the password has changed. Home Page Change Triggers an event anytime the home page for a site changes which may signal the addition of unwanted content on the site. These changes can be regular occurrences on some sites.