25 Years of Programming
An open source source for C, C++, OWL, BASIC, MDB, XLS, DOT, and more...

Apache security:


How to know if your website has been hacked

This article is part of a set that begins at:

Google says "This site may harm your computer"

If Google's search engine result pages (SERPs) display this warning about your site, one of the possible causes is that your site was hacked. Please see the separate article about how to investigate and resolve the Google / StopBadware warning message.

Visitors report getting viruses from your web pages

If visitors report to you that they get virus alerts or viruses from browsing your pages, your site is most likely hacked. Google will start displaying a "badware" warning about your site soon, so please see the article about it, above.

It is, however, possible for your pages to deliver viruses even if your site hasn't been hacked. This can occur when your pages pull some of their content from third parties such as advertisers, and one of those third parties was hacked or had a malicious advertisement slipped into its lineup. That scenario is also discussed in the above article.

Visitors report being redirected to other web pages, not yours

If people try to visit your website but wind up somewhere else instead, it's another sign your site is hacked. It's a similar situation to the two described above and will eventually earn a Google "badware flag". Please see the article referenced above.

Your traffic decreases dramatically and suddenly

Most web surfers heed the "This site may harm your computer" warning and stay away. Those who continue to the site and get a virus or virus alert will leave immediately and not browse around. Either way, you'll see a drastic drop in traffic. Anytime your traffic drops suddenly, investigate.

Places you can monitor your site status

An important aspect of monitoring is to notice things that are unusual, so start learning now what is normal and usual, while your site is not hacked.

Each time you log into cPanel

Make a habit of checking "Last login from:" at the top of the screen to ensure that it shows your IP address from the last time you logged in.

When you browse your own site

Always use an up-to-date antivirus + antispyware program on your own PC so you'll be alerted if your website starts distributing malware. Use "real-time" scanning protection to catch malicious files as soon as they are received. Manual on-demand scanning alone (such as once a day) isn't sufficient. By the time you identify and quarantine the virus, the damage it was intended to cause might already be done.

Use your browser's View Source feature occasionally to inspect your page's HTML code for text injections of invisible iframes, JavaScript, and links to malicious websites. These are often the definitive telltale indicators that the pages have been tampered with. The "badware investigation" article referenced above shows examples of what these things look like. They're just text. Once you know what to look for, they're easy to find.

It's a good idea also to check a few files on your server from time to time. Open your home page in your control panel's File Manager and inspect the HTML for the signs of tampering described above.
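
The same inspection can be scripted against a saved copy of a page. The following Python example is an addition to this article, not code from its author; the host names, the sample page, and the heuristics chosen (zero or 1-pixel iframes, hidden styles, script or iframe sources on hosts you did not expect) are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class TamperScan(HTMLParser):
    """Collect invisible iframes and script/iframe sources on unexpected hosts."""

    def __init__(self, expected_hosts):
        super().__init__()
        self.expected = {h.lower() for h in expected_hosts}
        self.findings = []  # (line number, reason, src)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        line = self.getpos()[0]
        if tag == "iframe" and self._invisible(a):
            self.findings.append((line, "invisible iframe", src))
        elif host and host not in self.expected:
            self.findings.append((line, f"off-site {tag}", src))

    @staticmethod
    def _invisible(a):
        # width/height of 0 or 1 (with or without "px"), or a hiding style
        tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                   for d in ("width", "height"))
        return tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))

def scan_html(html, expected_hosts):
    """Return findings for one page; relative URLs count as your own site."""
    scanner = TamperScan(expected_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; www.example.org stands in for your own site.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<script src="/js/menu.js"></script>
<iframe src="http://unknown-host.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script src="http://counter.example.net/c.js"></script>
<iframe src="http://www.example.org/map.html" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, {"www.example.org"}):
        print(finding)
```

An off-site script is not proof of tampering on its own; list the third-party hosts you deliberately use in `expected_hosts` so that only the unexpected ones are reported.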

Whenever you are viewing a list of the files on your server (such as in cPanel > File Manager or by FTP), keep alert for files you don't recognize.

The files on your server should never be different from what they were when you originally uploaded them. A file getting modified on your server without your permission is just as abnormal as a file getting modified on your home PC without your permission. If it happens at all, it is an indication that something is terribly wrong.

HTTP access log

This log records the requests for pages and other files from your site.

If there are successful requests (HTTP result code 200) for files you didn't put on the site, it's possible a hack put them there. It's even more suspicious if the files have names that are variations of these commonly used ones: id.txt, cmd.txt, safe.txt, r57.txt, test.txt, echo.txt, php.txt, load.txt, or mic.txt.

Your raw access logs are also the best place to learn how your site is being attacked, whether successfully or not, so you can craft your defenses accordingly.
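
The check for successful requests to files you didn't upload can be run over the raw log automatically. The Python example below is an addition to this article, not the author's code; it assumes Apache's common or combined log format, an inventory of your own URL paths that you supply, and constructed sample log lines.

```python
import re
from urllib.parse import unquote, urlsplit

# File names listed in the article, plus digit/punctuation variations (id1.txt, cmd_2.txt).
SUSPECT_NAME = re.compile(
    r"^[\d_.-]*(id|cmd|safe|r57|test|echo|php|load|mic)[\d_.-]*\.txt$", re.I)

# Apache common/combined log format: host ident user [time] "request" status size
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def review_access_log(lines, known_paths):
    """Return (host, path, reason) for each 200 response to a file not in known_paths.

    known_paths is your own inventory of URL paths you uploaded (an assumption
    of this example; build it from your local copy of the site).
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["status"] != "200":
            continue  # unparseable line, or the request did not succeed
        path = unquote(urlsplit(m["target"]).path)  # drop the query string
        if path.endswith("/") or path in known_paths:
            continue  # directory index or a file you put there
        name = path.rsplit("/", 1)[-1]
        if SUSPECT_NAME.match(name):
            reason = "unknown file, suspicious name"
        else:
            reason = "unknown file"
        findings.append((m["host"], path, reason))
    return findings

# Constructed sample lines using documentation-only IP addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2008:10:01:12 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.23 - - [02/Mar/2008:10:02:40 -0500] "GET /images/id1.txt HTTP/1.1" 200 312',
    '198.51.100.23 - - [02/Mar/2008:10:02:44 -0500] "GET /cmd.txt? HTTP/1.1" 404 208',
    '192.0.2.50 - - [02/Mar/2008:10:05:03 -0500] "GET /forum/cache/x.php?a=1 HTTP/1.1" 200 1877',
]

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG, {"/index.html", "/robots.txt"}):
        print(finding)
```

The 404 for `/cmd.txt` is skipped because the file was not there; failed requests like that are still worth reading as a record of what is being tried against the site.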

FTP access log

Unauthorized users or unauthorized file transfers in your FTP log are proof that your site is compromised.

Google Webmaster Central > Webmaster Tools

Google account (it's free) and login required.

In Webmaster Tools, Google notifies you if your site gets badware-flagged. In the past, they also notified webmasters by email, if they could find an address. I don't know if they do that anymore. Many people reported not receiving such an email, and it's been a long time since I've seen anyone report receiving one, so don't count on it.

Webmaster Central might not be your first destination every morning. As an alternative, anytime you think of it, you can type this in any Google search box to make sure you haven't got the badware flag: site:yourdomain.com.

StopBadware.org Clearinghouse database

Search for your site, using both the www and non-www forms because a search for one doesn't find the other.

McAfee SiteAdvisor safety and outlink reports

The report describes how many emails they received after registering at a site, how spammy the emails were, whether the site has outlinks to bad websites, and whether they found viruses or spyware on pages or in downloads. Users sometimes post public comments with complaints or praise. SiteAdvisor is a way to learn what others think of your site. It doesn't seem to be updated very often, however, so it's not an early warning system.

W3C HTML Validator

If your pages suddenly stop validating, it can be a sign that a malicious script inserted code at invalid locations in your files. The reported validation errors may point directly to the injected code.

Search engine result pages (SERPs)

At each of the popular search engines, watch for:

  • Pages that the search engine says are on your site, but that you didn't put there.
  • Text snippets that are wrong.

Questions are welcome in the discussion forum

 

 

Copyright ©2008 Steven Whitney. Last modified 04/16/2008.