eLearnSecurity Blog

How to Check if Your Website Has Been Hacked

When opening your website, you find something like this:


Photo source: hackademix

Well, it is clear that your website has been defaced and thus you have been hacked. Nevertheless, this is just one of the several scenarios you may encounter.

Unfortunately, the attacker’s goal is not always to show a specific message, prove that a specific vulnerability exists or, just for fun, spread misleading messages. There is far more than that at stake.

A lot of times, attackers adopt a “silent and conservative” approach to avoid detection and gain access to the target website. This way, it becomes easier to spread malware, infect users, and perform continuous monitoring and interaction without exploiting the application again. Make sure to test your web apps for any vulnerabilities.

So if you’re an IT Security professional tasked with maintaining your organization’s website, it’s important to constantly monitor it for any suspicious activity. IT Security Researcher Giuseppe Trotta shares some tips:

Steps to Check if You’ve Been Hacked

1. Security Tools

The web is full of useful security utilities that can help you detect suspicious activity on your website. Some interesting tools are:

  • Google Security Tools – Google’s scanners examine billions of websites daily, and when they detect unsafe data, the sites will show warnings on Google Search and in web browsers. It is possible to query the status of your website by simply running the URL here. Furthermore, if the website has been flagged as malicious, it is possible to request a “malware or unwanted software review”.
  • Sucuri Malware and Security Scanner – This is another service that scans your website for common problems. Their scanner looks for outdated applications, the presence of malware and website blacklisting, and also monitors DNS, SSL certs and WhoIs records.
  • CMS-specific scanner – If your website is built using a common CMS such as WordPress, Drupal, Joomla, etc., there are several plugins you can use to perform a deeper analysis of your application. For example, WordFence for WordPress, or a standalone scanner such as JAMSS (Joomla! AntiMalware Scan Script) that works for both Joomla and WordPress.

2. Manual checks

There is no doubt that tools have their limitations, and when these tools fail, don’t forget that there is your brain!

  • File system inspection – If you are a developer, then you can scan through your files. Based on the technology adopted, the attacker may target some strategic points, for example:
    • .htaccess / web.config files: by editing these files, an attacker can remove restrictive configurations, embed malicious settings, etc.
    • php, asp, jsp, … files: these can be modified to change the application behavior or can be web shells: executable code that gives attackers remote access to a series of critical functions and data.
  • Log analysis – Checking your log files directory is also necessary. All web servers, FTP services, server-side languages, etc. log their activities: from the requests processed by the server to errors, etc. Looking at these files is a good habit to understand if anything suspicious happened. Clearly, the more you use the logs, the clearer it becomes what is happening on your system.

For example, something like this is an attempt to perform a directory traversal attack in order to execute the Windows cmd.exe program and list all files in a directory:

192.168.2.3 - - [18/Nov/2015:18:00:43 +0700] "GET /utilities/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 566 "-" "-"

Furthermore, if the system implements a Web Application Firewall (WAF), the level of detail available about suspicious activity increases considerably.

Note: since logs are often the only way to identify the causes behind an incident, attackers are aware of their value, so it is extremely important to adopt measures to protect this information.
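The log check described above can be automated. The following is an added example, not code from the original post: it parses access-log lines, percent-decodes the request target repeatedly so that the double-encoded %255c in the entry above is seen as a backslash, and flags traversal attempts. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # "../" or "..\" once decoded
SENSITIVE_RE = re.compile(r'cmd\.exe|winnt/system32', re.I)  # names from the post's entry

def fully_decode(target, max_rounds=5):
    """Percent-decode until stable, so %255c -> %5c -> backslash is not missed."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def inspect_line(line):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, rounds = fully_decode(m['target'])
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append('directory traversal sequence')
    if SENSITIVE_RE.search(decoded):
        reasons.append('system binary or directory in path')
    if rounds > 1:
        reasons.append('multiply-encoded URL')
    if not reasons:
        return None
    # A 2xx status means the server did not reject the request: triage these first.
    return {'host': m['host'], 'time': m['time'], 'decoded': decoded,
            'reasons': reasons, 'served': m['status'].startswith('2')}

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# First line is the entry quoted in the post; the other two are constructed samples.
SAMPLE_LOG = [
    '192.168.2.3 - - [18/Nov/2015:18:00:43 +0700] "GET /utilities/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 566 "-" "-"',
    '192.168.2.7 - - [18/Nov/2015:18:01:10 +0700] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.2.9 - - [18/Nov/2015:18:02:31 +0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 210 "-" "-"',
]
```

Calling scan(SAMPLE_LOG) returns two findings; only the first has served set to True, because the entry from the post was answered with status 200.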

  • Scheduled processes – Another trick the attacker may employ is to take advantage of scheduled tasks in order to reinfect the system or perform other malicious activities. Here is an interesting read.
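For the file system inspection item above, here is an added example (not from the original post) of checking the files it names against a known-good baseline: it hashes every .htaccess, web.config, php, asp and jsp file under the web root and reports what was added, removed or modified. The function names and the demo directory contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the post singles out as strategic points for an attacker.
WATCHED_NAMES = {'.htaccess', 'web.config'}
WATCHED_EXTS = {'.php', '.asp', '.jsp'}

def is_watched(path):
    path = Path(path)
    return path.name.lower() in WATCHED_NAMES or path.suffix.lower() in WATCHED_EXTS

def snapshot(webroot):
    """Map relative path -> SHA-256 of content for every watched file."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob('*') if p.is_file() and is_watched(p)
    }

def compare(baseline, current):
    """Diff two snapshots; each reported path needs an explanation from a human."""
    common = baseline.keys() & current.keys()
    return {
        'added': sorted(current.keys() - baseline.keys()),
        'removed': sorted(baseline.keys() - current.keys()),
        'modified': sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: a config file is edited and a script appears in uploads/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'uploads').mkdir()
        (root / '.htaccess').write_text('Options -Indexes\n')
        (root / 'index.php').write_text('<?php echo "home"; ?>\n')
        (root / 'logo.png').write_bytes(b'\x89PNG')  # ignored: not a watched type
        baseline = snapshot(root)  # taken while the site is known to be clean
        (root / '.htaccess').write_text('Options +Indexes\n')
        (root / 'uploads' / 'img.php').write_text('<?php /* placeholder */ ?>\n')
        return compare(baseline, snapshot(root))
```

Content hashes are compared rather than modification times because timestamps can be reset, and the baseline should be stored off the web server so that someone with access to the host cannot rewrite it.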

Checklist

We have seen a simple checklist of what you can do to check whether your website has been compromised. Combining the tools mentioned above with the manual checks gives you a quick overview of what’s happening on your system.

But be careful: if you “pass” all of them, it doesn’t mean your website has not been compromised or cannot be compromised! Securing a web application is not rocket science, but neither is it the adoption of a specific tool. It requires methodology.

Learn to test your web applications. Free Demo of the Web Application Penetration Testing training course

If you want to learn how to find bugs in web applications, then start for FREE with our Web Application Penetration Testing course and understand the techniques in web app pentesting. You can get your FREE trial here: WAPT Trial

 



Giuseppe Trotta is a security researcher and instructor in eLearnSecurity. He is the main developer of the Hack.me project and he is also involved in the management of Hera lab virtualization infrastructures.

Twitter: https://twitter.com/Giutro
LinkedIn: http://it.linkedin.com/in/trottagiuseppe

 
