8 Practical Tips for Detecting a Website Compromise for Free

Detect website compromises using host intrusion detection tools like OSSEC, network IDS watching for anomalies, and centralized log review. Tactical measures include scanning for iframes and obfuscated JavaScript, checking .htaccess files for malicious redirects, using remote scanners like Sucuri, and monitoring denylists.

A lot of websites are compromised without their owners noticing for days, weeks, even months that the sites are hosting illegitimate content, attacking visitors through malicious code or are being used as a command-and-control channel for a bot network. Below are my tips for detecting that your website was hacked for free. First, let’s remember the most common, strategic practices:

Deploy a host-level intrusion detection and/or a file integrity monitoring utility on the servers. The idea is to rely on signatures of attacks, system behavior anomalies and unexpected file changes to identify a security breach. OSSEC is a popular free tool for accomplishing this. An anti-virus tool might be a component of host-level intrusion detection, but is usually not sufficient.

Pay attention to network traffic anomalies in activities originating from the Internet as well as in Internet-bound connections. Network intrusion detection systems (e.g., Snort) can assist with this. Include in the effort an element of data loss detection, looking for sensitive information attempting to leave the environment. For instance, an e-commerce site can flag outbound traffic whose payload resembles a credit card number. Also, flag traffic going to known malicious hosts or networks.

Centrally collect and examine security logs from systems, network devices and applications. Doing this assists with troubleshooting operational problems and also helps identify security-related anomalies. Since people forget to review the logs on regular basis, also set up automated alerts to be notified of the more critical security events. There are a number of free log management tools that can be of help.

Here are additional tips that are of the more tactical nature, but that can be quite effective:

Use local tools to scan web server’s contents for risky contents. For instance, locating an invisible “iframe” HTML tag, JavaScript “eval” command, or the presence of obfuscation can indicate a compromise. Indicators of compromise can be present in server-side PHP files as well (e.g., “shell_exec” or “passthru” commands). Tools such as ClamAV and YARA can help you create the signatures and run automated scans to flag such anomalies. You can also scan a suspicious PHP file by uploading it to the free shellray webshell detector tool.

Pay attention to the web server’s configuration to identify directives that adversely affect the site’s visitors. Most notably, attackers have been known to modify or place .htaccess files on Apache servers to redirect visitors to other malicious URLs that host exploit kits. (Look for “RewriteCond” and “ErrorDocument” commands, for instance.)

Use remote scanners to identify the presence of malicious code on your website. Free tools for accomplishing this include Sucuri Site Check and QualysGuard. Such tools crawl your website looking for the signs of infection that include suspicious redirects and embedded client-side exploits.

Keep an eye on denylists of known malicious or compromised hosts in case your website appears there. Free resources to perform such look-ups include URLVoid, Unmask Parasites, MalwareURL and many others. Similarly, check for your website being listed in XSS Archive, where people report cross-site scripting vulnerabilities. Also keep an eye on relevant mentions in the social media as well; for instance, my proof-of-concept tool queries Twitter. For additional ideas along these lines, watch Kyle Maxwell’s presentation Open Source Threat Intelligence.

Pay attention to reports submitted to you by your users and visitors. Too often notices submitted to the company that its systems are vulnerable or were breached go unnoticed. Establish a process for how security weaknesses and concerns can be reported to you and make sure the workflow doesn’t let such reports slip through the cracks. Also, don’t “shoot the messenger” for reporting the issue to you. (See how not to respond to a security incident.)

Detecting data breaches can be a challenge, which is why so many companies are struggling with this. However, sometimes watching out for the few indicators of compromise outlined above can be enough to notice that your website was hacked. Of course, devoting time to creating automated and systemic controls to identify such incidents will help you flag problems early, before they escalate into a major ordeal. (For additional tips, see CERT Societe Generale’s website defacement cheat sheet PDF.)

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →