8 Practical Tips for Detecting a Website Compromise for Free

A lot of websites are compromised without their owners noticing for days, weeks, even months that the sites are hosting illegitimate content, attacking visitors through malicious code or being used as a command-and-control channel for a bot network. Below are my tips for detecting, at no cost, that your website was hacked.

First, let’s remember the most common, strategic practices:

  • Deploy a host-level intrusion detection and/or a file integrity monitoring utility on the servers. The idea is to rely on signatures of attacks, system behavior anomalies and unexpected file changes to identify a security breach. OSSEC is a popular free tool for accomplishing this. An anti-virus tool might be a component of host-level intrusion detection, but is usually not sufficient.
  • Pay attention to network traffic anomalies in activities originating from the Internet as well as in Internet-bound connections. Network intrusion detection systems (e.g., Snort) can assist with this. Include in the effort an element of data loss detection, looking for sensitive information attempting to leave the environment. For instance, an e-commerce site can flag outbound traffic whose payload resembles a credit card number. Also, flag traffic going to known malicious hosts or networks.
  • Centrally collect and examine security logs from systems, network devices and applications. Doing this assists with troubleshooting operational problems and also helps identify security-related anomalies. Since people forget to review the logs on a regular basis, also set up automated alerts to be notified of the more critical security events. There are a number of free log management tools that can be of help.
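The file-integrity part of the first tip comes down to a baseline of file digests and a periodic comparison against it. The following is an added example of that idea, not OSSEC's code or anything from the article; it assumes SHA-256 digests, a JSON baseline that would be stored off the web server, and a constructed temporary document root in which one file is modified and one is dropped in.

```python
"""File-integrity baseline and comparison (added example, not OSSEC code).

Assumptions (not from the article): SHA-256 per file, a JSON baseline kept
off-box, and a walk that excludes nothing; real deployments skip log and
cache directories and schedule the comparison.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file path (relative to root) to its digest and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: clean docroot, then a tampered index and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { color: #000; }\n")
        # Round-trip through JSON, as a baseline kept on another host would be.
        stored = json.loads(json.dumps(build_baseline(root)))

        # Simulate tampering: content appended to index.php and a new PHP file.
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n<!-- injected -->\n")
        (root / "dropped.php").write_text("<?php /* constructed dropped file */ ?>\n")
        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison reports three classes of change; in practice "added" PHP files under upload or cache directories and "modified" entries for files that never legitimately change (index pages, configuration) are the ones worth an alert.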

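The second tip's illustration, flagging outbound payloads that resemble a credit card number, needs more than a digit-count regex or every phone number and order ID becomes an alert. The block below is an added example, not code from the article; it assumes candidates are 13 to 19 digits optionally separated by single spaces or dashes, requires the Luhn checksum to pass, and reports only the last four digits so the alert itself is not sensitive. The sample request body is constructed.

```python
"""Outbound-payload check for card-like numbers (added example, not from the article).

Assumptions: 13-19 digit runs with optional single spaces or dashes between
digits, Luhn-validated, masked to the last four digits in the report.
"""
import re

# A digit run of 13-19 digits with optional single space/dash separators,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: passes for issued card numbers, fails for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_like(payload: str) -> list:
    """Return masked hits for every Luhn-valid 13-19 digit run in the payload."""
    hits = []
    for m in CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


# Constructed outbound request body: the well-known 4111... test number,
# a phone number (too short), and a near-miss that fails the Luhn check.
SAMPLE = (
    "POST /collect HTTP/1.1\r\nHost: example.net\r\n\r\n"
    "id=42&cc=4111 1111 1111 1111&tel=+1-555-0100-123&ref=4111111111111112"
)

if __name__ == "__main__":
    print(find_card_like(SAMPLE))
```

Only the spaced test number is reported; the phone number is too short and the final value fails Luhn. A production check would run this over decompressed HTTP bodies and other egress protocols, and rate-limit alerts per destination.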
Here are additional tips that are of a more tactical nature, but that can be quite effective:

  • Use local tools to scan the web server’s contents for risky content. For instance, locating an invisible “iframe” HTML tag, a JavaScript “eval” call, or the presence of obfuscation can indicate a compromise. Indicators of compromise can be present in server-side PHP files as well (e.g., “shell_exec” or “passthru” calls). Tools such as ClamAV and YARA can help you create signatures and run automated scans to flag such anomalies. You can also scan a suspicious PHP file by uploading it to the free shellray webshell detector tool.
  • Pay attention to the web server’s configuration to identify directives that adversely affect the site’s visitors. Most notably, attackers have been known to modify or place .htaccess files on Apache servers to redirect visitors to other malicious URLs that host exploit kits. (Look for “RewriteCond” and “ErrorDocument” commands, for instance.)
  • Use remote scanners to identify the presence of malicious code on your website. Free tools for accomplishing this include Sucuri Site Check and QualysGuard. Such tools crawl your website looking for the signs of infection that include suspicious redirects and embedded client-side exploits.
  • Pay attention to reports submitted to you by your users and visitors. Too often, notices submitted to a company that its systems are vulnerable or have been breached go unnoticed. Establish a process for how security weaknesses and concerns can be reported to you and make sure the workflow doesn’t let such reports slip through the cracks. Also, don’t “shoot the messenger” for reporting the issue to you. (See how not to respond to a security incident.)
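The first two tactical tips, scanning page content for hidden iframes, “eval”, obfuscation and PHP execution functions, and checking .htaccess for redirect-related directives, can both be covered by one small indicator scan. The following is an added example written for this article, not ClamAV, YARA or any tool the author names; it uses regex heuristics rather than real signatures, assumes the site's own host is `www.example.org` so that a rewrite or error page pointing anywhere else counts as an off-site redirect, and runs over constructed sample files instead of a real document root.

```python
"""Indicator scan for web content and .htaccess (added example, not ClamAV/YARA).

Assumptions (not from the article): regex heuristics, a constructed sample
set, and "external" meaning an absolute http(s) URL whose host is not the
site's own host. Rule names mirror the indicators the article lists; the
extra PHP function "system" is this example's addition.
"""
import re

SITE_HOST = "www.example.org"  # constructed: the host of the site being checked

# Heuristics for HTML/PHP content.
CONTENT_RULES = {
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|"
        r"width\s*=\s*[\"']?0|height\s*=\s*[\"']?0)[^>]*>", re.I),
    "js_eval": re.compile(r"\beval\s*\(", re.I),
    "php_exec": re.compile(r"\b(?:shell_exec|passthru|system)\s*\(", re.I),
    # base64_decode or a long run of base64 alphabet is a common obfuscation sign.
    "obfuscation": re.compile(r"base64_decode\s*\(|[A-Za-z0-9+/]{120,}={0,2}"),
}

# .htaccess directives the article singles out; URL rules capture the target.
HTACCESS_RULES = {
    "rewrite_on_referer_or_ua": re.compile(
        r"^\s*RewriteCond\s+%\{(?:HTTP_REFERER|HTTP_USER_AGENT)\}", re.I | re.M),
    "rewrite_external": re.compile(
        r"^\s*RewriteRule\s+\S+\s+(https?://[^\s\]]+)", re.I | re.M),
    "errordocument_external": re.compile(
        r"^\s*ErrorDocument\s+\d{3}\s+(https?://\S+)", re.I | re.M),
}


def _is_external(url: str) -> bool:
    """True when an absolute URL points at a host other than SITE_HOST."""
    host = re.match(r"https?://([^/:]+)", url)
    return bool(host) and host.group(1).lower() != SITE_HOST


def scan_content(text: str) -> list:
    """Return the names of content rules that fire on an HTML/PHP file."""
    return [name for name, rx in CONTENT_RULES.items() if rx.search(text)]


def scan_htaccess(text: str) -> list:
    """Return rule names that fire; URL-bearing rules only fire for off-site targets."""
    hits = []
    for name, rx in HTACCESS_RULES.items():
        for m in rx.finditer(text):
            if m.groups() and not _is_external(m.group(1)):
                continue  # same-site redirect or error page: normal configuration
            hits.append(name)
            break
    return hits


# Constructed samples: an injected page, a clean page, a tampered and a clean .htaccess.
INJECTED_HTML = (
    "<html><body>Welcome\n"
    '<iframe src="http://bad.example.net/x" style="display:none"></iframe>\n'
    '<script>eval(unescape("%61%6c"));</script></body></html>'
)
CLEAN_PHP = "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>"
TAMPERED_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing)\\. [NC]
RewriteRule ^(.*)$ http://bad.example.net/land.php [R=302,L]
ErrorDocument 404 http://bad.example.net/404.php
"""
CLEAN_HTACCESS = """RewriteEngine On
RewriteRule ^old/(.*)$ https://www.example.org/new/$1 [R=301,L]
ErrorDocument 404 /errors/404.html
"""

if __name__ == "__main__":
    for label, text, fn in [("injected.html", INJECTED_HTML, scan_content),
                            ("clean.php", CLEAN_PHP, scan_content),
                            ("tampered .htaccess", TAMPERED_HTACCESS, scan_htaccess),
                            ("clean .htaccess", CLEAN_HTACCESS, scan_htaccess)]:
        print(f"{label}: {fn(text)}")
```

Heuristics like these produce false positives on minified JavaScript and legitimate same-site rewrites, which is why the .htaccess rules are gated on the redirect leaving the site and why a real deployment would combine this with the file-integrity baseline rather than treating any single hit as proof of compromise.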

Detecting data breaches can be a challenge, which is why so many companies are struggling with this. However, sometimes watching out for the few indicators of compromise outlined above can be enough to notice that your website was hacked. Of course, devoting time to creating automated and systemic controls to identify such incidents will help you flag problems early, before they escalate into a major ordeal. (For additional tips, see CERT Societe Generale’s website defacement cheat sheet PDF.)


About the Author

Lenny Zeltser is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.