KNOWNHOST KNOWLEDGE BASE

Hosting Question? Find the Solution - Browse our Guides, Articles, and How-To's

How to know if your site’s been hacked

The moment every site owner dreads – learning that their site has been hacked. Given the number of automated hacking tools in circulation, it’s no wonder that there aren’t more sites suffering this fate. If you’re wondering whether or not your site has been hacked, then read on to learn about some of the most common signs and symptoms and how you can confirm whether or not you’ve been hacked.

Signs You’ve Been Hacked

Unexpected Listings When Spot-Checking Search Results

Regularly taking a few minutes to spot-check how your site looks in search results is a prudent practice for site owners. Automated rank-checkers are one good way of staying on top of pages moving up or down in rankings, but there’s more.

It’s a good idea to invest a couple of minutes on a regular basis to just visit Google and enter the following in the search box: site:knownhost.com (replacing knownhost.com with your own domain).

If you notice some odd pages that you don’t recognize in the results, particularly ones with nonsensical titles or descriptions, you know that further investigation is required.

Pop the site into Google Safe Browsing and see if it reveals anything (again replace with your own domain): transparencyreport.google.com/safe-browsing/search?url=knownhost.com

You may also notice that the Google search results pointing to your site may have warning messages by the URL such as, “This site may be hacked” or “This site may harm your computer”.

Google Alerts You

There are plenty of reasons to sign-up for Google Search Console, including the fact that you can login and check the Security Issues section of your dashboard to find example URLs which Google has flagged as likely being hacked. Email alerts mean you don’t have to login quite as often.

Cloaking – is where assorted site users see different content. Most often this is done to serve hacked content to Google but normal content to human visitors so that Google will display the hacked page titles and meta descriptions in search results.

Diagnosing:

Google reported issues means checking the URLs in alerts and the Security Issues section of Search Console as well as using the URL Inspection Tool in Search Console as well to look for problems (even when you don’t see them in your own browser).

Notes:

  • don’t ignore the alerts after visiting URLs reported by Google and not seeing any problems, since hackers frequently use cloaking techniques
  • Google isn’t the only search engine that gets targeted or that offers tools for managing issues – Bing Webmaster Tools is another place to get signed up

Web Hosting Company Alerts You

It’s not great to receive an alert that your web hosting account has exceeded resources, particularly when you later find that it wasn’t because of the Slashdot Effect, but rather due to the site being hacked.

If you’ve found that bandwidth, memory, CPU cycles, I/O or other monitored resources have been exhausted, it’s time to quickly find the culprit.

Regularly logging in to cPanel and glancing down at your resource consumption on the dashboard homepage will give you a chance to notice issues before they become account-busters!

Diagnosing:

If you have multiple domains in the account, login to cPanel and check Metrics → Bandwidth to find which ones are using the most, then check Metrics → Visitors and select that domain report. If you only have one domain, go straight to Metrics → Visitors and select the report.

This report will be showing you what resources are being requested most recently. When you see a flurry of activity around something you didn’t create, it’s time to act.

KnownHost customers can contact technical support for assistance in this situation. You’re not alone.

Complaints About Email Not Being Received

Email spam is just as much a threat as web pages and both are part of your online presence. If ecommerce order confirmation or acknowledgement/thank you emails aren’t being delivered (or people are complaining about not receiving them anyway), that’s a sign of email deliverability issues.

Diagnosing

When domains or IP addresses are reported for sending spam, real-time spam blacklists can flag a sender, resulting in companies, network providers and internet service providers stopping email getting to the intended recipients. Which blacklist is determined by who reported the spam and how.

The key is finding whether you’re on a blacklist so that you can stop the spam and notify the blacklists that you’ve fixed the problem.

UltraToolbox and MxToolbox are free online tools that let you check multiple blacklists in one fell swoop. Links to both are below in the Handy Tools section.

Website Stops Responding

Distributed Denial of Service (DDoS) attacks can paralyze a website through the flood of requests being launched from assorted devices simultaneously. Sites can freeze, go offline and become open to compromise.

See how KnownHost protects customers from DDoS attacks, read more about how DDoS attacks work and how to know if it’s a DDoS attack responsible for the server not responding.

Diagnosing:

If your site is not responding and you can’t get logged in to check resources and logs, contact KnownHost support immediately. DDoS attacks are taken very seriously. Don’t forget to check out the above guide on how to know if it’s a DDoS attack.

Website Pages Redirect Unexpectedly

When people trust a website thanks to a long, successful relationship, they’re likely to click on links throughout the site without even giving them a second thought. That’s what hackers are hoping to capitalize on when they change links in the site so they point to some advert, spam, malware or other unsavory destination.

Running a regular crawl of your website can help you identify broken links (internal and external), 404 pages and bad redirects.

Diagnosing:

When you or the crawler notice that your links aim somewhere offsite, that’s one way of uncovering a hack. Another is when you look at analytics, like Google Analytics, and see that the time on page and other metrics are very different from a week, month or year ago.

You Receive a Ransom Message – Hacker Says You’re Hacked

In a high percentage of cases, this isn’t true at all, but rather an attempt to extort money from you via social engineering. Checkout our explainer about blackmail email scams on the KnownHost blog.

Diagnosing:

It probably isn’t a scam if you find that your email password has been changed without your consent, if you’re seeing password reset notifications, or unexpected emails in your sent folder.

Two-factor authentication is getting to be must-have technology as are unique, strong passwords.

On the other side of the coin, ransomware has gone wild in the last couple of years. Organizations large and small are suffering from data being stolen or getting locked out of their systems with demands for payment to unlock them (or return the data).

These are the times when you’ll be glad you’ve got regular, complete backups and a disaster recovery plan that includes wiping and reinstalling everything.

Diagnosing:

If confidential information has been included, you can verify the authenticity of the ransom demand. If your website has been defaced, email database spammed, system passwords changed or other key assets control lost, it’s likely you’ve got a real issue.

More Things You Can Do

Check for Hacked Site Data Leaks

It’s entirely possible that some of your data has been stolen by hackers who accessed databases of sites you’ve used. Some of these breaches have occurred on huge sites like Dropbox, LinkedIn, tumblr, Adobe, Trillian, Bitcoin Talk and too many more to list.

Using the same password on multiple sites is one way that hackers can use leaked login details for additional hacking of someone’s online presence. If your primary email gets compromised then password resets at many sites can be done by hackers, exponentially increasing their impact.

If you’re using the same password for your hosting account admin pages, cPanel, databases or other critical systems as one used on a breached site, the risks to your site are tremendous.

Diagnosis:

Check sites which have acquired leaded breach data and run your email addresses through the checker to see which sites, if any, have your profile details.

Stay Updated – Patchman

A huge percentage of hacks occur because content management systems haven’t had security patches applied in a timely manner.

If you opt for Patchman with your hosting account, automatic patching will be done for common apps like WordPress, Joomla, Drupal and osCommerce.

Besides checking for vulnerabilities and malware, Patchman checks for any outdated software on your account. For a couple of dollars per month, Patchman is high-value protection.

Proactive Monitoring

VPS and dedicated hosting customers should definitely consider choosing proactive monitoring for their account.

By receiving automatic alerts about all the monitored resources, you’ll never be caught unaware of an issue. Equally important, the system also automatically opens a ticket with tech support so that the situation gets rectified quickly.

Check out our blog coverage of the 15 ways proactive monitoring works for more details.

CSF/LFD

Combining a Stateful Packet Inspection (SPI) firewall with intrusion detection and login activity monitoring, ConfigServer Security & Firewall (CSF) with Login Failure Daemon (LFD) is more than just monitoring and alerts.

LFD features automated IP blocking of detected attackers, login brute force attempts, port scanners and loads more. It’s a great open source security measure for VPS users.

Absorb What is Useful

Visit the KnownHost blog, forums and wiki and brush up on your security knowledge including best practices in securing your sites and hosting account, key terminology, how to protect and where to turn for more details or assistance.

Handy Tools

Google Hacked Sites Troubleshooter – support.google.com/webmasters/troubleshooter/6155978?hl=en

Google Search Console Security Issues Report – search.google.com/search-console/security-issues

Google Safe Browsing Transparency Report – transparencyreport.google.com/safe-browsing/search

IsItHacked Multi-Hack Checker – isithacked.com

MxToolbox Blacklist Checker – mxtoolbox.com/blacklists.aspx

Sucuri SiteCheck – sitecheck.sucuri.net/

MxToolBox Blacklist Check – mxtoolbox.com/blacklists.aspx