Most customers discover that their website is hacked on seeing the ‘Red Screen of Death’ by Google or when a customer tells them. This can be dangerous because it means your website has been infected for a long time and may have damaged your website’s reputation and privacy.
Websites have become central to all businesses these days. They handle everything from e-Commerce transactions, customer data, marketing and everything in between. Yet website security seems to be ignored while building products and end up being hacked. There is a saying in the Security Industry:
There are two types of companies in the world: those that know they’ve been hacked, and those that don’t.
Every website regardless of where it’s hosted, size of the development team, HTTPS is vulnerable to being hacked without adequate security measures. Security is an on-going process and 100% security is a myth. We at Astra strongly encourage our customers to take proactive security measures and help them in being prepared to mitigate any hacking scenario.
With this article, let us try to spot any signs that your website may be hacked.
15 Signs Your Website Has Been Hacked
1. Google Chrome (or another browser) Shows A Warning When Visiting Your Website
If your customer (or you) see a message from Google Chrome with a warning message saying that your website may be hacked, it probably is. This message is shown when your website has been blacklisted by Google Safe Browsing.
Popular browsers like Google Chrome, Mozilla Firefox, Safari & Opera use Google’s blacklist to show warning messages to visitors. Look at some warning messages that Google shows when your website is hacked. The warning messages vary depending on what Google finds on your websites but they more or less look like this:
2. Google Search Console Sends A Message Saying Your Website Is Hacked Or Has Malware
If your website is linked to the Google Search Console (earlier called Google Webmaster Tools), Google will send you a message (and email) notifying you about your website being hacked. This means that Google has detected some malicious code, spam content or has reasonable doubt to believe that your website has been compromised. Check our detailed blog on how to fix social engineering content and to reactivate disapproved Google Ads.
Usually, this message will contain details of the suspected URLs and possible attack vectors. Later in this guide, we will talk about what to do when you receive such a message.
3. Your Hosting Company Disabled Your Website
Website hosting companies regularly scan their servers for malicious code and often immediately disable hacked websites to ensure the infection is not spread to other websites on that server. There can be numerous reasons why your hosting company may disable your website including but not limited to:
- Malware Code is found on your server
- Your website domain has been blacklisted by Google, Norton Safe Web, Spamhaus, etc.
- Spam or Phishing emails being sent from your server
- High CPU usage due to malicious code running on your website
Here is a detailed blog on reasons and solution if your hosting company (Godaddy, HostGator, Hostinger, etc.) has suspended your account.
4. Outbound Ports 80, 443, 587 and 465 For Your Account Are Blocked
In some cases, the hosting company may limit resources to your website instead of completely disabling it. GoDaddy, HostGator & BigRock have automated systems to block connections to outbound ports like 80, 443, 587 and 465 for your account. Such security measures are put in place to contain the malware infection and prevent spam from the servers.
Once the malicious files have been quarantined from the server and your website passes the automated Virus Scanner, you can request to be unblocked.
5. Customers Complain About Their Credit Card Being Hacked
Over the years, hackers have become sophisticated and use malicious techniques to collect Credit Card information entered or stored on your website. They sell these card details on the internet which are then used to make a fraudulent transaction of varying amounts (From $1 to $1000 or more).
Such attacks are targeted and are caused due to security vulnerabilities in your e-Commerce store. If you are using a Content Management System (CMS) like Magento, OpenCart or PrestaShop, one of the installed plugins might be containing some critical security flaws.
Related Article – Credit Card Hack in Magento, OpenCart & WooCommerce
6. Your Emails Are Sent To The SPAM Folder
Hackers are known to use malware on hacked websites to send spam emails to a huge number of people. Due to the spammy nature of the emails, email servers around the world may have blacklisted your server and it’s IP address. As a result, even legitimate emails being sent by you end up in the spam folder. Every email in the spam folder is a loss of business & online reputation!
Our security researchers recently found malicious jQuery code in a huge number of hacked Magento Stores. This tiny code snippet sends credit card information to malicious servers on the Checkout page. If you are facing similar problem check our detailed blog on Credit/Debit card malware hack.
8. Your Website Becomes Very Slow And Shows Error Messages
If you notice that your website has suddenly become very slow and shows error messages, it is likely that malware is utilizing your server resources. Most targeted pages are the checkout, payment, login and signup pages. For a page that normally loads in 4 seconds if it takes 10+ seconds, something is wrong.
9. You Find Unexpected Error Messages In Your Error Logs
Often you will find unexpected messages in the error logs about deprecated functions, undefined offsets, connection denied or other errors. If the file path or error looks unfamiliar, verify the authenticity of the code or run a malware scan. Some of the most common error messages are:
PHP Deprecated: Function ereg_replace() is deprecated in /home/xxxxxxxx/public_html/js/extjs/resources/images/magento/grid/kala.php(1) : eval()'d code on line 1
PHP Notice: Undefined index: _upl in /home/xxxxxxxx/public_html/index.php on line 64
PHP Fatal error: require_once(): Failed opening required '/home/xxxxxxxx/public_html/js/shell.php
PHP Parse error: syntax error, unexpected 'if' (T_IF) in /home/xxxxxxxx/public_html/js/index.php on line 40
10. You Find New Admin Users Or FTP Accounts Which You Haven’t Created
If you find new admin users, database users, FTP users it is a strong sign that you are hacked. Privileged accounts are left behind by hackers to continue having access to your website and server. Such accounts are used to backdoor your website and access if whenever they wish to.
Check our detailed blog posts how to safeguard admin panel for various CMS (WordPress, Magento, Opencart, Joomla etc.)
11. Files Have Been Recently Modified
If you notice core system files being recently modified, compare the files to earlier versions to find what has changed. An attacker could have modifies the files to run malicious code, send spam emails or create back-doors to your website.
If there are files with suspicious looking filenames, server-side scripts (.php, .aspx, .py etc) files in upload directories, it is a strong indication that your website is hacked.
Related Articles – How to identify & fix hacked WordPress files
12. Ads & Pop-ups Open When Visiting Your Website
If your website visitors see spam advertisements or popups, your website is likely to be compromised due to Cross-site Scripting (XSS) or malicious code injection. Hackers earn money from ad impressions. Google safe browsing team will send you a mail that they have detected social engineering content on your website.
13. Your Website Is Being Redirected to Hacked Sites
Again a sign of Cross-site Scripting or Server-side code manipulation where a hacker is able to redirect your web traffic to phishing pages, compromised websites or even competitor websites.
14. You See A Traffic Spike, Sometimes On Pages That Don’t Exist
Hackers use your hacked website for ‘spamvertising’ causing a traffic spike. Spam emails are sent from your server with links to existing or new pages that are created by the hacker. This comes from the words “spam” and “advertising”.
Spamvertising is used to vandalize blogs, website, forums and comment sections with hyperlinks in order to get a higher search engine ranking for the hacker’s website.
15. Unknown Code Or Redirects In The .htaccess File
In most cases of malicious redirects, the .htaccess file has been hacked and injected with redirection code. This is possible through “backdoor(s)”that a hacker may have placed on website files. Some of the possible symptoms:
- Your site shows a blank page and doesn’t load
- Your site gets redirected to some malicious website
- Your site redirects you to Google
- Your site can’t be accessed by Google
- Your .htaccess file keeps getting modified
What To Do If You Suspect Your Website Is Hacked
1. Run A VirusTotal.com Website Scan: VirusTotal is an amazing tool backed by Google which simultaneously scans over 70+ major blacklist and malware engines to check whether your website is hacked or not.
2. Check Blacklist Status on Google Safe Browsing Site Status page: Simply replace the ‘getastra.com’ with the URL of your website at the end of the URL and it will show you the blacklist status of your website with Google. It also shows you the details of the hack and steps you should take to fix this.
3. Disable Access To Your Website: Before any serious damage is done and the customer gets to know about the hack, put your website in maintenance mode and restrict access only to authorized users. You can do this by placing a .htpasswd.
4. Run The Virus Scanner In Your cPanel: Most of the hosting providers have automated Virus Scanners in the cPanel dashboard to find any known malware. These scans perform a basic search and help you identify the infected files. However, keep in mind that these scanners do not identify the reason for the hack, the vulnerability scanners do not protect your website from being re-infected.
5. Protect Your Website With a Website Firewall (WAF): Protect your website with a firewall like Astra, which will prevent any such hacks in the future and ensure your website doesn’t get hacked. A web application firewall monitors the incoming traffic on your website and blocks the malicious requests. With Astra, you can also block bad bots and automated security tools by laying our strategic ‘honeypots’ and other sophisticated mechanisms.
6. Get Professional Website Malware Cleanup: You can engage security professionals to clean the hacked website for you. Astra provides Unlimited Priority Malware Cleanups with its 1 year Pro & Business plans. Malware cleanup with the protection of a Website Firewall. Contact us for a complimentary security consultation.