8 Strategic and Tactical Tips for Detecting a Website Compromise

A lot of websites are compromised without their owners noticing for days, weeks, even months that the sites are hosting illegitimate content, attacking visitors through malicious code or are being used as a command-and-control channel for a bot network. Below are my 10 tips for detecting that your website was hacked.

First, let’s remember the most common, strategic practices:

  • Deploy a host-level intrusion detection and/or a file integrity monitoring utility on the servers. The idea is to rely on signatures of attacks, system behavior anomalies and unexpected file changes to identify a security breach. OSSEC is a popular free tool for accomplishing this. An anti-virus tool might be a component of host-level intrusion detection, but is usually not sufficient.
  • Pay attention to network traffic anomalies in activities originating from the Internet as well as in Internet-bound connections. Network intrusion detection systems (e.g., Snort) can assist with this. Include in the effort an element of data loss detection, looking for sensitive information attempting to leave the environment. For instance, an e-commerce site can flag outbound traffic whose payload resembles a credit card number. Also, flag traffic going to known malicious hosts or networks.
  • Centrally collect and examine security logs from systems, network devices and applications. Doing this assists with troubleshooting operational problems and also helps identify security-related anomalies. Since people forget to review the logs on regular basis, also set up automated alerts to be notified of the more critical security events. There are a number of free log management tools that can be of help.

Here are additional tips that are of the more tactical nature, but that can be surprisingly effective:

  • Use local tools to scan web server’s contents for risky contents. For instance, locating an invisible “iframe” HTML tag, JavaScript “eval” command, or the presence of obfuscation can indicate a compromise. Indicators of compromise can be present in PHP files as well (e.g., “shell_exec” or “passthru” commands). ClamAV, YARA and Vscan can help you create the signatures and run automated scans to flag such anomalies.
  • Pay attention to the web server’s configuration to identify directives that adversely affect the site’s visitors. Most notably, attackers have been known to modify or place .htaccess files on Apache servers to redirect visitors to other malicious URLs that host exploit kits. (Look for “RewriteCond” and “ErrorDocument” commands.)
  • Use remote scanners to identify the presence of malicious code on your website. Free tools for accomplishing this include Sucuri Site Check and QualysGuard Malware Detection. Such tools crawl your website looking for the signs of infection that include suspicious redirects and embedded client-side exploits.
  • Pay attention to reports submitted to you by your users and visitors. Too often notices submitted to the company that its systems are vulnerable or were breached go unnoticed. Establish a process for how security weaknesses and concerns can be reported to you and make sure the workflow doesn’t let such reports slip through the cracks. Also, don’t “shoot the messenger” for reporting the issue to you. (See how not to respond to a security incident.)

Detecting data breaches can be a challenge, which is why so many companies are struggling with this. However, sometimes watching out for the few indicators of compromise outlined above can be enough to notice that your website was hacked. Of course, devoting time to creating automated and systemic controls to identify such incidents will help you flag problems early, before they escalate into a major ordeal. (For additional tips, see CERT Societe Generale’s website defacement cheat sheet PDF.)

Lenny Zeltser

32 notes

Show

  1. lennyzeltser posted this

Blog comments powered by Disqus

  • posted 16 June, 2011

  • 32 notes for this post