An important aspect of monitoring your site is to notice unusual changes, things that are different from normal, so make a habit of paying attention now to what is normal and usual, while your site is not hacked.
Make a habit of checking the "Last login from:" box to make sure it shows your IP address from the last time you logged in.
Google account (free) and login required. Google notifies you in Webmaster Tools if your site gets flagged as harmful. They often notify you by email, too, if they have your email address. You can also check your Google status anytime by typing this in a Google search box and viewing the results: site:yourdomain.com.
Warning messages in Google search results are based on a Google database. You can view an up-to-date report from the database for any website by entering this URL in your browser address bar. Replace EXAMPLE.COM with the address of the website you want to check:
http://www.google.com/safebrowsing/diagnostic?site=EXAMPLE.COM
If your site is flagged, you'll find a short summary of badware behavior found.
Reports the threats, categorized by type, that have been found on websites. You can go directly to the report for any site with this address (replace EXAMPLE.COM):
http://safeweb.norton.com/report/show?url=EXAMPLE.COM
The report describes how many emails they received after registering at a site, how spammy the emails were, whether the site has outlinks to bad websites, and whether they found viruses or spyware on pages or in downloads. Users sometimes post public comments with complaints or praise. SiteAdvisor is a way to learn what others think of your site. It doesn't seem to be updated very often, however, so it's not an early warning system.
If your pages usually validate ok, but suddenly stop validating, it can be a sign that new code was inserted at invalid locations in your files. The reported validation errors might be at exactly the locations where the injected code is.
At each of the popular search engines, watch for:
- Pages that the search engine says are on your site, but that you didn't put there.
- Text snippets that are wrong, containing text you did not put on the page.
Always use an up-to-date antivirus and antispyware program on your own PC so you'll be alerted if your website starts distributing malware. Use "real-time" scanning protection, which will catch malicious files as soon as they are received. An on-demand scanner (such as a free online scanner, or a once-a-day manual scan) isn't enough. By the time you identify and quarantine the virus, the damage it was intended to cause might already be done.
Use your browser's View Source feature occasionally to inspect your page's HTML code for text injections of invisible iframes, JavaScript, and links to malicious websites. These are often the definitive indicators that the pages have been tampered with. The "badware investigation" article referenced above shows examples of what these things look like. They're just text. Once you know what to look for, they're easy to find.
It's a good idea also to check a few files on your server from time to time. Open your home page in your control panel's File Manager and inspect the HTML for the signs of tampering described above.
Whenever you are viewing a list of the files on your server (such as in cPanel > File Manager or by FTP), be alert for file names you don't recognize or sizes that are obviously wrong (such as a size of 0 for a file you know should be bigger).
The files on your server should never be different from what they were when you originally uploaded them. A file getting modified on your server without your permission is not normal. If it happens at all, it is an indication that something is wrong.
10) HTTP access log
This log records the requests for pages and other files from your site.
If there are successful requests (HTTP result code 200) for files you didn't put on the site, it's suspicious. It's even more suspicious if the filenames are variations of these often-used names for hack scripts: id.txt, cmd.txt, safe.txt, r57.txt, test.txt, echo.txt, php.txt, load.txt, or mic.txt.
Don't panic just because you find mentions of those filenames. You probably will find them. It matters where the names appear. Here are two different types of requests:
1. This one is a "Remote File Inclusion" (RFI) attack on your site. The GET command is requesting your index.php. It is trying to use the "query string" (the part after the first question mark) to inject safe.txt from the other site into your site. This is cause for concern because if it succeeds, your site will be hacked. However, this log line does not mean it has succeeded. It is just an attempt, and it is normal to find many of these attempts in your logs:
2. If the attack on your site does succeed (which you cannot determine from your log data alone), here is what famousuniversity will see in their log. This is a sign, to them, that they have been hacked. This GET is requesting safe.txt. If the result code is 200 (Success), it means the file was served, so it must be on the server. If they know that a file called safe.txt shouldn't be there, it means they were hacked and it was put there by somebody else, so they should find and examine the file. It is usually a PHP script intended to be used in attacks on other sites. I use famousuniversity as an example because my site actually has been attacked with scripts hosted at famous universities whose user accounts were compromised. It happens.
As demonstrated in example 1, your access log is the place to learn how your site is being attacked, whether successfully or not, so you can learn what things you need to defend against.
Near-misses are good to learn from. If you find an attack that did not succeed in doing harm but did return a result code of 200 (meaning the server accepted the request and sent a file), it is a good idea to determine the malicious feature of the attack code and revise your .htaccess to block those types of requests. The goal should be for every known type of attack to get a 403 Forbidden result instead of 200. That will mean that your server rejected the request "at the front door", and the attack never had the opportunity to do harm. The Website Security article linked at the top of this page has some specific methods for this type of request blocking.
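As an added example (not code from the original article), here is a small Python script that applies the two log-line readings above to Apache-style access log lines: a query-string value that is itself a URL is reported as an RFI attempt, one that the server answered with 200 is marked as not yet blocked, and a 200 for any of the hack-script names listed above is reported as a served hack script. The sample log lines, the IP addresses and the host name famousuniversity.example are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Names the article lists as often used for hack scripts.
HACK_SCRIPT_NAMES = {"id.txt", "cmd.txt", "safe.txt", "r57.txt", "test.txt",
                     "echo.txt", "php.txt", "load.txt", "mic.txt"}
# Apache "combined" log format as written by cPanel hosts (only the fields we need).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
REMOTE_URL = re.compile(r"(?i)^(https?|ftp)://")

def classify(line):
    """Return a report dict for one log line, or None if nothing is reportable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, status = m.group("target"), int(m.group("status"))
    parts = urlsplit(target)
    findings = []
    # Example 1 in the article: a query-string value that is itself a URL is a
    # Remote File Inclusion attempt.  The line alone does not prove it succeeded.
    values = parse_qs(parts.query, keep_blank_values=True).values()
    if any(REMOTE_URL.match(v) for vs in values for v in vs):
        findings.append("rfi_attempt")
        if status == 200:  # accepted "at the front door"; .htaccess should give 403
            findings.append("not_blocked")
    # Example 2: a 200 for one of the well-known script names means the file
    # really is on the server; if you did not put it there, you were hacked.
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name in HACK_SCRIPT_NAMES and status == 200:
        findings.append("hack_script_served")
    if not findings:
        return None
    return {"ip": m.group("ip"), "target": target, "status": status,
            "findings": findings}

def scan_log(lines):
    """Classify every line and keep only the reportable entries, in log order."""
    return [e for e in (classify(l) for l in lines) if e]

# Constructed sample lines; famousuniversity.example is a placeholder host name.
# Lines 1-2 are what the attacked site logs, line 3 what the host of safe.txt logs.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2013:10:15:01 +0000] "GET /index.php?page=http://famousuniversity.example/~user/safe.txt? HTTP/1.1" 200 4120 "-" "libwww-perl/5.8"
203.0.113.7 - - [02/Mar/2013:10:15:02 +0000] "GET /index.php?page=http://famousuniversity.example/~user/safe.txt? HTTP/1.1" 403 210 "-" "libwww-perl/5.8"
198.51.100.3 - - [02/Mar/2013:11:02:44 +0000] "GET /~user/safe.txt HTTP/1.1" 200 8871 "-" "PHP/5.3"
192.0.2.9 - - [02/Mar/2013:11:05:00 +0000] "GET /about.html HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""
REPORT = scan_log(SAMPLE_LOG.splitlines())  # three reportable entries; about.html is not one
```

Any entry marked not_blocked is the "near-miss" the paragraph above describes: the request pattern to turn into a 403 rule.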
Your HTTP and FTP access logs (see the next section) are usually available for download at cPanel > Raw Log Manager. The log files are usually stored outside public_html, sometimes in a folder called /logs, which you can find with cPanel > File Manager or with FTP.
11) FTP access log
Unauthorized users, IP addresses, or file transfers in your FTP log are proof that your site is compromised.