What are the signs your web application has been hacked?

Black Duck Editorial Staff

Apr 27, 2017 / 3 min read

Your web application is the face of your business. It is the client-server software exposed to the world. For instance, when you want to book an airline ticket you visit the airline’s website to make the reservation. This public exposure and interaction is highly convenient to current and potential customers. However, it also makes your site susceptible to attacks.

In many cases, it’s easy to identify when a web application is compromised. In many cases—but not always. In fact, the M-Trends 2016 report from FireEye shows that it takes an average of 99 days to detect a security breach. Surprisingly, most reported intrusions are not detected by internal security processes. Rather, they’re disclosed by news reports, customer complaints, law enforcement, and other external sources.

It’s important to recognize that every attack is different. And attack consequences also vary. Here are six ways to determine if your web application has been compromised.

Website defacement

One of the most common and notorious types of attack is website defacement. It refers to the unauthorized modification to the appearance of the web application. In some cases, the web content is altered. In others, the web application is redirected to (or replaced by) a completely different website.

Abnormal behavior

Changes in web application performance can also be a sign that it has been breached. If the application is displaying unexpected or unintended behavior, that should set off suspicions. Abnormal behavior may include:

  • Slow loading
  • Network traffic fluctuation
  • Modified code or data
  • Unexpected pages displaying (such as excessive advertising)
  • Application redirects to a different page or site

Log entries

Monitoring log messages can reveal malicious activity taking place within the application. Some suspicious signs include:

  • Multiple errors taking place in a short period within the database logs
  • Suspicious inbound and outbound network connections
  • Suspicious admin-level tasks (e.g., user account creation)
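The following script is an added illustration, not code from the article or from Black Duck. It applies the first and third checks above to a few constructed log lines: it flags a burst of database errors inside a short time window, and it pulls out admin-level events such as account creation. The log layout (`timestamp source LEVEL message`), the `db` and `app` source tags, and the threshold of five errors within ten seconds are assumptions chosen for the example; adapt the regular expressions and thresholds to your own log format.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): a short burst of database errors,
# then an admin-level action, then an isolated error an hour later.
SAMPLE_LOG = """\
2017-04-27T10:00:01 db ERROR syntax error in query
2017-04-27T10:00:02 db ERROR syntax error in query
2017-04-27T10:00:02 db ERROR unterminated quoted string
2017-04-27T10:00:03 db ERROR syntax error in query
2017-04-27T10:00:04 db ERROR relation "users_backup" does not exist
2017-04-27T10:00:05 db ERROR syntax error in query
2017-04-27T10:15:30 app INFO user login alice
2017-04-27T10:16:02 app INFO admin action: created user account "svc_tmp" by alice
2017-04-27T11:00:00 db ERROR connection timeout
"""

# Assumed line layout: ISO timestamp, source, level, free-text message.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

# Message fragments that indicate admin-level tasks worth reviewing (assumed wording).
ADMIN_RE = re.compile(r"created user account|password changed|added .* to group", re.I)


def parse_log(text):
    """Turn raw log text into dicts with a datetime, source, level and message."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, source, level, message = m.groups()
        entries.append({"ts": datetime.fromisoformat(ts), "source": source,
                        "level": level, "message": message})
    return entries


def detect_error_bursts(entries, threshold=5, window=timedelta(seconds=10)):
    """Return (window_start, count) for each run of at least `threshold`
    database ERROR entries that fall within `window` of each other."""
    recent = deque()   # timestamps of db errors still inside the window
    bursts = []
    flagged = False    # report each burst once, not on every extra error
    for e in entries:
        if not (e["source"] == "db" and e["level"] == "ERROR"):
            continue
        recent.append(e["ts"])
        while e["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and not flagged:
            bursts.append((recent[0], len(recent)))
            flagged = True
        elif len(recent) < threshold:
            flagged = False
    return bursts


def find_admin_events(entries):
    """Return (timestamp, message) for entries that look like admin-level tasks."""
    return [(e["ts"], e["message"]) for e in entries if ADMIN_RE.search(e["message"])]


def analyze(log_text):
    entries = parse_log(log_text)
    return {"error_bursts": detect_error_bursts(entries),
            "admin_events": find_admin_events(entries)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for start, count in result["error_bursts"]:
        print(f"db error burst: {count} errors starting {start}")
    for ts, msg in result["admin_events"]:
        print(f"admin event at {ts}: {msg}")
```

The burst detector deliberately reports a burst once and stays quiet until the window empties, so a long-running problem does not flood the reviewer with one alert per log line. The single timeout at 11:00 is not reported because it never reaches the threshold.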

New users or processes

Monitoring user accounts and processes can also help detect a breach. For example, it can help you detect when:

  • Unknown miscellaneous user accounts have been created
  • Existing account passwords have been changed
  • The server is running an unknown process
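As an added example (not the article's own code), the script below compares a saved baseline of accounts and processes with a current snapshot and reports exactly the three conditions listed above: accounts that did not exist before, accounts whose password hash has changed, and running processes that are not on the known list. The input formats are assumptions for the example: shadow-style `name:hash:...` lines for accounts and `ps -eo pid,comm` style output for processes; all values are constructed.

```python
# Constructed baseline and current account snapshots in /etc/shadow layout
# (name:hash:lastchange:...). The hashes are placeholders, not real hashes.
BASELINE_SHADOW = """\
root:$6$salt1$hashA:17283:0:99999:7:::
www-data:*:17283:0:99999:7:::
alice:$6$salt2$hashB:17283:0:99999:7:::
"""

CURRENT_SHADOW = """\
root:$6$salt1$hashA:17283:0:99999:7:::
www-data:*:17283:0:99999:7:::
alice:$6$salt3$hashC:17300:0:99999:7:::
svc_tmp:$6$salt4$hashD:17300:0:99999:7:::
"""

# Process names expected on this (hypothetical) web server.
KNOWN_PROCESSES = {"systemd", "sshd", "nginx", "php-fpm", "mysqld"}

# Constructed output in the shape of `ps -eo pid,comm`; "sysupd" is a made-up
# name standing in for any process the baseline does not account for.
CURRENT_PS = """\
  PID COMMAND
    1 systemd
  812 nginx
  813 php-fpm
  901 mysqld
 4420 sysupd
"""


def parse_shadow(text):
    """Map account name to its password hash field."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw_hash = line.split(":")[:2]
        accounts[name] = pw_hash
    return accounts


def compare_accounts(baseline_text, current_text):
    """Report new accounts, removed accounts and changed password hashes."""
    base, cur = parse_shadow(baseline_text), parse_shadow(current_text)
    return {
        "new": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "password_changed": sorted(n for n in base if n in cur and base[n] != cur[n]),
    }


def parse_ps(text):
    """Parse `ps -eo pid,comm` style output into (pid, command) pairs."""
    procs = []
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            procs.append((int(parts[0]), parts[1].strip()))
    return procs


def unknown_processes(ps_text, known):
    """Return running processes whose command name is not in the known set."""
    return [(pid, comm) for pid, comm in parse_ps(ps_text) if comm not in known]


if __name__ == "__main__":
    print(compare_accounts(BASELINE_SHADOW, CURRENT_SHADOW))
    print(unknown_processes(CURRENT_PS, KNOWN_PROCESSES))
```

A name-only process check is a starting point, not a guarantee: a process can be named after a legitimate daemon, so in practice pair the name with its executable path and owner. The baseline must also be captured while the system is known to be clean, or the comparison only confirms the attacker's changes.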

Web application file changes

Changes to web application files should be investigated. File timestamps can help identify whether a file has recently been modified or deleted, and can reveal unauthorized changes. Hackers can modify files to run malicious code. New files can also appear; if they are unaccounted for, they can be a sign of a compromise.
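Timestamps are a useful first signal, but they can be set to any value, so a content hash is the more reliable way to detect the modified, added and deleted files this section describes. The following file integrity check is an added example, not code from the article or from Black Duck: it records a SHA-256 manifest of a web root, then compares a later manifest against it. The web root, file names and simulated changes are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, current):
    """Report files whose content changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo():
    """Build a constructed web root, record a baseline, simulate the three kinds
    of change the article lists, and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "config" / "app.ini").write_text("debug=0\n")
        (root / "config" / "old.ini").write_text("debug=0\n")
        baseline = build_manifest(root)  # captured while the tree is known-good

        # Simulated unauthorized changes (constructed for the example): an edited
        # page, a new file in a writable directory, and a deleted config file.
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n<!-- changed -->\n")
        (root / "uploads" / "unexpected.php").write_text("<?php /* not deployed by us */ ?>\n")
        (root / "config" / "old.ini").unlink()
        current = build_manifest(root)

        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline manifest must live somewhere the web server cannot write to (an off-host store or a read-only mount); a manifest stored beside the files it protects can be rewritten along with them. Regenerate the baseline only as part of a deliberate deployment, so every difference the comparison reports is by definition unplanned.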

Google search results

Changes to search results can also flag a problem. Google warns users if it scans a website and discovers any problems. It often removes any identified hacked sites from search results. However, in some cases, breached sites may still be listed. These may be flagged with a message reading “This site may be hacked” or “This site may harm your computer.”

Think you’ve been hacked? What’s your next move?

The sad truth is that a great deal of web application owners aren’t aware that their applications have been hacked. That’s why it’s critically important to recognize the signs. If you suspect that your application has in fact been hacked, here’s how to act to prevent further damage:

  • Take it offline. Temporarily shut the site down for cleaning and resolution of issues. During this period, examine files and code for unauthorized changes or malicious code.
  • Back up and restore. Create a backup of the application and server for forensic investigation. Restore a clean, stable copy of the application instead of merely uninstalling or cleaning the affected version.
  • Update passwords. Once the restored copy is in place, update all associated passwords. Enable multi-factor authentication whenever possible.
  • Harden the application. Never use default passwords, and follow the principle of least privilege (give each user only the access they need, and no more).
  • Logging and monitoring. Consistently monitor the web application for unusual traffic, behavior, or other suspicious activities. Use a monitoring service that includes version control.
  • Utilize scanners. Malware scanners, source code scanners, or remote scanners should be used to detect abnormalities.

While it isn’t a pleasant experience to get hacked, it still happens. Knowing how to identify a hack is the first step to helping you minimize the damage and maintain business continuity.