There are many ways your server can be compromised. In this article, I try to sum up the top 5 signs that show your server has been compromised through your website. Your website is a very vulnerable part of your server, so many attacks target this interface.
Not only big enterprises like Sony or Apple can be the target of hackers. SMEs are now being pinpointed by digital attackers as well. In the UK alone, nearly three-quarters (74%) of small organisations reported a security breach in the last year.
However, the majority of cyber breaches could be prevented by adopting some of the basics.
And when a lone hacker is earning between $60,000 and $100,000 per month by using an automated attack tool to send around one million spam emails a day, you can be sure you’ll become their target sooner or later.
But let’s see the signs that you don’t want to miss:
1. Your IP hits a spamlist
One of the most frequent goals of hackers is to use your server as a spam distribution point. Hackers will infect your files and install malicious code to set up a backdoor they can use to control the resources of your server. Sending spam is still a good business for cybercriminals, so they set up botnets to automatically find and infect vulnerable servers, and they often target vulnerable web services.
2. Your datacenter complains about outgoing DoS
Denial of service attacks are also very easy-to-sell services on the dark marketplaces, so bad guys will probably also use your resources to attack other innocent servers. If your datacenter has good enough monitoring tools, they will tell you if your server is involved in a DDoS attack. If this happens, you can be sure your server is compromised and has become part of a botnet.
Did you know your server can be part of several different botnets at the same time? Even worse, some botnets hunt for infections your server already has and use them to re-infect it with additional malware and make it part of other botnets, too. If you use iptables rules to detect outgoing DoS attacks, those are also useful and can alert you. Unfortunately, it is hard to find the actual infection based only on the fact that your server is flooding other servers.
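One way to get more out of such iptables logging, as an added example that is not from the original article: the script below finds destinations flooded with new outbound TCP connections and counts which local user ID sent them, which narrows the search for the infected files. It assumes a LOG rule with the hypothetical prefix `OUT-SYN ` and the `--log-uid` option, and kernel log lines that carry uptime timestamps; the log lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed rule (the "OUT-SYN " prefix is this example's choice; --log-uid
# appends the UID of the local process that sent the packet):
#   iptables -A OUTPUT -p tcp --syn -m conntrack --ctstate NEW \
#            -j LOG --log-prefix "OUT-SYN " --log-uid
PREFIX = "OUT-SYN "
STAMP = re.compile(r"\[\s*(\d+\.\d+)\]")   # kernel uptime stamp (printk timestamps on)
FIELD = re.compile(r"(\w+)=(\S*)")

def parse(line):
    """Return (time, dst, dport, uid) for one LOG line, or None if it is not ours."""
    stamp = STAMP.search(line)
    if PREFIX not in line or stamp is None:
        return None
    fields = dict(FIELD.findall(line.split(PREFIX, 1)[1]))
    if "DST" not in fields or not fields.get("DPT", "").isdigit():
        return None
    return float(stamp.group(1)), fields["DST"], int(fields["DPT"]), fields.get("UID", "?")

def find_floods(lines, window=10.0, threshold=100):
    """List targets that got >= threshold new connections within `window` seconds."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[(rec[1], rec[2])].append((rec[0], rec[3]))
    floods = []
    for (dst, dport), hits in events.items():
        hits.sort()
        peak = start = 0
        for end in range(len(hits)):           # sliding window over sorted times
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:                  # attribute the flood to sending UIDs
            floods.append({"dst": dst, "dport": dport, "peak": peak,
                           "uids": dict(Counter(uid for _, uid in hits))})
    return sorted(floods, key=lambda f: -f["peak"])

def sample_log():
    """Constructed lines: 150 SYNs in 3 s from UID 33, plus 5 ordinary ones from UID 0."""
    tmpl = ("kernel: [{t:12.6f}] OUT-SYN IN= OUT=eth0 SRC=192.0.2.5 DST={d} LEN=60 "
            "TTL=64 PROTO=TCP SPT={s} DPT={p} SYN URGP=0 UID={u} GID={u}")
    flood = [tmpl.format(t=500 + i * 0.02, d="203.0.113.10", s=40000 + i, p=80, u=33) for i in range(150)]
    normal = [tmpl.format(t=400 + i * 60, d="198.51.100.7", s=50000 + i, p=443, u=0) for i in range(5)]
    return flood + normal + ["kernel: [  410.000000] unrelated message"]

if __name__ == "__main__":
    print(find_floods(sample_log()))
```

A UID that belongs to the web server account points at the website's files and scripts as the place to look first.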
3. Your website is marked as dangerous by browsers and search engines
Websites are extremely high-risk assets of your IT infrastructure. As there are many websites out there on the Internet, many botnet owners specialize in exploiting one specific kind of vulnerability. But as there are a lot of different botnets constantly scanning webpages and probing whether they are vulnerable, your websites will be exploited for sure within a short period of time. If your website is exploited, it means the attacker can control a big portion of your server capacity. To protect their users against different infections, browser developers and search engine providers try to mark infected websites and then deny or restrict users from accessing the website. If your website is marked by a browser or search engine, it is a clear sign you have been hacked, and there are open vulnerabilities around your server or website.
4. Your website behaves unexpectedly
Sometimes attackers will inject code into your website to make money by showing advertisements, infecting your users’ browsers, or simply using them for DDoS attacks. About a month ago there was a case when a well-known football team’s webpage was infected. The intruders injected one line of extra JavaScript code that made advertisements pop up occasionally. It was quite hard to detect the defacement, as the page was working more or less properly, and the ad popped up only sometimes.
5. You get an incident report from us
Our mission is to make the Internet a safer place, so we are not only creating server security software, but also trying to help anyone whose server has been infected. When we detect an attack against a BitNinja protected server, we register the attack, and every week we send a report to the owner of the source of the attack to help them fix the infection. In most cases the owners don’t even know what their resources are used for.
Have you received an incident report from us? Contact us via email, and we are happy to help you detect the infected files and fix them.
Your server and the websites on your server are under constant scanning for different vulnerabilities. The symptoms above are clear warning signs that your assets have been compromised. At the same time, there are many other infections that won’t reveal themselves and will consume your resources silently. So just by not having these symptoms, you can’t be sure you haven’t been infected.
The best way to manage it is to become proactive instead of staying reactive.
Here you can read more about major attack types and what tools to use against them.
BitNinja is an easy-to-use server security tool which protects your servers/websites against 99% of cyberattacks.