Signs of Compromise: How to tell if your site has been hacked

The SSL Store has published a guide to the digital fingerprints left behind when a website has been hacked or compromised. The guide comes in the wake of a Federal Bureau of Investigation report on the recent Zeppelin ransomware attack, which left behind hash digests that indicated where the ransomware had been. Any malware, however, will typically leave behind a set of digital indicators pointing to its recent activity.

Some of these indicators are noticeably disruptive to the performance of the site, such as:

  • Phishing or malicious emails sent from your domain
  • Your domain takes a reputation hit for being reported as sending spam
  • Discovering known malicious files on your devices or network
  • Slow network connections
  • Large amounts of outbound traffic on your network
  • Inbound traffic from unusual or high-risk geographic locations
  • Unusual traffic on privileged user accounts
  • Account or access-related issues
  • New account creation outside normal business hours
  • Unknown or unauthorized system configuration changes
  • System or data corruption
  • Data breaches or compromises of third-party software or service providers you use

The article then drills down into these in more depth and provides helpful tips on how best to stay alert to these indicators and what to do if you notice any of them. In general, it recommends doing the following:

  • Implement any monitoring software or applications available to your content management system or network.
  • Subscribe to or follow any publications regarding cybersecurity, particularly from the FBI or other LEOs.
  • Educate employees about best practices with respect to cybersecurity.
  • Ensure a regular update cycle for any and all applications you use. If any applications are not being maintained or updated, ensure that the system is replaced by one that is.
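
As an added example (not taken from The SSL Store's guide or the FBI report), one way to check for the "known malicious files" indicator listed above is to compare SHA-256 digests of files under a web root against a list of published hash indicators. The feed format (one digest per line, `#` comments), the function names, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def load_iocs(text):
    """Parse one SHA-256 digest per line; skip blanks, '#' comments and malformed entries."""
    iocs = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().lower()  # feeds mix upper and lower case
        if len(token) == 64 and all(c in "0123456789abcdef" for c in token):
            iocs.add(token)
    return iocs

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root, iocs):
    """Return (hits, unreadable): paths whose digest is in iocs, and paths that could not be read."""
    hits, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # do not follow symlinks out of the tree or open devices
            try:
                if sha256_file(path) in iocs:
                    hits.append(path)
            except OSError:
                unreadable.append(path)  # report these: an unreadable file is unverified, not clean
    return sorted(hits), sorted(unreadable)

def demo():
    """Scan a constructed web root containing one harmless stand-in for a flagged file."""
    bad = b"constructed stand-in for a malicious file\n"
    feed = ("# constructed IoC feed\n"
            + hashlib.sha256(bad).hexdigest().upper() + "  # stand-in sample\nnot-a-hash\n")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        for rel, data in (("index.html", b"<h1>ok</h1>\n"), ("uploads/x.bin", bad)):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        hits, unreadable = scan(root, load_iocs(feed))
        return [os.path.relpath(p, root) for p in hits], unreadable

if __name__ == "__main__":
    print(demo())
```

A hash match only catches byte-identical files, so a clean result does not rule out a modified variant; treat it as one signal alongside the traffic and account indicators above.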