Tell-tale Signs that a Site has been Compromised

April 8, 2013

If a website is compromised by a careful, talented, and well-funded attacker, then the scary reality is that no one will probably ever know that the site had been hacked at all. However, most attackers are not well-funded, not in the sense that we’re talking about, they’re using pre-made, for-profit exploit packs designed so that anyone, regardless of talent, can use them, and, like anyone else, they make mistakes.


Trying to spot top tier-type, nation-state funded attacks is a fairly futile exercise for the casual Internet user. Fortunately for us, military-hacker groups probably aren’t too interested in compromising our machines. That said, there are a lot of people out there that are very interested in compromising our machines, but again, these people are just like you or me, they make mistakes and they don’t have an unlimited pool of money at their disposal.

These are the sort of attackers that we need to worry about and here is a list of signs we can look for to help thwart their efforts:

Browser warnings are the first dead giveaway letting you know when a site is compromised. The search giant Google is heavily invested in trolling the net for safe sites and blacklisting dangerous hacked or compromised ones. You will occasionally see a warning that says “Warning: visiting this site may harm your computer” when you try to enter a site. Google claims that its false positive rate with these warnings is incredibly low, so this warning is a very strong indicator that there is something wrong with the site you are about to visit.

website virus

Some modern antivirus products have a built-in site checker, like the Kaspersky URL Advisor, which works as browser extension and informs users when their antivirus provider has reason to believe that a certain site is unsafe.

Safe Website

Also, if you enter a site and immediately notice that it has initiated a download onto your computer, then it’s a safe bet that there is something fishy going on there. As the security Journalist Brian Krebs says, “If you didn’t go looking for it, don’t install it!” The same should be applied to all Web-downloads, and the reality is that if you didn’t give permission for a download then nothing good can come of it. If Websites are automatically executing downloads, then that site is likely compromised.

If you’re familiar with the site you’re visiting, then abnormally spammy and seemingly random content or links that lead to strange and unrelated Websites are strong indicators of a compromise.

If you’re familiar with the site you’re visiting, then abnormally spammy and seemingly random content or links that lead to strange and unrelated Websites are strong indicators of a compromise.

We reached out to our friends at StopBadware, the non-profit anti-malware organization that attempts to make the Web safer by preventing compromises before they happen and by mitigating and remediating malware-infected sites if a compromise has already occurred. They informed us that search engine results can sometimes reveal the presence of a hacked site before a user even enters it. For example, if you’re trying to navigate to a site by way of a search engine and your searches are turning up bizarre search results, like offers for cheap designer watches and pharmaceuticals that still lead to the site you are looking for, then that site was likely compromised.

StopBadware also warned of strange redirects.

“One of the signs that a site is compromised is when that site redirects to a strange website, but only if you visit it from a search engine,” StopBadware told us. “This indicates a hacked .htaccess file, and while it’s very common, it can be difficult for website owners to detect because many of them don’t try to access their sites via Google or Bing or Baidu. To make things worse, sometimes these redirects can occur from pages that aren’t the home page, which means they’re even tougher to find if a site owner doesn’t know what to look for.”