What are the signs your web application has been hacked?

Your web application is the face of your business. It is the client-server software exposed to the world. For instance, when you want to book an airline ticket you visit the airline’s website to make the reservation. This public exposure and interaction is highly convenient to current and potential customers. However, it also makes your site susceptible to attacks.

In many cases, it’s easy to identify when a web application is compromised. In many cases—but not always. In fact, the M-Trends 2016 report from FireEye shows that it takes an average of 99 days to detect a security breach. Surprisingly, most reported intrusions are not detected by internal security processes. Rather, they’re disclosed by news reports, customer complaints, law enforcement, and other external sources.

It’s important to recognize that every attack is different. And attack consequences also vary. Here are six ways to determine if your web application has been compromised.

Website defacement

One of the most common and notorious types of attack is website defacement. It refers to the unauthorized modification to the appearance of the web application. In some cases, the web content is altered. In others, the web application is redirected to (or replaced by) a completely different website.

Abnormal behavior

Changes in web application performance can also be a sign that it has been breached. If the application is displaying unexpected or unintended behavior, that should set off suspicions. Abnormal behavior may include:

• Slow loading
• Network traffic fluctuation
• Modified code or data
• Unexpected pages displaying (such as excessive advertising)
• Application redirects to a different page or site

Log entries

Monitoring log messages can reveal malicious activity taking place within the application. Some suspicious signs include:

• Multiple errors taking place in a short period within the database logs
  • This may suggest that a threat agent is trying to exploit a SQL injection vulnerability
• Suspicious inbound and outbound network connections
• Suspicious admin-level tasks (e.g., user account creation)

New users or processes

Monitoring user accounts and processes can also help detect a breach. For example, it can help you detect when:

• Unknown miscellaneous user accounts have been created
• Existing account passwords have been changed
• The server is running an unknown process

Web application file changes

Changes to web application files should be investigated. Files containing time stamps may help identify whether a file has been recently modified or deleted. This can also reveal any unauthorized modifications. Hackers can modify files to run malicious code. Additionally, new files can be created—if unaccounted for, these can be a sign of a compromise.

Google search results

Changes to search results can also flag a problem. Google warns users if it scans a website and discovers any problems. It often removes any identified hacked sites from search results. However, in some cases, breached sites may still be listed. These may be flagged with a message reading “This site may be hacked” or “This site may harm your computer.”