There’s no doubt having your website infected is frustrating. But why is it actually so? What is wrong with being infected?
First, let’s define what an infection is.
When your website is hacked, its contents are usually changed in one way or another. The hacker may change pages to add spam, or add additional pages to the site, usually with the intent of phishing (tricking users into parting with personal and credit card information). Alternatively, they may inject malicious code (malware)—for example, scripts or iFrames that pull content from another website that tries to attack any computer that views the page.
In all of these cases, the website is generally said to be infected by malware. The term “malware” covers all sorts of malicious software designed to harm a computer or network. Kinds of malware include (but are not limited to) viruses, worms, spyware, and Trojan horses. Some hackers may even take administrative control over a hacked site.
So, the answer to the question of what’s wrong with being infected is twofold:
First, despite all the good intentions behind your website, it is simply spreading malware. Your site is now on the bad side of the internet. This is not only disappointing, but could also seriously damage the credibility and reputation of your site or business, not to mention possible legal consequences.
Second, having malware brings an immediate, direct penalty: you lose traffic to your site. Your site will be included in various blacklists (including Google’s). Visitors will see a warning and stay away from your site, sysadmins will add preventive measures that block access to your site from within their companies’ internal networks, and so on. So you’d better be clean!
According to StopBadware, the most common forms of infection that it sees on compromised sites are:
- Malicious scripts
- .htaccess redirects
- Hidden iFrames
Malicious scripts are often used to redirect site visitors to a different website and/or load badware from another source. These scripts will often be injected by an attacker into the content of your web pages, or sometimes into other files on your server, such as images and PDFs. Sometimes, instead of injecting the entire script into your web pages, the attacker will only inject a pointer to a .js or other file that the attacker saves in a directory on your web server. To avoid detection and to mislead analytics, scripts are sometimes divided into smaller parts. These parts can be spread across multiple files or even multiple websites and are combined when the script runs.
Many malicious scripts use obfuscation to make them more difficult for anti-virus scanners to detect:
Some malicious scripts use names that look like they’re coming from legitimate sites (note the misspelling of “analytics”):
The Apache web server, which is used by many hosting providers, uses a hidden server file called .htaccess to configure certain access settings for directories on the website. Attackers will sometimes modify an existing .htaccess file on your web server or upload new .htaccess files to your web server containing instructions to redirect users to other websites, often ones that lead to badware downloads or fraudulent product sales.
An iFrame is a section of a web page that loads content from another page or site. Attackers will often inject malicious iFrames into a web page or other file on your server. Often, these iFrames will be configured so they don’t show up on the web page when someone visits the page, but the malicious content they are loading will still load, hidden from the visitor’s view.
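The three forms described above can be checked for mechanically. The following Python sketch is an added example, not code from StopBadware or from the original post: it flags off-site script references, off-site iFrames that are hidden or sized to 0 or 1 pixel, and .htaccess redirect rules with off-site targets. The function names, host names and sample input are constructed for illustration, and the size and style heuristics are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Apache directives that can send a visitor to another URL.
REDIRECT = re.compile(r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*?(https?://[^\s\"'\]]+)", re.I)

def is_external(url, own_host):
    """True when url names a host other than own_host (relative URLs count as local)."""
    host = urlparse(url).hostname
    return host is not None and host != own_host and not host.endswith("." + own_host)

class PageScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.findings = own_host, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag not in ("iframe", "script") or not is_external(src, self.own_host):
            return
        if tag == "script":  # off-site script reference: compare with what you expect
            self.findings.append(("external-script", src))
        elif (a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
              or HIDDEN_STYLE.search(a.get("style", ""))):  # loads but is not visible
            self.findings.append(("hidden-iframe", src))

def scan_html(html, own_host):
    scanner = PageScanner(own_host)
    scanner.feed(html)
    return scanner.findings

def scan_htaccess(text, own_host):
    """Return (line number, target) for redirect rules that point off-site."""
    return [(n, m.group(1)) for n, line in enumerate(text.splitlines(), 1)
            if (m := REDIRECT.match(line)) and is_external(m.group(1), own_host)]

# Constructed sample input: example.com is the site, *.example.net are stand-in hosts.
SAMPLE_HTML = """<script src="/js/site.js"></script>
<script src="http://cdn.example.net/a.js"></script>
<iframe src="http://ads.example.net/x" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://video.example.net/embed" width="560" height="315"></iframe>"""
SAMPLE_HTACCESS = "RewriteEngine On\nRewriteRule .* http://landing.example.net/in.php [R=302,L]\nRedirect 301 /old /new\n"

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML, "example.com"), scan_htaccess(SAMPLE_HTACCESS, "example.com"))
```

An off-site script or redirect is not malicious by itself; treat the findings as a list to compare against what you deliberately put on the site.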
How do I find out if my site is infected?
There are also some symptoms that indicate a possible infection:
- The first and most common form of notice is a third-party notification. Your visitors will see a warning when they try to visit your site from the search results pages. They may also see a warning from their antivirus software when visiting your site. If you or other people try to visit your website but are automatically taken to some other website instead, that is another symptom of being hacked. Surely you’ll soon receive a phone call or email telling you about the infection.
- Another (indirect) symptom of possible infection is a sudden decrease in visits from search engines.
- Your site appears in search engines for completely irrelevant search terms.
- Your site could become less responsive. It takes longer to load web pages.
- Your site or some particular web pages have been removed from search engines.
- You notice strange files on your site that you didn’t put there.
- Last but not least, your AdSense account is blocked.
If you encounter one or more of these symptoms, there is a chance your website has been hacked. There are tools and services that let you check your website for malware or help monitor your site’s status on a periodic basis. More on these tools will follow in upcoming posts.