How can one identify hacked webservers?

Rob Hindle0 March 12, 2013

Yesterday I got an email from a friend with nothing in it but a link to a website. The link was a domain name followed by a lot of garbage directory names, like this: www.example.com/oyv/q/xljoz/wfcy/zkibb/uwde

Now I’m sure all MakeUseOf readers know (I hope) that that’s extremely suspicious and not to click the link, so I’m thinking about those who don’t know it’s dangerous.

I’m concerned that the normally very good Gmail filters didn’t spot there was a problem, nor did OpenDNS, nor did my usual PC security suite, so I checked the domain name against email blacklists – came up clean.
I’d had a similar incident a couple of weeks ago with the link going to a different domain, so I ran the blacklist check on that too – no blacklisting reports. Netcraft gives that link from 2 weeks ago a high risk rating, but Netcraft base their assessment on “…site longevity, hosting location and historical trends” (the site was only set up in July 2012) rather than stronger danger signals.

It looks to me as if these domains have been hacked, but rather than vandalise them the hacker has buried some malware deep in their directory structure and is then directing traffic there. The website owner is probably unaware – or perhaps pleased because he’s seeing a boost in web site visitor numbers, perhaps congratulating his SEO…

So my question: does anyone know of any effective and safe way of checking those links, and of any good reporting mechanisms?


  1. Chinmay Sarupria
    March 17, 2013 at 4:20 pm

    You should also try Comodo Web Inspector
    http://app.webinspector.com/online_scan
    Also run Zulu URL Risk Analyzer
    http://zulu.zscaler.com/

    And if you find any shortened URL and you want to unshorten it without clicking then you should check out this site:
    http://unshort.me/

  2. Chinmay Sarupria
    March 17, 2013 at 10:08 am

    Hello Rob,

    URLVoid is a service which scans websites and detects whether they are malicious or not.
    http://www.urlvoid.com/

    • Rob Hindle0
      March 17, 2013 at 1:26 pm

      Thanks.
      At first glance urlvoid looked promising, but I found reviews suggesting it may be linked with some shady characters. Of course the problem with reviews on the Internet is you can never tell which are legitimate, which were created by an interested party and which by a competitor...

      Anyway I took a chance. It was very fast to respond but didn't identify either of my examples as bad.

      It looks as if they are reliant on aggregating data from other sources such as Alexa.

    • Rob Hindle0
      March 14, 2013 at 9:57 am

      Please read the question. I'm not trying to find out if MY server is hacked, I'm looking for a security service that identifies whether servers people are being induced to visit have been hacked.

    • ha14
      March 14, 2013 at 11:28 pm

      I doubt that there is any kind of online server scanner like the URL scanners.
      If there is a URL link, try to scan it with VirusTotal.

  3. Jan Fritsch
    March 13, 2013 at 4:41 am

    I would say it's almost impossible to spot a hacked webserver without having actual management or root SSH access to the operating system. Yes, a hacker could hide some code somewhere on the server, but he could very well just use a redirect script or some XSS vulnerability of one of the sites.

  4. Oron Joffe
    March 12, 2013 at 8:44 pm

    I've seen messages like this before, including very recently (last week). The links pointed, just as you describe, to a redirect page on a valid site, which redirected to a completely different domain. I had a close look at the mail message and found that the sender's name & time of sending were encoded into the URL. Obviously it's an exercise in tracking the messages and presumably, the "live" status of the recipients.
    As such, the messages are similar to "spear phishing" in that they are customised to the hacked account. I don't think tools can help you check out the security of the link since they are such specific links - no one else (or no more than a handful of people anyway) will have visited these links before.

    • Rob Hindle0
      March 14, 2013 at 10:05 am

      It is easy to fake email headers, so tracking isn't always easy or successful. In the examples I'm speaking about it was easy to identify the sending accounts as those of colleagues whose email accounts had been hacked. I alerted them (by phone or text message, obviously not to their compromised email account...).

      As regards the hacked server, I believe the hacker is relying on the obscurity of a long complex chain of subdirectories (quite possibly using dozens of such on the same server so that logs don't show a spike in traffic to a particular page that might raise suspicions).

      I guess my question might be better placed on a specialist security forum.

  5. Bruce Epper
    March 12, 2013 at 6:22 pm

    If you want to check it yourself, you could use a VM that does not allow integration with the host OS to check the link. Or you could use a Linux machine or LiveCD (don't mount local drives) to go to the link to see what is there. Depending on how high the flag is waving, you could use Remnux to try to capture and check out any malware the site attempts to deliver. Or you could take the easy route and contact the technical contact for the domain in question.
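As an added example that is not from any poster in this thread: a small Python heuristic that scores a URL path for the kind of gibberish directory names seen in the question's link, then runs it over a few constructed web-server log lines so a site owner can spot the many lightly-hit buried paths Rob describes in his March 14 reply. The vowel and consonant-run thresholds and the log lines are assumptions, not taken from any tool or server mentioned here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

VOWELS = set("aeiou")

def looks_random(segment: str) -> bool:
    """True if one path segment looks like generated gibberish rather than a word.
    Assumed thresholds: under 25% vowels, or a run of 4+ consonants."""
    s = segment.lower()
    if not s.isalpha() or len(s) < 3:
        return False  # numbers, file names and tiny segments are not judged
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", s)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4

def suspicious_path(path: str, min_random: int = 3) -> bool:
    """Flag a path with several gibberish directory names; single segments are
    noisy ("strength" looks random), so the verdict is per path, not per segment."""
    segments = [p for p in path.split("/") if p]
    return sum(looks_random(p) for p in segments) >= min_random

# Constructed access-log lines (combined log format); not real traffic.
LOG_LINES = """\
203.0.113.7 - - [12/Mar/2013:09:01:02 +0000] "GET /oyv/q/xljoz/wfcy/zkibb/uwde HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Mar/2013:09:01:09 +0000] "GET /blog/2013/03/spring-news HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2013:09:02:11 +0000] "GET /pqx/zz/hrtvk/mlpq/ftz HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2013:09:02:40 +0000] "GET /images/logo.png HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2013:09:03:05 +0000] "GET /oyv/q/xljoz/wfcy/zkibb/uwde HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Mar/2013:09:03:17 +0000] "GET /kjw/tr/vbnxq/ydd/lmrt?id=7 HTTP/1.1" 200 505 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan_log(lines):
    """Return (total hits on suspicious paths, hits per suspicious path).
    Each buried path gets only a few hits, so the aggregate total is what to watch."""
    per_path = Counter()
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = urlsplit(m.group(1)).path  # drops any ?query part
        if suspicious_path(path):
            per_path[path] += 1
    return sum(per_path.values()), per_path

if __name__ == "__main__":
    total, per_path = scan_log(LOG_LINES.splitlines())
    print(f"{total} hits on {len(per_path)} suspicious paths:", dict(per_path))
```

Pointing `scan_log` at a real access log and watching the total rather than any single path is the check this heuristic is meant for; individual segment flags on their own are too noisy to act on.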
