As this scanner only checks for common problems, it is always best to conduct other checks manually if your site passes but you still suspect it has been hacked. Because this is a remote website scanner, server-side attacks such as backdoors and phishing will not show up in this check. To further identify the attack and the extent of the damage, you can check diagnostic pages, recently modified files, and core file integrity.
By checking diagnostic pages, such as your Google Transparency Report, you can discover whether your site is being blacklisted by web authorities. The report includes site safety details, such as whether your site contains malicious redirects and spam, and testing details, which show when the latest Google scan detected malware. To check your transparency report:
- Visit the Transparency Report site
- Input your URL and click Search
- Read the data provided
To check recently modified files from the Linux command line:
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
Any unfamiliar modifications in the last 7-20 days may be suspicious.
Checking core file integrity is important, as most core files should never be modified in the site's lifetime. To do this, you can type the ‘diff’ command into your terminal, or you can manually check via SFTP.
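One way to run the core file integrity check with diff, as an added example that is not from the original page. It assumes you have unpacked a fresh copy of the same release of your site software into a separate directory; the function name and both directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: compare a live site tree against a known-clean copy.
# Usage (paths are assumptions): sh integrity.sh /path/to/clean /path/to/live

core_integrity_report() {
    clean=$1
    live=$2

    # Walk every file of the clean copy and check its live counterpart.
    (cd "$clean" && find . -type f -print) | LC_ALL=C sort |
    while IFS= read -r f; do
        if [ ! -f "$live/$f" ]; then
            # A core file was deleted or renamed on the live site.
            printf 'MISSING  %s\n' "${f#./}"
        elif ! diff -q "$clean/$f" "$live/$f" >/dev/null 2>&1; then
            # Content differs from the vendor copy: review with `diff -u`.
            printf 'MODIFIED %s\n' "${f#./}"
        fi
    done

    # Walk the live tree for files the clean copy never shipped.
    # Uploads and configuration files legitimately show up here, so
    # focus on executable script types in core directories.
    (cd "$live" && find . -type f -print) | LC_ALL=C sort |
    while IFS= read -r f; do
        [ -f "$clean/$f" ] || printf 'ADDED    %s\n' "${f#./}"
    done
}

# Run the report only when two directories are given on the command line.
if [ "$#" -eq 2 ]; then
    core_integrity_report "$1" "$2"
fi
```

For each MODIFIED line, `diff -u` between the clean and live file shows exactly what was changed.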