For many successful attacks there are several ways to tell when something has been owned: when pages on your web server contain malware that’s infecting visitors, or perhaps when the web servers begin making outbound Internet connections. Databases may see huge CPU spikes and network usage from data going out the door through an SQL Injection issue. DB records that should NEVER be accessed (honeytokens) being read is another good indication. Web users will tell you right away when their passwords are changed, money is missing, something of theirs has been defaced, or perhaps they have a new friend named Samy. The list goes on, but what got me thinking was the SEOwN3d hack that targeted the blog for former U.S. Vice President Al Gore’s Inconvenient Truth movie.
In this case the standard IDS stuff would not have applied. No money or value was lost, no user accounts were hacked, and there were no mysterious outbound connections or malware payloads present - only a silent defacement containing an HTML link that no one was expected to see, let alone click on. The SE0Wn3D hack was used simply to boost the search engine rank of another website - and not even through the blog spam we’re used to dealing with. So my original question stands: how did they find out? And for that matter, if your website/blog was hacked in this way, would you notice? How would you notice? Maybe many thousands of blogs are already hacked for this purpose and we don't realize it yet. For all I know this blog has been hacked to boost Andy, ITGuy to his #1 status on Google, and the only way to tell would be through viewing source.
Hmm…. Andy? :)
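One answer to "how would you notice?" is to stop relying on visitors and compare what your server is actually serving against a snapshot you trust. The script below is an added example, not code from the original post or from anyone involved in the incident it describes: it parses the current page and a baseline copy, and flags any anchor that points at a host the baseline never linked to or that sits inside a CSS-hidden element (the trick that keeps an SEO link invisible to readers but visible to crawlers). The HTML samples, the `spam-site.invalid` host and the list of CSS hiding markers are all constructed for the example; a real deployment would fetch the live page and keep the baseline under version control.

```python
"""Detect silently injected outbound links by diffing a page against a trusted baseline.

Added example (not the original post's code). Sample HTML is constructed inline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the blog page as the owner last published it (trusted baseline).
BASELINE_HTML = """
<html><body>
<h1>My Blog</h1>
<p>Read more at <a href="http://example.com/about">About</a>
or <a href="https://blog.example.com/archive">the archive</a>.<br>
Thanks for visiting.</p>
</body></html>
"""

# Constructed sample: the same page after a silent SEO defacement. The injected
# anchor is wrapped in a display:none div so no reader sees it, but a crawler does.
DEFACED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<div style="display: none"><a href="http://spam-site.invalid/pills">cheap pills</a></div>\n</body>',
)

# Heuristic CSS fragments commonly used to hide content from humans (assumption, not exhaustive).
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "font-size:0", "left:-")

# Elements that never have a closing tag; they must not be pushed on the nesting stack.
VOID_ELEMENTS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "embed", "source", "wbr"}


class LinkCollector(HTMLParser):
    """Collect every <a href> together with whether an enclosing element hides it."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of (href, is_hidden)
        self._hidden_depth = 0   # how many open ancestors carry a hiding style
        self._stack = []         # one bool per open element: was it hidden?

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = any(marker in style for marker in HIDDEN_STYLE_MARKERS)
        if tag not in VOID_ELEMENTS:
            self._stack.append(hidden)
            if hidden:
                self._hidden_depth += 1
        if tag == "a" and attrs.get("href"):
            # An anchor counts as hidden if any open ancestor (or itself) is hidden.
            self.links.append((attrs["href"], self._hidden_depth > 0))

    def handle_endtag(self, tag):
        if tag in VOID_ELEMENTS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1


def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def find_injected_links(current_html, baseline_html):
    """Return anchors in current_html that are hidden or point at hosts absent from the baseline.

    Relative links (no host) are only flagged when hidden, since they cannot be
    checked against the baseline host set.
    """
    known_hosts = {urlparse(href).netloc.lower() for href, _ in collect_links(baseline_html)}
    findings = []
    for href, hidden in collect_links(current_html):
        host = urlparse(href).netloc.lower()
        reasons = []
        if host and host not in known_hosts:
            reasons.append("new-host")
        if hidden:
            reasons.append("hidden")
        if reasons:
            findings.append({"href": href, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_injected_links(DEFACED_HTML, BASELINE_HTML):
        print("SUSPICIOUS LINK:", finding)
```

Run on the constructed samples it reports the one injected anchor with both reasons (`new-host` and `hidden`) and nothing for the clean page. Either signal alone is worth an alert: a brand-new outbound host is what the Al Gore blog would have shown, and a hidden element is a strong hint regardless of destination. Scheduling this against each published page, with the baseline committed alongside the site's content, turns "view source and hope" into a check that fires before a search engine notices.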