How to Find a Hacker's IP Address
by Elizabeth Dearborn
Updated September 28, 2017
If someone hacks your website, the result can be anything from a minor annoyance, such as comment spam, to hate speech or obscene graphics that can get you into serious legal trouble. As soon as you see evidence of hacking, change the password you use when you upload content, either by Web-based access or FTP. Make certain only people you trust, who actually need administrative access, know the password. It's also possible to identify a hacker's numerical address and keep him out of your website.
Seeing When Files Were Accessed
Let's say you have a Web page called "about.php" and you notice that someone hacked into your site and defaced that page between noon and 3 p.m. Eastern time. None of your other pages are affected. If it's available to you under your website hosting plan, download your server log file. The log file is probably quite large, and you might need to unzip it. A server log is a plain text file consisting of lines like this:
000.000.000.000 - - [13/Oct/2009:13:51:31 -0600] "GET /about.php HTTP/1.1" 200 3286 "-" "google.com"
Each line in the server log breaks down as follows: the string of numbers separated by dots is the IP address of a visitor to your webpage, followed by the date and time of the visit at the server's location, which may or may not be the time at your location or at your hacker's computer. The example Web server is in the Central Time zone. "GET" is the method used to request the page and "/about.php" is the page the visitor requested. "200" is the HTTP/1.1 status code meaning OK, "3286" is the number of bytes sent, and "google.com" is the referrer. This last field will be blank if the visitor didn't get to your site from a link.
The time window for this example is 11:00 a.m. to 2:00 p.m., or 1100 to 1400 hours Central Time. Look through the file for all visits to the about.php page in that time frame. If no log entries match, someone with administrative access changed the page. If a log entry like the one shown above is the only one listing a visit to your about.php page in the target time frame, you know the hacker's IP address and can proceed to blocking it. If you see more than one IP address listed, make note of what else each visitor did while on your website. This could include abnormal numbers of page-refresh requests, abusive or obscene comments, repeated log-in attempts to password-protected pages and the like.
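As an added example (not part of the original article), here is a small Python triage script that performs the log search described above: it parses lines in the format shown, keeps each line's own UTC offset so the 11:00 to 14:00 window at the server's -0600 offset is compared on absolute time, counts who requested /about.php in that window, and tallies everything a candidate address did. The sample log lines are constructed using documentation IP ranges and are not from any real server.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# One NCSA-style access-log line as in the article; the two trailing quoted fields are kept but not interpreted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for a well-formed line, or None so a junk line cannot poison the tally."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # %z keeps each line's own UTC offset, so entries logged in different zones compare correctly.
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def hits_in_window(lines, path, start, end):
    """Count requests for `path` per client IP whose timestamp falls within [start, end]."""
    counts = Counter()
    for e in map(parse_line, lines):
        if e and e["path"] == path and start <= e["ts"] <= end:
            counts[e["ip"]] += 1
    return counts

def activity(lines, ip):
    """Tally (method, path, status) for one IP: repeated 401s on a login page or refresh storms stand out."""
    return Counter((e["method"], e["path"], e["status"])
                   for e in map(parse_line, lines) if e and e["ip"] == ip)

# Constructed sample log using documentation IPs; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2009:10:20:05 -0600] "GET /about.php HTTP/1.1" 200 3286 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Oct/2009:12:02:11 -0600] "GET /about.php HTTP/1.1" 200 3286 "-" "curl/7.19"
198.51.100.23 - - [13/Oct/2009:12:03:40 -0600] "POST /admin/login.php HTTP/1.1" 401 512 "-" "curl/7.19"
198.51.100.23 - - [13/Oct/2009:12:03:52 -0600] "POST /admin/login.php HTTP/1.1" 401 512 "-" "curl/7.19"
198.51.100.23 - - [13/Oct/2009:12:04:01 -0600] "POST /admin/login.php HTTP/1.1" 302 0 "-" "curl/7.19"
203.0.113.7 - - [13/Oct/2009:18:30:00 +0000] "GET /about.php HTTP/1.1" 200 3286 "-" "google.com"
192.0.2.9 - - [13/Oct/2009:15:10:00 -0600] "GET /about.php HTTP/1.1" 200 3286 "-" "Mozilla/5.0"
this line is garbage and must be skipped
""".splitlines()

# The article's window, 11:00 to 14:00 at the server's logged -0600 offset, as timezone-aware datetimes.
SERVER_TZ = timezone(timedelta(hours=-6))
WINDOW_START = datetime(2009, 10, 13, 11, 0, tzinfo=SERVER_TZ)
WINDOW_END = datetime(2009, 10, 13, 14, 0, tzinfo=SERVER_TZ)
```

Run `hits_in_window(SAMPLE_LOG, "/about.php", WINDOW_START, WINDOW_END)` to list the candidate addresses, then `activity(SAMPLE_LOG, ip)` on each to see which one also hammered the login page.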
You've identified the hacker by IP address. Lock the machine out of your entire website permanently by adding these lines at the beginning of your .htaccess file, with the address you identified in place of 000.000.000.000 (these are the Apache 2.2 Order/Allow/Deny directives; Apache 2.4 honors them only while mod_access_compat is loaded):
order allow,deny
allow from all
deny from 000.000.000.000
Now that the hacker is locked out, restore your Web page to the condition it was in before your website was hacked.
If you have a budget hosting plan, you may not have access to server log files or .htaccess. Your host's customer service department can help you arrange for these. Tell your Web host about any attempts to hack your site, even if unsuccessful, as other websites on the server may have also been hacked into and may require restoration from backups.
If you need more information about the person behind the hacking attempt, an IP address geolocation service can provide city, country, zip code, connection speed and ISP, or Internet service provider. If the abuse continues, notify the hacker's ISP.