Tools To Scan For Security Vulnerabilities and Malware

Web security is something we should all be doing nowadays, because there are literally hundreds of different ways a site can become compromised. You should regularly scan for security vulnerabilities to stay safe from problems such as cross-site scripting, vulnerable components, DOM-based vulnerabilities, SQL injection, cross-site request forgery, and CRLF/XXE/HTTP injection.

Let’s face it, we don’t always scan for security vulnerabilities as often as we should. It’s an easy task to overlook because so much needs to go into designing, testing, and marketing a website. We’re often more focused on success than safety, but that really is a false economy. It’s like building a fabulous house but forgetting to put a lock on the front door. Security underpins everything else you do with your property, so you can’t afford to let it slip. If you don’t scan for security vulnerabilities, the chances are good that someone, somewhere will find a way in and cause havoc. If thinking about security puts you off because it seems complicated, don’t worry. There are plenty of tools out there that will scan your website for security vulnerabilities for you. Some of them even offer free trials so you can road test them and see whether they’re going to work for you:

SUCURI

SUCURI is free and widely used to scan websites for malware. It’s great at tracking down malware and scanning for security issues: it reports on malware blacklisting status, shows you where SPAM has been injected, and points out instances where someone has made unwelcome changes to your site. If you’re using a popular platform such as WordPress, Joomla, Magento, Drupal or phpBB, it’s going to work just fine for you.

Quttera

Quttera can scan websites for malware and possible exploits. It combs your website for potentially malicious and suspicious files, using PhishTank, Safe Browsing (Google, Yandex), and the Malware Domain List.

Qualys

SSL Server Test by Qualys looks for wrongly configured SSL/TLS and for inherent weaknesses on your site. It checks your https:// URL, including the certificate expiry date, its overall rating, ciphers, SSL/TLS versions, a handshake simulation, protocol details, BEAST and other things too.

It’s important to run the Qualys test every time you make a change to SSL/TLS. It can scan for security vulnerabilities or scan a website for malware, so you’ll be assured that any changes you’ve made are safe.

Intruder

Intruder is based in the cloud and it looks for weaknesses in the whole web app set-up. It’s engineered to deliver a level of security protection that makes it suitable for governments, banks and similar enterprises that call for high-end safety, and its scanning engine is simple to use as well.

Its comprehensive security features allow it to identify:

  • absent patches
  • incorrect configurations
  • web application issues including SQL injection and cross-site scripting
  • CMS problems

Intruder can scan website security vulnerabilities and put results in order of priority according to their context to save you time. It can also proactively scan your systems for the most recently identified weaknesses. It can integrate with major cloud providers (AWS, GCP, Azure) as well as Slack and Jira.

Detectify

Ethical hackers lend their expertise to ensure Detectify keeps your website and web apps secure with automatic security and monitoring of assets. It can identify upwards of 1500 potential threats.

It can scan for vulnerabilities covered by the OWASP Top 10, as well as CORS, Amazon S3 bucket, and DNS misconfigurations. Its Asset Monitoring keeps a non-stop eye on your subdomains, searching for takeovers and alerting you if anything anomalous is picked up.

Detectify’s pricing plans come in three flavors, called Starter, Professional, and Enterprise and they all come with a two-week free trial, no credit card needed.

UpGuard

UpGuard Web Scan can assess risk using information that’s publicly available. It can organize test results into these groupings:

  • website threats
  • email threats
  • network security
  • malware and phishing
  • brand defense

It’s great at quickly giving you insights about where your website is at the moment, security-wise.

Pentest-Tools

This scanner is just one of many tools on offer from Pentest-Tools. It can gather information, test web apps, CMS, infrastructure, and SSL. Its main purpose is to find the most frequently-occurring web app vulnerabilities and problems with server configuration.

There’s a basic version that does passive web security scanning, and it’s adept at finding things like unsafe cookie settings, unsafe HTTP headers, and out-of-date server software. It will grant you two full scans for free, and that will be enough to give you a very good overview of any problems with things like local file inclusion, SQL injection, OS command injection, and XSS, for example.

Observatory

Mozilla has launched Observatory, which can scan websites for malware and has other security features. It validates the security of OWASP headers, checks TLS best practices and carries out third-party tests from SSL Labs, High-Tech Bridge, Security Headers, HSTS Preload, and others.

Conclusion

All of these powerful tools can give you a great deal of insight into the kind of vulnerabilities that might affect your website, and enough of them have free offers that you’ll be able to decide which of them will serve you best.

How to manually remove website malware


We all face daily cybersecurity challenges. No matter how hard you try, you’ll never reduce the chances of being hacked to zero. But server security solutions are here to help prevent and detect unauthorized access. Do you need help learning how to remove website malware?

There are always convenient automated ways to manage these threats, such as one of our most appreciated extensions for this purpose, ImunifyAV.

Alternatively, let us help you get one step ahead of the hackers with our guide to manually removing website malware.


Main malware strains


Hackers can get into your systems in various ways. One popular way is via injection attacks. An injection happens when an attacker inserts a file, an in-memory cache entry or a database entry into a system component.

Code injection

  • Attackers can insert code into existing PHP or Perl programs to create backdoors or automated uploaders.
  • They can modify the contents of the .htaccess file to redirect visitors to other sites for phishing or SEO hijacking.
  • They can alter JavaScript (.js) and HTML files to insert unwanted advertising scripts or content (so-called malvertising).
  • They can modify Exif information (the metadata embedded in image files such as JPG) so that the image carries a malicious payload to other parts of the file system or to other sites.

Hackers will often take full advantage of their position, and plant malicious code in multiple places.

Cache injection

A cache is a small, high-performance store of memory. If you don’t secure the server that maintains the caches, then memory can be overwritten in situ. If the affected portion of memory is a cached version of a web page, then a hacker can inject code or malicious content without changing website functionality.

Hacker scripts

Hacker scripts can take many forms and serve many purposes. Back door, uploader, spammer, and phishing-link scripts can create web doorways: site entry points used to manipulate search engine indexes. Hackers can also create defacement scripts simply to cause damage, or to prop up their own ego.

Replacing system components

Every hacker wants root access to your server, so they can replace any web server component with their own malicious version. Attackers can then control entire sites, adding to or modifying their behavior as they need. They can also remotely control the script to issue redirects or serve new portions of malicious code. If an attacker hides this component carefully, it’s difficult to detect, because the website appears to be working normally.

How to manually remove malware and repair your website


Now let’s assume you’re scanning your site with your favorite cybersecurity software, like Imunify360 or ImunifyAV. Use the following manual inspection techniques to make sure it’s doing a good job and start to manually remove malware.

IMPORTANT: Before continuing, ensure you have a full and working backup of your entire system.

File scanning

Traditionally, Linux-type systems have limited facilities for detailed file scanning and inspection, so let’s use what we have: find and grep. First, search the file system for all files modified within the past 7 days whose name extension begins with ph (to cover .php and .phtml):

find . -name '*.ph*' -mtime -7

However, what if a hacker anticipates this and resets the file modification dates? Then check whether the file attributes (the inode change time, which touch cannot rewrite) have changed instead. Here’s how to do that for .phtml and .php files:

find . -name '*.ph*' -ctime -7

We can narrow down the period we’re looking at by using the -newermt option of find. For example, to look for files changed between the 25th and 30th of January 2019:

find . -name '*.ph*' -newermt 2019-01-25 ! -newermt 2019-01-30 -ls

Now we can introduce grep, which can recursively scan for and report patterns in files. For example, to look for part of a URL in any file in the current directory or any directory within it (search . rather than * so that hidden files such as .htaccess are included):

grep -ril 'example.com/google-analytics/jquery-1.6.5.min.js' .
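As an added example (not from the original guide), the following shell script turns the mtime/ctime point above into one check: it flags files whose modification time has been reset into the past while the inode change time is still recent. The fixture it builds is constructed, and the function and file names are the example’s own.

```shell
#!/bin/sh
# Added example, not part of the original article: complements the find
# commands above by flagging files whose modification time (mtime) was pushed
# into the past while the inode change time (ctime), which touch cannot set,
# stayed recent. Such a mismatch is one sign of timestamp tampering and is
# worth inspecting by hand.

# Print every .php/.phtml file under $1 that looks modified more than $2 days
# ago (mtime) but whose inode changed within the last $2 days (ctime).
find_timestomped() {
    dir=$1
    days=$2
    find "$dir" -type f -name '*.ph*' -mtime +"$days" -ctime -"$days" -print | sort
}

# Build a constructed fixture under $1: one file with genuine timestamps and
# one whose mtime is reset to 25 Jan 2019 after it was written, which is what
# an intruder covering their tracks might do.
make_fixture() {
    dir=$1
    mkdir -p "$dir/images"
    printf '<?php /* ordinary file with real timestamps */\n' > "$dir/index.php"
    printf '<?php /* constructed sample standing in for a suspicious file */\n' > "$dir/images/fyi.php"
    touch -t 201901250000 "$dir/images/fyi.php"   # rewrites mtime only; ctime becomes "now"
}

# Stand-alone demo: create a temporary web root, run the check, clean up.
tmp=$(mktemp -d)
make_fixture "$tmp"
find_timestomped "$tmp" 7     # prints only the timestomped images/fyi.php
rm -rf "$tmp"
```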

Permissions checks

If you suspect a breach in your web server or file system, check file permissions. The following command lists regular files with the setuid or setgid bit set, which run with their owner’s or group’s privileges rather than the caller’s, so any unexpected entry deserves a close look:

sudo find / -type f \( -perm -4000 -o -perm -2000 \) -ls

Check for active processes

If a file system scan shows nothing unusual, take a look at what’s running on the system. See which PHP scripts the web server processes have open with the following command (lsof +r 1 repeats the listing every second, the awk builds a comma-separated list of httpd process IDs, and the vhosts filter should match the path under which your sites live):

lsof +r 1 -p $(ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","$1 } } END{print str}') | grep vhosts | grep php

Analyzing malicious code: what to look for

You now know some of the basic techniques to search for files and file content. To go deeper when you manually remove site malware, you need to know what to look for. Here’s a helpful checklist.

Check rarely visited directories

System administrators rarely look in directories like upload, cache, tmp, backup, log, and images, making them ideal locations for hackers to hide malicious files.

Note: On PHP-based CMSes such as Joomla, check directories for .php files in the wrong places. If you’re on a WordPress site, check the wp-content/uploads, and the backup and theme cache directories.

Here’s an example of a command that checks for PHP files in an images folder:

find ./images -name '*.ph*'

Treat any similar files in such places suspiciously.

Files with strange names

Even though file names come in a wide variety, certain names should raise a red flag. Here are some examples:

  • php (no extension)
  • fyi.php
  • n2fd2.php

Note any unusual patterns or combinations of letters, symbols and numbers in file names. Examples of file names that are not naturally readable:

  • srrfwz.php
  • ath.php
  • kirill.php
  • b374k.php.php (double extension)
  • tryag.php

Hackers also exploit the habit of some programs of appending numbers to copies of existing files. So look out for files like:

  • index9.php
  • wp3-login.php

Look for unusual file name extensions

You don’t normally associate certain file name extensions with CMSes like WordPress. So if you see any of these, take note:

  • .py (Python code extension)
  • .rb (Ruby code extension)
  • .pl (Perl code extension)
  • .cgi (CGI code extension)
  • .so (Shared object extension)
  • .c (C source code extension)

Moreover, you also wouldn’t expect to find files with extensions like .phtml or .php3. If you discover any of the above on a PHP-based CMS website, then you should inspect it closely.

Look for non-standard attributes and creation dates on files

Another sign of a suspicious file is its owner attribute. So you need to watch out for the following:

If a number of .php files uploaded to the server via FTP or SFTP have the owner attribute set to myuser, but in the same directory you see files whose owner attribute is www-data, those files were written by the web server process rather than uploaded by you, and that warrants a closer look.

You must also check script creation dates. If a date is earlier than the website’s creation date, you need to be suspicious.

Look for large numbers of files

Directories containing hundreds or thousands of files are good places for a hacker to hide malicious scripts and payloads. Such large numbers of files can indicate a doorway, or another form of blackhat SEO.

You can detect such directories with the find command. We recommend you start in a specific directory to limit your search and avoid overloading the system. The following example finds the 25 directories with the largest number of files:

find ./ -xdev -type d -print0 | while IFS= read -d '' dir; do echo "$(find "$dir" -maxdepth 1 -print0 | grep -zc .) $dir"; done | sort -rn | head -25

(You can read more about file (inode) searching at StackExchange.)

Checking your server logs


You can also check any system through an inspection of the server log files. Here you can learn many things. For example:

  • You can tell how spam email was sent (when it was sent and from where, using the access_log file, and which script invoked the mail command).
  • You can check FTP logging. Tools such as xferlog tell you what was uploaded or changed, and who did it.
  • You can discover the location of any mail-sending PHP scripts, given the correct configuration of your mail and PHP servers.
  • You can check to see whether your CMS has additional logs to help you track down the source of an attack. This might help you determine whether an attack was external or came in via a CMS plugin.

Both access_log and error_log files are good sources of information. If you know which scripts are the attack vectors, you may be able to find the source IP address or the HTTP user agent value. You may also be able to see whether a POST request was made at the same time as the attack.

Checking the integrity of files

You deal with attacks more easily if you have adequate preparations in place, such as recording files in their pristine state so you can compare them with the same files after an attack. You can do this in various ways:

Use a source code control system such as git, SVN or CVS. With git, you can simply use these commands:

git status

git diff

Using source code control ensures you have a backup copy of server files. You can restore these easily in the event of a cyber attack.

Tools that can alert you when anything on a file system changes include:

In some cases, version control isn’t possible, for example on shared hosting. One workaround is to use CMS extensions or plugins to monitor file changes. Some CMSes even have their own built-in file integrity checks.

You can keep track of which files you have at any one time by cataloguing all the files on a system with this command:

ls -lahR > original_file.txt

You can compare this file later with a fresher copy using comparison tools like WinDiff, Araxis Merge, Beyond Compare, the Linux diff command, or even compare the snapshots online. This lets you see which files have been added or removed.
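An added example, not part of the original guide, that goes a step beyond the ls -lahR listing: it records a SHA-256 digest per file so that a later comparison reports content changes as well as added and removed files. It assumes GNU coreutils (sha256sum, sort -z, xargs -0) and paths without spaces; the fixture, file names and function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: a stronger version of the
# "ls -lahR > original_file.txt" snapshot. Each regular file is stored as
# "<sha256>  ./path", so comparing two snapshots shows content changes, not
# only files that appeared or disappeared. Assumes GNU coreutils and that
# no path contains whitespace (awk splits on it).

# Record every regular file under $1 into snapshot file $2.
snapshot() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

# Compare baseline $1 with current $2 and print "added", "removed" or
# "changed" followed by the path, one per line, sorted. The NR==FNR trick
# reads the baseline first; it assumes the baseline is not empty.
compare_snapshots() {
    awk 'NR == FNR { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (f in cur)
                 if (!(f in base)) print "added " f
                 else if (cur[f] != base[f]) print "changed " f
             for (f in base)
                 if (!(f in cur)) print "removed " f
         }' "$1" "$2" | sort
}

# Constructed fixture: a tiny web root snapshotted before and after a
# simulated tamper (index edited, .htaccess deleted, a new file dropped
# into uploads). Snapshots go to "$1.base" and "$1.now" beside the root.
make_tampered_root() {
    dir=$1
    mkdir -p "$dir/uploads"
    printf '<?php /* original index */\n' > "$dir/index.php"
    printf 'Deny from all\n' > "$dir/.htaccess"
    snapshot "$dir" "$dir.base"
    printf '<?php /* index with an extra line */\n' > "$dir/index.php"
    rm "$dir/.htaccess"
    printf '<?php /* constructed sample file */\n' > "$dir/uploads/n2fd2.php"
    snapshot "$dir" "$dir.now"
}

# Stand-alone demo: build the fixture, print the differences, clean up.
tmp=$(mktemp -d)
make_tampered_root "$tmp"
compare_snapshots "$tmp.base" "$tmp.now"   # added, changed and removed lines
rm -rf "$tmp" "$tmp.base" "$tmp.now"
```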

This whole process certainly looks pretty complex. You can always choose to fully automate it using ImunifyAV.

Comfortable Alternative to a Day’s Work – ImunifyAV


For added confidence, it’s good to know how to manually check your system for problems. And it’s a good way to learn some system administration techniques, like how to manually remove malware. Having a comprehensive server security solution such as ImunifyAV, a free antivirus and anti-malware scanner, is the first step towards a safe and secure website. You can easily upgrade to ImunifyAV+ and get a built-in, one-click, fully automated cleanup feature.