Making sure that your website is not used for anything shady is one of the most important tasks of being a webmaster. If you are making a living from a site, it is probably even the most important thing after making sure the site is up and running. There are several attack vectors worth mentioning: exploiting security vulnerabilities in the scripts running on the site or in programs running on the web server, exploiting improperly configured permissions on the server, distributing malicious content via advertisements, and disgruntled editors adding questionable links or code to pages.
Detectify is a new online service that you can use to scan a website thoroughly for security issues. There are a couple of things you need to do before you can get started, though. First, create an account with the service and verify the email address you signed up with. Then add at least one domain name you want scanned and verify ownership of that domain before you can start the security scan. Verification options include uploading a verification file to the root of the domain.
The actual scan runs in the background and can take quite some time depending on the size of the website. I started the scan of Ghacks, for instance, two days ago and it is still running. You can look at the preliminary report at any time, though.
The report page displays the number of exploits, warnings and notices found so far. Below that you find the total number of files scanned so far and the average scan time of the service.
If exploits, warnings or notices have been found, you can view their details to analyze them further. Here are a couple of examples the service found on the Ghacks server:
- Found a phpinfo() file that I forgot to remove from the server
- Found two directories that were displaying directory contents to users who would open them directly
- 58 suspicious links based on keywords (turned out to be false positives)
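The first two findings above are the kind of thing a webmaster can catch on the server before an external scanner does. The following script is an added example (not Detectify's code and not from the original post): it walks a local web root, flags PHP files that call phpinfo(), and lists directories that have no index file, which is what a server with directory indexing enabled (for example Apache with `Options +Indexes`, an assumption about the setup) would expose as a listing. The index file names and the sample web root it builds are constructed for the demonstration.

```python
"""Offline audit of a local web root for leftover phpinfo() files and
directories that would be listed if directory indexing is enabled.

Added example, not Detectify's own code. It assumes an Apache-style setup
in which a directory without an index file is exposed as a listing when
'Options +Indexes' is active (a hypothetical configuration for the demo).
"""
import os
import re
import tempfile

# Hypothetical DirectoryIndex names; adjust to match your server config.
INDEX_FILES = ("index.html", "index.htm", "index.php")

# Matches a call to phpinfo( ... ) anywhere in a PHP source file.
PHPINFO_RE = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)


def audit_webroot(root):
    """Return {'phpinfo_files': [...], 'listable_dirs': [...]} with paths
    relative to root (the root itself is reported as '/')."""
    findings = {"phpinfo_files": [], "listable_dirs": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            rel_dir = ""
        # A directory without any index file would show its contents.
        if not any(name in filenames for name in INDEX_FILES):
            findings["listable_dirs"].append(rel_dir or "/")
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    if PHPINFO_RE.search(fh.read()):
                        findings["phpinfo_files"].append(os.path.join(rel_dir, name))
            except OSError:
                continue  # unreadable file; skip rather than abort the audit
    for key in findings:
        findings[key].sort()  # os.walk order is not guaranteed
    return findings


def build_sample_webroot():
    """Construct a throwaway web root reproducing the two issues above:
    a forgotten info.php and an uploads/ directory without an index file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>")
    with open(os.path.join(root, "info.php"), "w") as fh:
        fh.write("<?php phpinfo(); ?>")
    with open(os.path.join(root, "blog", "index.html"), "w") as fh:
        fh.write("<html><body>blog</body></html>")
    with open(os.path.join(root, "uploads", "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for kind, paths in audit_webroot(sample).items():
        print(f"{kind}: {paths}")
```

Run it against the real document root instead of the constructed sample to get the same two checks locally; a directory in `listable_dirs` is only a problem if indexing is actually enabled on the server, so treat that list as a prompt to check the configuration rather than as a confirmed exposure.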
False positives can be marked as such, which informs the Detectify team about them. I was not able to download reports as CSV files, which may have been because the scan was not finished at that point in time.
Detectify scans all pages, directories and files that are publicly accessible on the selected domain name to identify security issues. Scans may take a long time, but since they run in the background without putting too much load on the website, this is not much of an issue unless you need a security scan as soon as possible.
For larger sites, it may be useful to run Detectify once a month or so for a thorough check-up. Scans should finish a lot faster on smaller sites.