ghacks Technology News

Give your website a thorough security scan with Detectify

By Martin Brinkmann on January 21, 2013

Making sure that your website is not used for anything shady is one of the most important tasks of a webmaster. If you make a living from a site, it is probably the most important task after keeping the site up and running. Several attack vectors need to be mentioned: exploiting security vulnerabilities in the scripts running on the site or in the programs running on the web server, abusing improper permissions on the server, distributing malicious content via advertisements, and disgruntled editors who add questionable links or code to pages.

Detectify is a new online service that you can use to scan a website thoroughly for security issues. There are a couple of things you need to do before you can get started, though. First, create an account with the service and verify the email address you signed up with. Then add at least one domain name you want scanned and verify ownership of that domain before you can start the security scan. Verification options include uploading a file to the root of the domain's web server.

The actual scan runs in the background and can take quite some time depending on the size of the website. I started the scan of Ghacks two days ago, for instance, and it is still running. You can look at the preliminary report at any time, though.


The report page displays the number of exploits, warnings and notices found. Below that you find the total number of files scanned so far and the average scan time of the service.

If exploits, warnings or notices have been found, you can view their details to analyze them further. Here are a couple of examples the service found on the Ghacks server:

  • Found a phpinfo() file that I forgot to remove from the server
  • Found two directories that displayed their contents (directory listing) to anyone who opened them directly
  • 58 suspicious links based on keywords (all of them turned out to be false positives)
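The three findings above are simple enough to reproduce offline. What follows is an added example written for this article, not Detectify's code: it runs detection logic for an exposed phpinfo() page, an enabled directory listing and keyword-flagged links over a handful of constructed HTTP responses (the example.com URLs, the partner.example allowlist entry and the severity labels are all assumptions of this example, not Detectify's categories or real Ghacks data). Allowlisting a host plays the role of marking a false positive in the report.

```python
"""Offline mock of the three kinds of finding the article lists: an exposed
phpinfo() page, directory listing, and links flagged by keyword.
All sample responses below are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed responses: url -> (HTTP status, body). Hypothetical hosts.
SAMPLE_RESPONSES = {
    "https://example.com/": (200, """<html><head><title>Home</title></head>
<body><a href="https://example.com/about">About</a>
<a href="https://partner.example/ads?cat=casino">Sponsored</a>
<a href="http://cheap-pills.example/buy-viagra">click here</a></body></html>"""),
    "https://example.com/phpinfo.php": (200, """<html><head><title>phpinfo()</title></head>
<body><h1 class="p">PHP Version 5.3.10</h1><table>...</table></body></html>"""),
    "https://example.com/uploads/": (200, """<html><head><title>Index of /uploads</title></head>
<body><h1>Index of /uploads</h1><pre><a href="../">Parent Directory</a>
<a href="backup.sql">backup.sql</a></pre></body></html>"""),
    "https://example.com/missing": (404, "<html><body>Not Found</body></html>"),
}

SPAM_KEYWORDS = ("casino", "viagra", "payday", "poker")
# Hosts whose links are known-good; adding one here is the equivalent of
# marking a false positive in the report. Hypothetical partner host.
ALLOWLIST = {"partner.example"}

# Markers of phpinfo() output and of Apache/nginx style auto-indexes.
PHPINFO_MARKERS = re.compile(r"<title>phpinfo\(\)</title>|PHP Version \d", re.I)
LISTING_MARKERS = re.compile(r"<title>Index of /[^<]*</title>|Parent Directory", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_phpinfo(body):
    """True if the body looks like the output of phpinfo()."""
    return bool(PHPINFO_MARKERS.search(body))


def is_directory_listing(body):
    """True if the body looks like a web server generated directory index."""
    return bool(LISTING_MARKERS.search(body))


def suspicious_links(body, keywords=SPAM_KEYWORDS, allowlist=ALLOWLIST):
    """Return hrefs whose URL or anchor text contains a spam keyword,
    skipping links to allowlisted hosts (the known false positives)."""
    parser = LinkExtractor()
    parser.feed(body)
    hits = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host in allowlist:
            continue
        haystack = (href + " " + text).lower()
        if any(k in haystack for k in keywords):
            hits.append(href)
    return hits


def scan(responses):
    """Classify every 200 response; returns (severity, description, url).
    Severity labels are this example's own choice."""
    findings = []
    for url, (status, body) in responses.items():
        if status != 200:
            continue
        if is_phpinfo(body):
            findings.append(("warning", "phpinfo() exposed", url))
        if is_directory_listing(body):
            findings.append(("warning", "directory listing enabled", url))
        for href in suspicious_links(body):
            findings.append(("notice", "suspicious link: " + href, url))
    return findings


if __name__ == "__main__":
    for severity, what, url in scan(SAMPLE_RESPONSES):
        print(f"[{severity}] {what} ({url})")
```

The fixes for the first two findings are the same whether a scanner or a reader reports them: delete the phpinfo file from the web root, and turn listings off with `Options -Indexes` in Apache or `autoindex off;` in nginx. The keyword check is deliberately crude, which is why the allowlist matters; without it every advertising partner link containing "casino" comes back as a hit, exactly the kind of false positive the article describes.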

False positives can be marked as such, which informs the Detectify team about them. I was not able to download reports as CSV files, which may have been because the scan was not finished at that point in time.

Verdict

Detectify scans all pages, directories and files that are publicly accessible on a selected domain name to identify security issues. Scans may take a long time, but since they run in the background without putting too much load on the website, that is not much of an issue unless you need the results as soon as possible.

For larger sites, it may be useful to run Detectify once a month or so for a thorough check up. Scans should finish a lot faster on smaller sites.

Check out Unmask Parasites if you only want to check a single page of a site, or our list of WordPress security plugins to protect and scan WordPress.





About the Author: Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook or Twitter.

Responses so far:

  1. Alexandra says:

    other choices like

    https://www.qualys.com/forms/freescan/?lsid=7038

    http://www.websafe.ie/Register/

    http://hackertarget.com/

    ...

    and some software

    http://resources.infosecinstitute.com/vulnerability-scanners/

  2. Nebulus says:

    Interesting information, thanks!

  3. IT Rush says:

    Nice find, hope to have an account open soon.. Thanks for the links.

  4. woomera says:

    Thanks Martin, I've set up a website of my own a few days back. Scanning right now for problems, probably with my WordPress.

    thanks

  5. Rick says:

    HORRIBLE HORRIBLE HORRIBLE

    I tried this once; if you have already done so, get ready for an avalanche of emails and phone calls to sell sell sell - this is what happened to me. Maybe their practices have changed however; it was awhile back.

  6. Rick says:

    The emails didn't start immediately - maybe 30 days or so - can't quite remember. And I guess things have changed since I tried it out because a phone number was a required field - good thing I used a throw-away number :)

    Good to hear that things have changed.

    • Hi, I'm one of the head application engineers at Detectify and I'm not quite sure what you mean by "an avalanche of emails and phone calls"? The phone isn't a required field and it has never been, and so far we've actually never called anyone.

      As for the emails, there might have been some issues with the mailing lists, and if so we apologize. We've not heard of anyone else having these issues so far though. Are you sure it was Detectify and not some similar service?

  7. I'll give it a shot, thanks.
    Thanks also for the Unmask Parasites link.


© 2005-2013 Ghacks.net. All Rights Reserved.