
scanning a website for malware


15 replies to this topic

#1 punk4


Posted 05 May 2015 - 07:26 AM

Hey, I suspect a website of having malware installed on it. I'd like to have the entire website scanned for malware if possible. If not, then everything from the last 3 years would be good. If not, then at least I'd like to scan some of the bigger pages on the website in question, and preferably all the small links on those bigger pages. So I was wondering how I should go about doing this. What are the best tools for doing this? Should I scan every page individually, manually (sounds like it'd take a longass time if I were to scan every single page/link)? Also, what are the best sources for knowing if a website has been infested w/ malware in the past? The website in question is a vBulletin forum. McAfee supposedly goes off at it, indicating it's been malware'd. But I've heard McAfee is unreliable. But I've my suspicions even outside of the McAfee issue. So yeah. Any help you can offer is appreciated.




#2 Johnny Computer


Posted 05 May 2015 - 08:55 AM

Hi Punk4-

Click the link below, then click the "URL" tab, enter the website address and you will be given detailed results from many different security vendors as to the safety level of the site in question. Good luck. :)

https://www.virustotal.com/

"DO OR DO NOT. THERE IS NO TRY."


#3 Aura


Posted 05 May 2015 - 09:59 AM

On top of VirusTotal, here are two more websites that allow you to scan URLs.

WebInspector
TrendMicro Safety Center

Good luck :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 quietman7


Posted 05 May 2015 - 01:17 PM


There are a number of web sites where you can check suspicious sites or get second opinions using various URL link scanners. Use several different vendors when performing queries to confirm the results of page content. Even doing this, you still need to be cautious of other links on the page itself which can redirect to a malicious page.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 rp88


Posted 05 May 2015 - 02:11 PM

Web of Trust can also be helpful here; it doesn't scan a page but does present a list of the comments of users who have been there. Sometimes a page has no comments, and sometimes comments might not be reliable, but it's another useful way to get an indication of whether pages have been noticed doing anything nasty. They have a browser extension but personally I just use their website and type in URLs when I am suspicious about something. The box for typing in URLs is at the top right of the page linked to below.

https://www.mywot.com/en/aboutus

Edited by rp88, 05 May 2015 - 02:12 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#6 quietman7


Posted 05 May 2015 - 03:35 PM

Many site rating vendors (i.e. McAfee SiteAdvisor, WOT) use a system of volunteer testers that continually patrol the Internet to browse sites, download files, and enter information on sign-up forms. All the results are documented and supplemented with feedback from users, Web site owners, and analysis from their own employees. The advising site vendor then summarizes the results sometimes into a color-coded red, yellow and green ratings scale to help inform Web users as to the safety of each tested site. While these tools are useful, they are not foolproof and sometimes may provide misleading ratings. Just because you visit a risky site does not automatically mean the site is bad or that your system has been infected by going there. Thus, the use of such rating sites does not always guarantee an accurate rating of the results they provide.

#7 JohnnyJammer


Posted 05 May 2015 - 08:29 PM

I generally use https://sitecheck.sucuri.net/ and force it to rescan if it contains cached data.



#8 Aura


Posted 05 May 2015 - 08:33 PM

> I generally use https://sitecheck.sucuri.net/ and force it to rescan if it contains cached data.


It looks like this website doesn't like websites protected by CloudFlare, it cannot scan them properly.

https://sitecheck.sucuri.net/results/realforums.org

I also got the same results on 3-4 other websites protected by CF that I won't disclose here.



#9 quietman7


Posted 05 May 2015 - 08:36 PM

 

Disclaimer: Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed.



#10 Didier Stevens


Posted 06 May 2015 - 02:08 PM

To scan a complete website yourself remotely, you need to access all its resources. So you need to download all the files and scan them with your AV products.

This might be against the terms of use of this website (to download the complete website).

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
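
Added example, not part of any poster's reply: posts #4 and #10 above note that links on a page can lead elsewhere and that checking a site means reaching all of its resources. The Python code below statically lists every URL a saved page references, without running any of its scripts, and separates out the ones a browser would load automatically from another host, so each can be submitted to the URL scanners named in this thread. `ResourceCollector`, `urls_to_check` and the sample page with its example hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser load or follow a URL.
URL_ATTRS = {"a": "href", "script": "src", "iframe": "src", "img": "src",
             "link": "href", "form": "action", "embed": "src", "object": "data"}
# Tags whose content is fetched automatically, without a click.
AUTO_LOADED = {"script", "iframe", "embed", "object"}

class ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []  # (tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content looks like "5; url=http://host/path"
            _, _, target = (attrs.get("content") or "").partition("=")
            if target:
                self.found.append(("meta-refresh", urljoin(self.base_url, target.strip(" '\""))))
        elif tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.found.append((tag, urljoin(self.base_url, attrs[URL_ATTRS[tag]].strip())))

def urls_to_check(html, base_url):
    """Return (all http(s) URLs, those auto-loaded or redirected to from another host)."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    site = urlparse(base_url).hostname
    all_urls, third_party_auto = [], []
    for tag, url in collector.found:
        parts = urlparse(url)
        if parts.scheme not in ("http", "https"):
            continue  # skip mailto:, javascript:, data: and similar
        if url not in all_urls:
            all_urls.append(url)
        if parts.hostname != site and (tag in AUTO_LOADED or tag == "meta-refresh"):
            third_party_auto.append((tag, url))
    return all_urls, third_party_auto

# Constructed sample page (not from the thread); hosts are reserved example domains.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5; url=http://redirect.example.net/land">
<script src="/clientscript/forum.js"></script>
<script src="http://cdn.example.org/stats.js"></script></head>
<body><a href="showthread.php?t=1">thread</a>
<a href="mailto:admin@forum.example.com">mail</a>
<iframe src="//ads.example.net/frame.html" width="0" height="0"></iframe>
</body></html>"""
```

Calling `urls_to_check(SAMPLE, "http://forum.example.com/index.php")` returns the five http(s) URLs on the sample page plus the three that come from other hosts without a click: the meta refresh target, the external script and the zero-size iframe.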


#11 punk4


Posted 07 May 2015 - 11:48 AM

If I want to completely avoid any chance of getting malware while viewing a site I suspect is infected, what do I do? Will viewing it thru ixquick proxy work? Google, Yahoo, Bing, etc. caches? What about web archives like archive.is/today, freezepage & Wayback Machine?

These website malware scanners are unable to scan things which are only available if you're registered & logged in (like PM inbox structure, etc.), right? If so, should I do as Didier Stevens said & download the entire website & have it scanned? I'm not the website owner in question so do I need to convince the owner to lemme DL all of it for scanning to do it legally? Or maybe convince the owner to perform the scan...

Let's just imagine that the vBulletin forum in question had one of its staff accounts hacked into but the account wasn't the admin account. Would a hacker be able to stealthily infect the website with all sorts of malware in such a scenario? What are the chances it'd go unnoticed for months or years on end, esp. if the owner/admin of the forum worked in IT? Would it go unnoticed by website malware scanners, assuming the hacker wasn't dumb about it?


Edited by punk4, 07 May 2015 - 11:52 AM.


#12 Aura


Posted 07 May 2015 - 11:50 AM

It seems like you're worried about one website in particular. Is it possible for you to tell us which website you are talking about and why exactly you suspect it to be infected? Also, if the website is infected and the owner doesn't know it, I don't think it's your job to find it out, since you don't have access to the server.



#13 rp88


Posted 07 May 2015 - 12:06 PM

Regarding post #11, proxies can't protect you from malware unless specially designed to do so (as in specially designed proxies that only let through non-executable content). Most proxies are not designed as such, but are instead designed to let everything through to ensure the site runs normally for proxy users.

If you must visit something potentially infected then having NoScript installed in your browser will make exploits against you almost impossible. When doing risky things it would be best to combine the protection of NoScript with an operating system which is particularly resilient to malware; some sort of live Linux system which can't save changes might be the best method.

Telling the owner of your suspicions would be a good idea. Do you know of ways to contact him/her without going through his/her potentially infected website? Do you have an email address for him/her? Beyond alerting the site's owner to what you suspect there isn't much you can do, even if you find a way to scan the whole site it will do no good because you won't be in a position to fix anything, all you will be able to do with the scan results is tell the owner about them.

Edited by rp88, 07 May 2015 - 12:06 PM.


#14 punk4


Posted 30 June 2015 - 10:57 AM

Alright, time to get back to this. I'll reveal that the website in question is a Tumblr profile, made by a rather twisted person. Now the question is, if I'm already malwared, should I just delete my FB account, change my passwords on various websites, etc.? I'm a bit worried about phishing. I might reveal the identity of the Tumblr if that would help a lot... Also, if the phishing was successful, could the person have got ahold of my FB login details, & thus know my real name, location, etc.?


Edited by punk4, 30 June 2015 - 11:00 AM.


#15 Aura


Posted 30 June 2015 - 11:19 AM

And you expect an online scanner to tell you if that Tumblr page is malicious (phishing, scripts, etc.)? And if you are already infected, you should change all your passwords on another device, then get assistance here to get cleaned up.
