Cloud-Based Website Integrity Monitoring
Our scanner crawls your site and identifies infections on any platform. It draws on internal definitions that are refined daily, external sources and threat intelligence to detect both known-malicious signatures and anomalies that do not yet match any known signature. The same scanner powers Sucuri SiteCheck, our popular free website scanner, and our internal monitoring service.
Every plan includes a number of monitoring options, each of which provides a slew of information that helps determine whether malicious activity is taking place.
On by default for all clients, this option uses our scanning service to identify malware, spam injections, website errors, disabled sites, database connection issues and code anomalies that require special attention.
Our scanner is designed to identify a number of different infection types. The monitoring is divided into two complementary methodologies: remote scans and server-level scans.
Remote scans have the ability to detect the following infection types:
- Cross Site Scripting (XSS)
- Website Defacements
- Hidden & Malicious iFrames
- PHP Mailers
- Phishing Attempts
- Malicious Redirects
- Backdoors (e.g., C99, R57, Webshells)
- Social Engineering Attacks
- SEO Blackhat Spam
- Pharma Hacks
- Conditional Redirects
- Mobile Redirects
Server Side scans are included with all malware removal plans, but must be configured separately. They have the ability to detect these infection types:
- Phishing Pages
- Backdoors (e.g., C99, R57, webshells in various languages)
- Code Anomalies
- Obfuscated Injections
Scanning is most comprehensive when both scan-types are used in unison. Imagine it like your vision. When you use one eye, you aren’t able to see everything in front of you, but opening both eyes allows you to fill in the blind spots.
The remote scanner fetches your pages while emulating a subset of user agents and referrers (desktop and mobile browsers, search-engine crawlers, visitors arriving from search results), because many payloads only trigger for particular visitors: a conditional redirect may fire only when the referrer is a search engine, a mobile redirect only for phone browsers, and SEO spam only for crawlers. Requesting the site the way those visitors do is what reveals what your end users actually receive in their browsers.
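As an added illustration of that idea (this is example code, not Sucuri's scanner), the probe below requests the same URL under several user-agent and referrer profiles and reports every profile whose response diverges from a plain desktop visit. The `fetch()` function is a constructed stand-in for an HTTP client that behaves like an infected site; the hostnames, profiles and the infected behaviour it simulates are all assumptions for the demo.

```python
"""Remote-scan style probe for conditional and mobile redirects and cloaking.

Added example; this is not Sucuri's scanner. `fetch()` is a constructed
stand-in for an HTTP client that behaves like an infected site: it
redirects search-engine referrals to a pharma domain, meta-refreshes phone
browsers to a mobile spam page and serves link spam only to Googlebot.
Replace it with a real client (e.g. requests with allow_redirects=False)
to probe a live site.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    status: int
    location: Optional[str]   # Location header, if the server redirected
    body: str


DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# (label, User-Agent, Referer). The first profile is the baseline every
# other profile is compared against.
PROFILES = [
    ("desktop-direct", DESKTOP_UA, ""),
    ("desktop-from-google", DESKTOP_UA, "https://www.google.com/search?q=example+store"),
    ("mobile-direct", MOBILE_UA, ""),
    ("googlebot", GOOGLEBOT_UA, ""),
]

CLEAN_BODY = "<html><body><h1>Example Store</h1><p>Welcome.</p></body></html>"


def fetch(url, user_agent, referer):
    """Constructed stand-in for an HTTP GET that mimics an infected host."""
    if "google." in referer:                       # search-engine referral
        return Response(302, "http://pharma-spam.example/", "")
    if "iPhone" in user_agent or "Android" in user_agent:
        return Response(200, None, '<html><head><meta http-equiv="refresh" '
                        'content="0;url=http://mobile-spam.example/"></head></html>')
    if "Googlebot" in user_agent:                  # cloaked SEO spam
        return Response(200, None, CLEAN_BODY.replace(
            "</body>", '<a href="http://pills.example/">cheap pills</a></body>'))
    return Response(200, None, CLEAN_BODY)


# Redirects that happen in the body rather than via an HTTP status code.
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def redirect_target(resp):
    """Where this response sends the visitor, or None if it stays put."""
    if resp.status in (301, 302, 303, 307, 308) and resp.location:
        return resp.location
    m = META_REFRESH.search(resp.body) or JS_REDIRECT.search(resp.body)
    return m.group(1) if m else None


def fingerprint(resp):
    return hashlib.sha256(resp.body.encode()).hexdigest()[:16]


def scan(url, fetch_fn=fetch):
    """Fetch `url` under every profile and report behaviour that differs
    from the baseline profile. Returns a list of (profile, finding)."""
    base_label, ua, ref = PROFILES[0]
    baseline = fetch_fn(url, ua, ref)
    base_target, base_fp = redirect_target(baseline), fingerprint(baseline)
    findings = []
    if base_target:
        findings.append((base_label, "redirects every visitor to " + base_target))
    for label, ua, ref in PROFILES[1:]:
        resp = fetch_fn(url, ua, ref)
        target = redirect_target(resp)
        if target and target != base_target:
            findings.append((label, "conditional redirect to " + target))
        elif target is None and fingerprint(resp) != base_fp:
            findings.append((label, "content differs from baseline (possible cloaking)"))
    return findings


if __name__ == "__main__":
    for profile, finding in scan("http://example-store.test/"):
        print(f"{profile:22s} {finding}")
```

The point of the baseline comparison is that none of the three infections is visible to the plain desktop profile: a single request would report the site as clean. Redirects that live in the body (meta refresh, JavaScript `location=`) are checked as well as HTTP 3xx responses, because an injected redirect rarely bothers with a status code.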
The server side scanner has the opposite limitation: it does not make remote requests, so it never sees what a visitor's browser sees (luckily, the remote scanner makes up for that). It depends on server-level access and can crawl every file on your server, which makes it ideal for things that never render in a client's browser, such as backdoors and phishing kits.
This option is on by default for all users. We recommend leaving it active because blacklist status, and the reasons behind it, can be confusing. A number of blacklisting authorities monitor for malware, spam and phishing. Our blacklist monitoring queries these authorities' APIs and ensures you know as soon as your site has been flagged:
- Google Safe Browsing
- Phish Tank (Phishing Specifically)
- McAfee SiteAdvisor
Whois is an internet directory service that records who is responsible for a domain. For generic top-level domains, the registrars that register domains are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), which also sets the policy for the data they publish; ICANN does not register domains itself. A Whois record contains the Registrant (the person or organization that holds the domain), the Registrar (the entity through which it was registered), the creation, update and expiry dates, the nameservers and other similar, and important, information.
If at any time this information changes, you will be notified.
Domain Name System (DNS)
DNS is the naming system that computers on IP networks use to find each other; it is part of the TCP/IP protocol suite. Its specific function is to turn a domain name (somesite.com, for example) into an internet protocol (IP) address such as 203.0.113.10. The name is what we as humans read; the IP address is what the computers use to communicate.
This option monitors your domain's IP address and associated DNS records for changes. They rarely change, but if they do we will notify you.
If your site is served over HTTPS, it uses an SSL/TLS certificate (TLS, the successor of Secure Socket Layer, is the protocol that encrypts HTTP traffic; most people still call it SSL). The server presents this certificate to every visitor during the HTTPS handshake; it contains your site's hostname and, in some instances, company information.
If you use a certificate, this option ensures it doesn't change unexpectedly; if it does, a notification is sent.
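The Whois, DNS and certificate options above all follow the same pattern: keep a snapshot, take a fresh one, alert on the difference. The added example below (illustrative code, not Sucuri's monitoring implementation) shows the detail that makes such a monitor useful rather than noisy: volatile fields such as the Whois updated date and DNS TTLs are ignored, multi-valued records are compared order-insensitively, a routine certificate renewal is reported as one informational event, and changes to the fields a hijacker must touch (nameservers, MX, certificate issuer) are rated critical. All snapshots are constructed dicts standing in for real lookup results; the hostnames and values are assumptions.

```python
"""Change detection for Whois, DNS and TLS certificate snapshots.

Added example; this is not Sucuri's monitoring code. The records below are
constructed dicts standing in for what a whois lookup, a DNS resolver and a
TLS handshake would return: *_OLD is the snapshot stored at the previous
check, the others are what a later check observed.
"""

# Fields that change on every lookup and must never raise an alert.
IGNORED = {"whois": {"updated_date"}, "dns": {"ttl"}, "cert": set()}

# Fields whose change points at a takeover rather than routine maintenance.
CRITICAL = {
    "whois": {"registrar", "registrant_email", "nameservers", "status"},
    "dns": {"A", "AAAA", "NS", "MX", "TXT"},
    "cert": {"subject", "issuer", "subject_alt_names"},
}


def normalize(kind, record):
    """Drop volatile fields and make multi-valued fields order-insensitive."""
    out = {}
    for key, value in record.items():
        if key in IGNORED[kind]:
            continue
        if isinstance(value, (list, set, tuple)):
            value = tuple(sorted(value))
        out[key] = value
    return out


def diff(kind, old, new):
    """(severity, field, old_value, new_value) for every field that changed."""
    old_n, new_n = normalize(kind, old), normalize(kind, new)
    changes = []
    for key in sorted(set(old_n) | set(new_n)):
        if old_n.get(key) != new_n.get(key):
            severity = "critical" if key in CRITICAL[kind] else "info"
            changes.append((severity, key, old_n.get(key), new_n.get(key)))
    return changes


def check_cert(old, new):
    """A routine renewal changes only serial, fingerprint and validity dates and
    comes from the same issuer for the same names; report that as one info
    event. Anything else (new issuer, extra names) is reported field by field."""
    changes = diff("cert", old, new)
    changed = {c[1] for c in changes}
    renewal_fields = {"serial", "fingerprint_sha256", "not_before", "not_after"}
    if changes and changed <= renewal_fields and new["not_after"] > old["not_after"]:
        return [("info", "renewal", old["fingerprint_sha256"], new["fingerprint_sha256"])]
    return changes


def check(kind, old, new):
    return check_cert(old, new) if kind == "cert" else diff(kind, old, new)


# --- constructed snapshots ---------------------------------------------------
WHOIS_OLD = {
    "registrar": "Registrar A, LLC", "registrant_email": "admin@example-store.com",
    "nameservers": ["ns1.hosting.example", "ns2.hosting.example"],
    "status": ["clientTransferProhibited"],
    "created_date": "2015-03-02", "expiry_date": "2026-03-02", "updated_date": "2024-01-10",
}
# Only updated_date moved: the registrar touched the record, nothing to report.
WHOIS_TOUCHED = dict(WHOIS_OLD, updated_date="2024-06-01")
# Nameservers moved and the transfer lock vanished: classic domain hijack.
WHOIS_HIJACKED = dict(WHOIS_TOUCHED, status=[],
                      nameservers=["ns1.attacker-dns.example", "ns2.attacker-dns.example"])

DNS_OLD = {"A": ["198.51.100.10", "198.51.100.11"], "MX": ["10 mail.example-store.com"],
           "NS": ["ns1.hosting.example", "ns2.hosting.example"], "ttl": 300}
# Same A records in a different order, a new TTL, and an extra MX host.
DNS_NEW = {"A": ["198.51.100.11", "198.51.100.10"],
           "MX": ["10 mail.example-store.com", "5 mx.attacker.example"],
           "NS": ["ns1.hosting.example", "ns2.hosting.example"], "ttl": 60}

CERT_OLD = {"subject": "CN=example-store.com", "issuer": "CN=R3,O=Let's Encrypt,C=US",
            "subject_alt_names": ["example-store.com", "www.example-store.com"],
            "serial": "03a1c2", "fingerprint_sha256": "1111aaaa",
            "not_before": "2024-03-01", "not_after": "2024-05-30"}
CERT_RENEWED = dict(CERT_OLD, serial="04b2d3", fingerprint_sha256="2222bbbb",
                    not_before="2024-05-01", not_after="2024-07-30")
CERT_ROGUE = dict(CERT_RENEWED, issuer="CN=Some Other CA,O=Unknown",
                  subject_alt_names=CERT_OLD["subject_alt_names"] + ["login.example-store.com"])

if __name__ == "__main__":
    for label, kind, old, new in [("whois touched", "whois", WHOIS_OLD, WHOIS_TOUCHED),
                                  ("whois hijacked", "whois", WHOIS_OLD, WHOIS_HIJACKED),
                                  ("dns", "dns", DNS_OLD, DNS_NEW),
                                  ("cert renewed", "cert", CERT_OLD, CERT_RENEWED),
                                  ("cert rogue", "cert", CERT_OLD, CERT_ROGUE)]:
        print(label, check(kind, old, new) or "no change")
```

The renewal rule is the part worth copying: a certificate that changes every 60 to 90 days would otherwise page someone on every renewal, and the alert people then learn to ignore is the one that fires when the issuer changes.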
This service creates a snapshot of your site and notifies you if a change is made. Changes that this service tracks include:
- New Posts
- New Pages
- Content Changes
- Social Media Changes (Tweets, Likes, etc..)
- Threaded Messages / Comments
This option works best for sites whose content changes rarely; on a frequently updated site it can generate a high volume of email notifications.
Search Engine Result Pages (SERP)
One of the hardest things for any website scanner to detect is how your site appears to searchers once Google blacklists it. That blacklisting takes several forms; one of them is a warning shown to potential visitors right in the search results.
A search engine results page (SERP) is the listing of results returned by a search engine in response to a keyword query. – Wikipedia
This is an example of a clean SERP:
These SERPs are highly sought after by attackers because they provide an opportunity to intercept your traffic and make money off your visitors. They exploit those visits by 1) generating impressions on their own websites (often pharmaceutical pages) and 2) redirecting users to infected websites that try to exploit the client's desktop environment (PC, Mac, etc.).