PHP vulnerability scanning tool

Is there a free tool that will recursively scan every bit of code in your site for vulnerabilities associated with inputs, URL vars, AJAX requests, and all the other possible attack vectors?

I do not know of a script that scans all vectors, but this is a good scanner:

https://www.rfxn.com/projects/linux-malware-detect/

FW,

maldet can be run on a 'nix server. It scans for all sorts of malware. My hosts have wanted to do the install on both a VPS and dedicated server so you may want to contact your host and request that they install and configure for you. It’s an excellent malware scanner.

Regards,

DK

Cheers. I build all my sites on my own computer before putting them on the internet, so the maldet program sounds like what I need.

FW,

I’ve just discovered that the maldet I thought was running (compliments of my host) wasn’t there after all! However, I found that, if you have access to your server (VPS or dedi), you can download, install, configure and await your daily reports for yourself. Just Google for maldet.

Regards,

DK

I had a look at the link above. It's a malware scanner and not a tool to test vulnerabilities in PHP applications. Saying that, I have been looking for a link like that for a very long time and haven't found one yet!

Has anyone here found a tool like this? I would be very thankful :slight_smile:

Thanks
Jon
Software Developer

Hi Jon,

maldet is a malware scanner, TRUE! However, it does look into PHP files to detect malevolent code.

To test PHP vulnerabilities, you need to be very familiar with PHP coding … and check user input until you’re blue in the face!

Ah! I remember looking at Tenable’s Nessus scanner … but it costs a ton ($1500/yr) so you’re better off with my earlier suggestion which is what is highly recommended everywhere.

Regards,

DK

Hmm. Tenable looks very good and I guess the price reflects it. Looks like I am down to two options:

Maldet, and employing a consultant to check the app. I am sure it will be the former that my company will choose.

Thanks for all the help.

Cheers!
Jon

A malware scanner isn't what you really need. If you have constructed your web site from a bunch of resources downloaded from the web (e.g. a WordPress site with a bunch of plugins and themes), then it might be useful in detecting any spurious injections of malware (it happens sometimes with free themes and plugins), but it won't detect vulnerabilities in a custom-built site or application.

What you’re looking for is penetration testing software / fuzzing software - this traverses the application as a client, testing inputs and responses with a range of typical exploitative techniques.
There are freely available tools, but they often require a reasonable amount of expertise in their use. This link contains a list of possibilities: http://seclists.org/pen-test/2012/Feb/14
And this site is useful in general in getting better clued up on where weaknesses are likely to be: https://www.owasp.org/index.php/Top_10_2013-Top_10
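Added example, not code from this thread nor from maldet, Nessus or any tool linked above: it ties DK's earlier advice ("check user input until you're blue in the face") to the description of pentest/fuzzing software that feeds probe inputs to an application and inspects the responses. A deliberately vulnerable handler for a URL var sits beside a hardened one, a strict handler for an AJAX JSON body follows, and a small in-process probe loop plays the role of the scanner, flagging the two tell-tale signs a real fuzzer looks for: the raw payload echoed back unescaped, and a database error leaking out. It assumes PHP 8 on the command line with PDO and pdo_sqlite; the table, rows, handler names and payloads are all constructed for the example.

```php
<?php
// Added example (not from the thread). Assumes PHP 8 CLI with PDO + pdo_sqlite.
// Everything below (table, rows, handler names, payloads) is constructed.
declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // errors become exceptions
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

// VULNERABLE: the URL var goes straight into SQL and straight back into HTML.
function vulnerableHandler(PDO $db, array $get): string {
    $id  = $get['id'] ?? '';
    $row = $db->query("SELECT name FROM users WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
    $name = $row ? $row['name'] : 'nobody';
    return "<p>Hello $name, you asked for id=$id</p>";
}

// HARDENED: validate the type and range first, bind the value, escape the output.
function hardenedHandler(PDO $db, array $get): string {
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '<p>Bad request</p>';
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $name = htmlspecialchars($row ? $row['name'] : 'nobody', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello $name, you asked for id=$id</p>";
}

// AJAX/JSON body: decode strictly, then validate every field before using it.
function hardenedAjaxHandler(string $rawBody): array {
    try {
        $data = json_decode($rawBody, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return ['ok' => false, 'error' => 'invalid json'];
    }
    if (!is_array($data)) {
        return ['ok' => false, 'error' => 'expected an object'];
    }
    $email = filter_var($data['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $qty   = filter_var($data['qty'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($email === false || $qty === false) {
        return ['ok' => false, 'error' => 'invalid fields'];
    }
    return ['ok' => true, 'email' => $email, 'qty' => $qty];
}

// Probe loop: what a client-side fuzzer does, minus the HTTP. Each payload is
// pushed through the handler as the "id" URL var and the response is checked.
function probe(callable $handler, PDO $db, array $payloads): array {
    $findings = [];
    foreach ($payloads as $label => $payload) {
        try {
            $out = $handler($db, ['id' => $payload]);
            if (str_contains($out, $payload)) {
                $findings[$label] = 'payload reflected unescaped';
            }
        } catch (PDOException $e) {
            $findings[$label] = 'database error leaked: ' . $e->getMessage();
        }
    }
    return $findings;
}

$payloads = [
    'xss'  => '<script>alert(1)</script>',
    'sqli' => '1 OR 1=1',
    'tick' => "1'",
];

$db = setupDb();
printf("vulnerable: %s\n", json_encode(probe('vulnerableHandler', $db, $payloads)));
printf("hardened:   %s\n", json_encode(probe('hardenedHandler', $db, $payloads)));
printf("ajax ok:    %s\n", json_encode(hardenedAjaxHandler('{"email":"a@b.example","qty":"7"}')));
printf("ajax bad:   %s\n", json_encode(hardenedAjaxHandler('{"email":"nope","qty":0}')));
```

Run it with `php example.php`. The vulnerable handler produces a finding for every payload (the `xss` and `tick` probes trip a SQLite syntax error, `sqli` is echoed back verbatim), while the hardened handler rejects all three before they reach the database or the page. The point of the loop is the shape of the check, not the payload list: a real scanner carries hundreds of payloads and watches for the same two signals over HTTP, and, as East Coast says, reading its output still takes someone who understands what the application was supposed to do with that input.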

Thanks for posting the information, East Coast. It is a good question, as security exploits become more and more common. As you said, it may take an advanced level of expertise to use, but at least it is a good starting point for finding site vulnerabilities "associated with inputs, URL vars, AJAX requests, and all the other possible attack vectors." In this age of advancing technology, sometimes it is best to hire out a little help. It is now almost impossible to be an expert on all fronts.

We used “http://configserver.com/cp/cxs.html” on a few of our servers and atomic on other servers. Works great.

How do I run the maldet command in the shell? Is it like this?
$ maldet -a /home/?/public_html/
I get a "command not found" error. What should I add before maldet?

Hmm… looks good… will try it out, sahostking.

Thanks!
Jon

I think you have posted this on the wrong thread mate! :slight_smile:

No. correctly posted. maldet was suggested above.