Vulnerability Scanning Your Servers & Web Apps... Do you? What do you use?

Considering it is National Cyber Security Awareness Month, and if you are on this forum then you are obviously at least a little bit of a forward thinker, I wanted to start the discussion on vulnerability scanning your local network, your cloud network (if you run multiple servers in the cloud and they talk locally, you have a cloud network), and your actual web apps (websites) themselves.

So, does anyone do it? With any regularity? Automated it? Think it’s a waste of time? Pay someone else to handle it?

I personally have automated a few things (worked them into Trellis, which means I have roles, but they are rough around the edges because I never showed them to anyone) that I have running on all my servers.

I run LMD (Linux Malware Detect) with ClamAV as the scanner engine. The article is for RHEL, but if you're going to run the scanner then you can figure out how to change yum to apt-get.

I use Lynis (security auditing which runs on your server and tells you how horrible you are) every once in a while, normally when I first set up a server, then occasionally after big updates and such.

I try to run Rkhunter but the false positives drive me insane so I mostly stopped using it.

Also, I use Metasploit Framework to run small-scale pen testing on my local network and on my web apps; it will do port scans, SQL exploits, try uploading malware onto your server, that type of stuff, plus a lot more.

I’m by no means a hardcore hacker or pen-tester wannabe (I know my role in the world and that isn’t currently it), but I feel like I really want to take the Offensive Security Pen Testing w/ Kali Linux cert because they let you loose in their own custom cloud pen testing lab with a ton of vulnerable machines and networks and you just have to get down and make your way through them.

Anyone else dabble in pen-testing their websites or servers? Do you all think it’s something worth knowing about yourself, or should you just get a WAF (Cloudflare, Sucuri, Wordfence) and forget about the bots and people trying to break into your stuff every second of every day, because that’s what you pay those people for?


I consider myself at most low to moderately experienced on this topic, so I’m here to learn. But, I’ll share one of my favorite tools: ISPProtect. I discovered this a couple months ago, and the reports it provides helped me quickly remediate 40+ sites on one of my servers. I now have a cron set to run it once a month, and it emails me the results. They offer a free trial which covers your first scan.

To give you an idea of the reporting it provides, here’s that original report I ran with the server pathnames removed:

Starting scan level 1 ...
Scanning 302506 files now ...
Scan level 1 completed. 0 hits.
Starting scan level 2 ...
Scanning 142707 files now ...
Scan level 2 completed. 41 hits.
================================
Found 41 malware file(s)
================================
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.hidden.explode in ...
Malware {ISPP}suspect.hidden.explode in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.eval.base64 in ...
Malware {ISPP}suspect.eval.base64 in ...
Malware {ISPP}suspect.globals.eval in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.globals.eval in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.hidden.explode in ...
Malware {ISPP}suspect.globals.eval in ...
Malware {ISPP}suspect.include.image in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.globals.func in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
Malware {ISPP}suspect.post.eval in ...
================================
Starting Wordpress check. This could take a while ...
Most decent version(s): 4.6
Outdated Wordpress version: 4.4.2 (newest is 4.6) in ...
Outdated Wordpress version: 4.4.2 (newest is 4.6) in ...
Outdated Wordpress version: 4.6-alpha-37595 (newest is 4.6) in ...
Outdated Wordpress version: 4.5.3 (newest is 4.6) in ...
Outdated Wordpress version: 3.6.1 (newest is 4.6) in ...
Wordpress check found 35 current and 5 outdated versions.
================================
Starting Joomla check. This could take a while ...
Most decent version(s): 2.5.28, 3.1.3, 3.2.7, 3.6.0, 3.6.2
Joomla check found 0 current and 0 outdated versions.
================================
Starting Drupal check. This could take a while ...
Most decent version(s): 6.38, 7.50, 8.1.8
Drupal check found 0 current and 0 outdated versions.
================================
Starting Mediawiki check. This could take a while ...
Most decent version(s): 1.27.1
Mediawiki check found 0 current and 0 outdated versions.
================================
Starting Contao check. This could take a while ...
Most decent version(s): 3.5.15, 4.2.2
Contao check found 0 current and 0 outdated versions.
================================
Starting Magentocommerce check. This could take a while ...
Most decent version(s): 1.9.2.4
Magentocommerce check found 0 current and 0 outdated versions.
================================
Starting Woltlab_burning_board check. This could take a while ...
Most decent version(s): 4.0.12, 4.1.11
Woltlab Burning Board check found 0 current and 0 outdated versions.
================================
Starting Cms_made_simple check. This could take a while ...
Most decent version(s): 1.12.2
Cms Made Simple check found 0 current and 0 outdated versions.
================================
Starting Phpmyadmin check. This could take a while ...
Most decent version(s): 4.0.10.17, 4.4.15.8, 4.6.4
Phpmyadmin check found 0 current and 0 outdated versions.
================================
Starting Typo3 check. This could take a while ...
Most decent version(s): 6.2.26, 7.6.10, 8.2.1
Typo3 check found 0 current and 0 outdated versions.
================================
Starting Roundcube check. This could take a while ...
Most decent version(s): 1.2.1
Roundcube check found 0 current and 0 outdated versions.
================================
Starting Shopware check. This could take a while ...
Most decent version(s): 5.2.5
Shopware check found 0 current and 0 outdated versions.
================================
================================
Starting WP plugin vulnerability scan. This could take a while ...
================================
Starting WP plugin version scan. This could take a while ...
Outdated WP plugin "wordpress-importer" version: 0.6.1 (newest is 0.6.3) in ...
Outdated WP plugin "easy-theme-and-plugin-upgrades" version: 1.0.4 (newest is 2.0.0) in ...
Outdated WP plugin "contact-form-7" version: 4.4.1 (newest is 4.5) in ...
Outdated WP plugin "iwp-client" version: 1.5.1.1 (newest is 1.6.1.1) in ...
Outdated WP plugin "all-in-one-seo-pack" version: 2.3.2.3 (newest is 2.3.9.1) in ...
Outdated WP plugin "akismet" version: 3.1.9 (newest is 3.1.11) in ...
Outdated WP plugin "disable-comments" version: 1.4 (newest is 1.5.1) in ...
Outdated WP plugin "velvet-blues-update-urls" version: 3.2.4 (newest is 3.2.5) in ...
Outdated WP plugin "iwp-client" version: 1.5.1.1 (newest is 1.6.1.1) in ...
Outdated WP plugin "all-in-one-seo-pack" version: 2.3.8 (newest is 2.3.9.1) in ...
Outdated WP plugin "iwp-client" version: 1.6.0 (newest is 1.6.1.1) in ...
Outdated WP plugin "quick-pagepost-redirect-plugin" version: 4.2.3  (newest is 5.1.8) in ...
WP plugin version check found 476 current and 12 outdated versions.
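
A report in that format is easy to post-process before it gets mailed. The following is an added example, not ISPProtect's own code: it reduces a report to the counts and the per-signature breakdown worth reading each month, lists the affected paths for a quarantine or diff step, and gives cron a yes/no to key the mail on. The sample report it embeds is constructed to mirror the format above, with made-up paths.

```shell
#!/bin/sh
# Added example (not ISPProtect's code): summarize a scan report of the format
# shown above so a monthly cron job can mail only when something needs action.
# The sample report below is constructed; the paths in it are made up.
set -eu

SAMPLE_REPORT="$(mktemp)"
cat > "$SAMPLE_REPORT" <<'EOF'
Starting scan level 1 ...
Scan level 1 completed. 0 hits.
Starting scan level 2 ...
Scan level 2 completed. 5 hits.
================================
Found 5 malware file(s)
================================
Malware {ISPP}suspect.post.eval in /var/www/site-a/wp-content/uploads/2016/08/cache.php
Malware {ISPP}suspect.post.eval in /var/www/site-a/wp-includes/class-wp-http.php
Malware {ISPP}suspect.include.image in /var/www/site-b/wp-content/themes/x/header.php
Malware {ISPP}suspect.eval.base64 in /var/www/site-b/wp-content/plugins/y/y.php
Malware {ISPP}suspect.hidden.explode in /var/www/site-c/index.php
================================
Starting Wordpress check. This could take a while ...
Most decent version(s): 4.6
Outdated Wordpress version: 4.4.2 (newest is 4.6) in /var/www/site-a
Outdated Wordpress version: 3.6.1 (newest is 4.6) in /var/www/site-c
Wordpress check found 1 current and 2 outdated versions.
================================
Starting WP plugin version scan. This could take a while ...
Outdated WP plugin "contact-form-7" version: 4.4.1 (newest is 4.5) in /var/www/site-a
Outdated WP plugin "akismet" version: 3.1.9 (newest is 3.1.11) in /var/www/site-b
WP plugin version check found 20 current and 2 outdated versions.
EOF

# count_hits REPORT: number of "Malware {ISPP}... in <path>" lines.
count_hits() { grep -c '^Malware {ISPP}' "$1" || true; }

# outdated_cores REPORT: outdated CMS core installs (Wordpress, Joomla, Drupal, ...).
outdated_cores() { grep -c '^Outdated [A-Za-z]* version:' "$1" || true; }

# outdated_plugins REPORT: outdated WP plugin lines.
outdated_plugins() { grep -c '^Outdated WP plugin' "$1" || true; }

# hits_by_signature REPORT: "<count> <signature>" lines, most frequent first,
# so the triage order is obvious (post.eval hits are typically web shells).
hits_by_signature() {
  sed -n 's/^Malware \({ISPP}[^ ]*\) in .*/\1/p' "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# hit_paths REPORT: one affected path per line, to feed a quarantine or diff step.
hit_paths() { sed -n 's/^Malware {ISPP}[^ ]* in //p' "$1"; }

# needs_attention REPORT: succeed when there is anything to act on.
needs_attention() {
  [ "$(count_hits "$1")" -gt 0 ] || [ "$(outdated_cores "$1")" -gt 0 ] || [ "$(outdated_plugins "$1")" -gt 0 ]
}

# summarize REPORT: the few lines worth mailing.
summarize() {
  printf 'malware_hits=%s outdated_cores=%s outdated_plugins=%s\n' \
    "$(count_hits "$1")" "$(outdated_cores "$1")" "$(outdated_plugins "$1")"
  hits_by_signature "$1"
}

summarize "$SAMPLE_REPORT"
```

In cron, `needs_attention "$report" && summarize "$report"` produces output, and therefore mail, only when there is something to fix, which keeps a monthly "all clear" from training you to ignore the message.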

Seems to be pretty solid. Goes over WP installs and plugins, which is nice. I personally like to stick with the free and open source route because I like the community and I like a ton of eyes on the service or product I’m using, although I pay for Cloudflare because they are awesome (not really a scanner though).

Since you did mention you are here to learn, Linux Malware Detect is free and super easy to install / set up. Just make sure you use the ClamAV engine for scanning. Anyway, it can be configured to run a scan monthly or weekly and report the results. I have found it to be really good for sniffing out malware signatures, and it scans every single file on every install, so if someone sneaks a malware string only targeting an obscure browser setup into one or more of your .js files (which I see a ton when I’m fixing hacked WP sites for people), LMD always seems to catch it. The admin and normal user go about their day without knowing anything is wrong, but the poor sap who visits your site on IE9 or Opera gets redirected to a jersey sales website or worse. It’s an easy add and catches some stuff that may fall through the cracks of other scanners.

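A way to see what that browser-conditional redirect looks like to a scanner, as an added example rather than any part of LMD or its signature set: a scoring pass over JavaScript files that flags a file only when a browser-identity check co-occurs with a redirect and a decoding step, so an ordinary `navigator.userAgent` feature check on its own is not reported. The two sample files are constructed (the redirect target is example.com), the threshold of 3 is an assumption, and this is a triage heuristic for deciding what to diff against a clean copy of the library, not a substitute for signature scanning.

```shell
#!/bin/sh
# Added example (not LMD's signatures): a cheap triage pass for the
# browser-conditional redirect described above. It scores .js files on
# co-occurring indicators rather than matching one string, so a lone
# navigator.userAgent feature check is not flagged. Both sample files are
# constructed; the redirect target is example.com.
set -eu

JS_SCORE_THRESHOLD="${JS_SCORE_THRESHOLD:-3}"   # assumption: 3 of 4 families

SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/clean.js" <<'EOF'
// constructed: ordinary feature detection, no redirect, no decoding
if (navigator.userAgent.indexOf('MSIE') !== -1) {
  document.body.className += ' legacy-ie';
}
EOF
cat > "$SAMPLE_DIR/injected.js" <<'EOF'
/* constructed: the kind of line appended to the end of a real library file */
var _u=navigator.userAgent;if(/MSIE 9|Opera/.test(_u)){window.location.href=atob('aHR0cDovL2V4YW1wbGUuY29tLw==');}
EOF

# js_score FILE: one point per indicator family present in the file.
js_score() {
  score=0
  # 1. reads the browser identity at all
  if grep -Eq 'navigator\.(userAgent|appName|appVersion)' "$1"; then score=$((score+1)); fi
  # 2. singles out a browser family (the "only IE9 / Opera visitors get it" trick)
  if grep -Eq 'MSIE|Trident|Opera|OPR/' "$1"; then score=$((score+1)); fi
  # 3. sends the visitor somewhere or injects markup
  if grep -Eq '(window|document|top|self)\.location(\.href)?[[:space:]]*=|location\.replace\(|document\.write\(' "$1"; then score=$((score+1)); fi
  # 4. hides the payload behind decoding or eval
  if grep -Eq 'eval\(|unescape\(|String\.fromCharCode\(|atob\(|\\x[0-9a-fA-F]{2}' "$1"; then score=$((score+1)); fi
  echo "$score"
}

# scan_js_tree DIR: print "<score> <path>" for every .js file at or above the threshold.
scan_js_tree() {
  find "$1" -type f -name '*.js' | while IFS= read -r f; do
    s="$(js_score "$f")"
    if [ "$s" -ge "$JS_SCORE_THRESHOLD" ]; then
      printf '%s %s\n' "$s" "$f"
    fi
  done
}

scan_js_tree "$SAMPLE_DIR"
```

Run it as `scan_js_tree /srv/www/example/wp-content` after a clean-up to catch anything re-appended to theme or plugin scripts; anything it lists should be diffed against the upstream copy of that file rather than edited in place, since the injected line usually sits after the legitimate minified code.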

I kind of glossed over the fact that scanner was doing malware signatures in files, haha. Do they tell you how many signatures are in the scanning database? May be worth a look if they rival LMD as far as their scans.

When I installed it, I seem to recall it requiring ClamAV as a dependency (I think). So if that’s the case, it would make me think it would be identical to LMD with regards to its scanning sigs. Does that sound right?

Honestly I bet they use LMD as their malware scanner because it’s supposed to have the largest most up to date list of signatures.

Funny how things are so ironic: I just post that about Cloudflare WAF being great and I get an email from Wordfence saying they have a proof of concept on 3 of the largest exploits on WP plugins completely bypassing Cloudflare WAF on high. Now, I would take it with a grain of salt until I actually see their video, but either way I still love Cloudflare for their instant DNS, CDN, and SSL certs.

For reference: