I have created a tool to inspect a website for running scripts. Here is the description.

M-Walker

A tool to automatically monitor your site for running scripts.

Issue description

More than 640,000 Web sites and about 5.8 million pages are infected with malware. Most of these sites are not intentionally distributing malware and have been compromised without the knowledge of their webmasters.

Affecting website owners

When somebody tries to open your site, the message "This site may harm your computer" appears. This message can come from Google search results, an antivirus program or a web browser. That means that a search engine has detected malicious code on your website and your site is blocked from visitors. You lose page rank, and your site visitors may lose trust in you and never return to your site.

Affecting website visitors

Malicious software is often installed without your visitors' knowledge or permission when they visit these sites, and can include programs that delete data on the computer, steal personal information such as passwords and credit card numbers, or alter search results.

How do hackers get in?

Very abstractly, we can classify the possibilities into three levels:

# Webserver level - when the whole webserver is hacked.
# User account level - when a hacker can get some kind of read/write access to the source of the scripts used by a website through other scripts that are also used on this site.
# Local user level - when the webmaster's local PC is infected with a virus that can steal passwords or interact with an FTP session.

Some common ways this can occur:

# Hackers look for weaknesses they can exploit in a blog or website, usually a CMS.
# When a hacker has gained access to one of the sites located on a shared web host, he can also get access to other sites located on the same server.
# Once a webserver is hacked, the complete user database can be sold to a third party.

What is malicious code?
This is some code inside a web page that can load other code from a remote server, and this other code will install software on the visitor's PC using operating system or web browser bugs. We can abstractly classify these bugs as follows:

# Known bugs that can be fixed with updates that already exist from the operating system manufacturer, but the PC is not yet updated.
# Known bugs that are not yet fixed and for which there are no updates.
# Unknown or new bugs that can be used while the operating system manufacturer does not know that they exist.

Most commonly, malicious code contains something with iframe, script src or base64, but there are too many other ways for an advanced person to complete the goal and load something from another site. Because of this, we do not think it is really a good idea to look for some fixed code pattern in your page to ensure that your site is not infected. But we can capture which connections were made as a result of any executed code.

What does M-Walker do for website owners?

We can visit your site with a real web browser, capture all active connections that were made during this visit, check the IP addresses of these connections in a malware database and send you a report about it. This way you stay informed about what visitors' browsers or web crawlers see on your site, and you can delete malicious code to protect your website from blacklisting and your visitors' computers from possible infection.
How M-Walker works

M-Walker is a scheduled task that runs Internet Explorer 8 and CPorts at the same time. With IE the source code of a web page is read, and with CPorts every connection that was made is logged. Then a set of scripts and some other utilities check every logged IP address at malwareurl.com, compose an email with the result of this check and send it. So we do not need to decrypt difficult and often well-masked code, because IE has already done it. Finally, the system reverts to its pre-check state to stay free of infections. In this way we can get an extended overview of a website and inform you if some script tries to do something you don't know about.

You can try it at http://www.magic-net.nl/m-walker.php
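
The checking step described above, as an added example that is not M-Walker's own scripts: it takes a log of the connections made during one page visit, keeps only the browser's traffic, and sorts each remote endpoint into first-party, blocklisted or unknown third-party. The log layout, the function names, the site network and the local blocklist (standing in for the malware database lookup) are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample: connections logged while a browser loaded one page.
# The column layout is hypothetical, not the output format of any real tool.
SAMPLE_LOG = """process,remote_ip,remote_port,state
iexplore.exe,192.0.2.10,80,ESTABLISHED
iexplore.exe,192.0.2.10,80,ESTABLISHED
iexplore.exe,198.51.100.7,80,ESTABLISHED
svchost.exe,203.0.113.99,443,ESTABLISHED
iexplore.exe,203.0.113.45,8080,ESTABLISHED
iexplore.exe,not-an-ip,80,ESTABLISHED
"""

SITE_NETWORKS = ["192.0.2.0/24"]  # assumed: addresses the site itself serves from
BLOCKLIST = {"203.0.113.45"}      # constructed stand-in for a malware database lookup


def remote_endpoints(log_text, process="iexplore.exe"):
    """Return the unique, valid (ip, port) pairs opened by the browser process."""
    seen = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["process"].lower() != process:
            continue  # ignore background traffic from other processes
        try:
            endpoint = (str(ipaddress.ip_address(row["remote_ip"])), int(row["remote_port"]))
        except ValueError:
            continue  # skip malformed rows instead of aborting the whole check
        seen[endpoint] = True  # dict keeps first-seen order and drops duplicates
    return list(seen)


def classify(endpoints, site_networks, blocklist):
    """Split endpoints into blocklisted, first-party and unknown third-party."""
    nets = [ipaddress.ip_network(n) for n in site_networks]
    report = {"first_party": [], "listed": [], "third_party": []}
    for ip, port in endpoints:
        if ip in blocklist:  # checked first so a listed address is never hidden
            report["listed"].append((ip, port))
        elif any(ipaddress.ip_address(ip) in n for n in nets):
            report["first_party"].append((ip, port))
        else:
            report["third_party"].append((ip, port))
    return report


if __name__ == "__main__":
    print(classify(remote_endpoints(SAMPLE_LOG), SITE_NETWORKS, BLOCKLIST))
```

The third-party bucket is worth reporting alongside the listed one: an address that is not yet in any malware database but that the webmaster does not recognise is the case pattern matching on page source would miss.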