Skip to content

mpingu/magento-malware-scanner

 
 

Repository files navigation

Magento Malware Scanner

Magento is a profitable target for hackers. Since 2015, I have identified more than 20.000 compromised stores. In most cases, malware is inserted that will a) intercept customer data, b) divert payments or c) uses your customers for cryptojacking.

This project contains both a fast scanner to quickly find malware, and a collection of Magento malware signatures. They are recommended by Magento and used by the US Department of Homeland Security, the Magento Marketplace, Magereport, the Mage Security Council and many others.

March 2018: update your package/URL

Because the signatures have moved over to S3, you need to update your URL (if you use grep) or package (if you use mwscan). More info here.

Need help?

If you have a compromised store and are stuck, do get in touch, I am sure I can help you out!

Scan your site in 30 seconds

On a standard Linux or Mac OSX server, run two commands to find infected files:

wget https://mwscan.s3.amazonaws.com/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento

(if no files are shown, then nothing was found!)

mwscan

Advanced scanner for sysadmins: mwscan

Features:

  1. Automatically download latest malware signatures.
  2. Incremental scans: only display hits for new files. Plus, normal scanning may use lots of server power. So only scanning new files is a great optimization.
  3. Faster scanning: using Yara is 4-20x times faster than grep.
  4. Efficient whitelisting: some extension vendors have obfuscated their code so that it looks exactly like malware. We maintain a list of bad-looking-but-good-code to save you some false alarms.
  5. Extension filtering: most of the time, it is useless to scan image files, backups etc. So the default mode for the Malware Scanner is to only scan web code documents (html, js, php).

See advanced usage.

Test coverage

Build Status

Travis-CI verifies:

  • that all samples are detected
  • all signatures match at least one sample
  • Magento releases do not trigger false positives

About

Scanner and signatures for Magento malware

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • HTML 55.8%
  • PHP 32.2%
  • JavaScript 8.5%
  • Python 1.6%
  • NewLisp 1.1%
  • Click 0.4%
  • Other 0.4%