Skip to content

Latest commit

 

History

History
49 lines (29 loc) · 2.6 KB

README.md

File metadata and controls

49 lines (29 loc) · 2.6 KB

Magento Malware Scanner

Magento is a profitable target for hackers. Since 2015, I have identified more than 20.000 compromised stores. In most cases, malware is inserted that will a) intercept customer data, b) divert payments or c) uses your customers for cryptojacking.

This project contains both a fast scanner to quickly find malware, and a collection of Magento malware signatures. They are recommended by Magento and used by the US Department of Homeland Security, the Magento Marketplace, Magereport, the Mage Security Council and many others.

Commercial use

Early access signatures are available for contributors and commercial users such as hosting companies and payment processors. Contact me for early access.

Breach post-mortems

If you have a compromised store and are stuck, do get in touch. I am often hired to assist teams with complex breaches.

Scan your site in 30 seconds

On a standard Linux or Mac OSX server, run two commands to find infected files:

wget https://mwscan.s3.amazonaws.com/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento

(if no files are shown, then nothing was found!)

mwscan

Advanced scanner for sysadmins: mwscan

Features:

  1. Automatically download latest malware signatures.
  2. Incremental scans: only display hits for new files. Plus, normal scanning may use lots of server power. So only scanning new files is a great optimization.
  3. Faster scanning: using Yara is 4-20x times faster than grep.
  4. Efficient whitelisting: some extension vendors have obfuscated their code so that it looks exactly like malware. We maintain a list of bad-looking-but-good-code to save you some false alarms.
  5. Extension filtering: most of the time, it is useless to scan image files, backups etc. So the default mode for the Malware Scanner is to only scan web code documents (html, js, php).

See advanced usage.

Test coverage

Build Status

Travis-CI verifies:

  • that all samples are detected
  • all signatures match at least one sample
  • Magento releases do not trigger false positives