Magento is a profitable target for hackers. Since 2015, I have identified more than 20,000 compromised stores. In most cases, malware is inserted that will a) intercept customer data, b) divert payments or c) use your customers' browsers for cryptojacking.
This project contains both a fast scanner to quickly find malware and a collection of Magento malware signatures. The signatures are recommended by Magento and used by the US Department of Homeland Security, the Magento Marketplace, Magereport, the Mage Security Council and many others.
Because the signatures have moved over to S3, you need to update your URL (if you use grep) or package (if you use mwscan). More info here.
If you have a compromised store and are stuck, do get in touch, I am sure I can help you out!
On a standard Linux or Mac OSX server, run two commands to find infected files:
wget mwscan.s3.amazonaws.com/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento
(grep -l prints only the names of files that contain a match, so if no files are listed, no signature matched; -E treats each line of mwscan.txt as an extended regex and -r recurses into the store directory)
Features:
- Automatically download the latest malware signatures.
- Incremental scans: only report hits in files that are new or changed since the last run. A full scan can use a lot of server power, so restricting the scan to new files is a major optimization.
- Faster scanning: Yara is 4-20x faster than grep.
- Efficient whitelisting: some extension vendors have obfuscated their code so that it looks exactly like malware. We maintain a list of bad-looking-but-good code to save you some false alarms.
- Extension filtering: most of the time, it is useless to scan image files, backups etc. So the default mode of the Malware Scanner is to only scan web code documents (html, js, php).
See advanced usage.
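The grep one-liner above and the three optimisations in the feature list (extension filtering, whitelisting, incremental scanning) can be combined in a few lines of POSIX shell. The script below is an added example, not code from the mwscan project: the signature patterns, the store tree, the whitelist and the file names are constructed for the demo, and the content hash is taken with sha256sum (Linux coreutils). The real signature list is the mwscan.txt download shown above.

```shell
#!/bin/sh
# Added example (not part of mwscan): a miniature signature scanner built on
# "grep -Erlf", extended with extension filtering, hash-based whitelisting and
# incremental scanning. Everything below is CONSTRUCTED demo data.
set -u

# Build a throw-away "store" with: a clean PHP file, an infected PHP file,
# an infected-looking image (must be skipped by the extension filter) and an
# obfuscated-but-legitimate vendor file (must be skipped via the whitelist).
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/app/code/Vendor" "$root/media"
    printf '<?php echo "hello";\n' > "$root/index.php"
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' > "$root/app/code/skimmer.php"
    printf 'GIF89a eval(base64_decode("AAAA"))\n' > "$root/media/logo.gif"
    printf '<?php eval(base64_decode("bGVnaXRpbWF0ZQ=="));\n' > "$root/app/code/Vendor/Licensed.php"
    # Constructed signature list in the same shape as mwscan.txt: one
    # extended regex per line (hence grep -E).
    printf 'eval\\(base64_decode\\(\nString\\.fromCharCode\\(\n' > "$root/.sigs.txt"
    # Whitelist of known-good-but-ugly files, keyed by content hash.
    sha256sum "$root/app/code/Vendor/Licensed.php" | cut -d' ' -f1 > "$root/.whitelist.txt"
    # Back-date every fixture file so "changed since last scan" is deterministic.
    find "$root" -type f -exec touch -t 202001010000 {} +
    echo "$root"
}

# scan TREE SIGFILE WHITELIST [STATEFILE]
# Prints the path of every web code file (php/phtml/js/html) under TREE that
# matches a signature and whose sha256 is not whitelisted. When STATEFILE
# exists, only files modified after it are considered (incremental mode).
scan() {
    tree=$1; sigs=$2; whitelist=$3; state=${4:-}
    if [ -n "$state" ] && [ -f "$state" ]; then
        set -- "$tree" -type f -newer "$state"
    else
        set -- "$tree" -type f
    fi
    find "$@" \( -name '*.php' -o -name '*.phtml' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -Elf "$sigs" {} + 2>/dev/null |
    while IFS= read -r hit; do
        h=$(sha256sum "$hit" | cut -d' ' -f1)
        grep -qx "$h" "$whitelist" || echo "$hit"
    done | sort
}

demo() {
    root=$(build_fixture)
    echo "== full scan =="
    scan "$root" "$root/.sigs.txt" "$root/.whitelist.txt"
    # Record the scan time, then drop a fresh JS skimmer into the tree.
    touch -t 202101010000 "$root/.last_scan"
    mkdir -p "$root/js"
    printf 'document.write(String.fromCharCode(60,115,99,114,105,112,116,62));\n' > "$root/js/inject.js"
    echo "== incremental scan (changed since .last_scan) =="
    scan "$root" "$root/.sigs.txt" "$root/.whitelist.txt" "$root/.last_scan"
    rm -rf "$root"
}

demo
```

The full scan reports only app/code/skimmer.php: logo.gif matches a signature but is not a web code document, and Vendor/Licensed.php matches but its hash is whitelisted. The incremental run reports only js/inject.js, because the original files are older than the state file. Whitelisting by content hash rather than by path matters: an attacker who overwrites a whitelisted vendor file changes its hash and the file is scanned again.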
Travis-CI verifies:
- that all samples are detected
- that every signature matches at least one sample
- that Magento releases do not trigger false positives