Mage Malware Scanner Instructions

Quickstart & Run Anywhere

wget https://magesec.org/download/grep-standard.txt
grep -Erlf grep-standard.txt /path/to/magento

Install on Debian/Ubuntu

# Install prerequisites on Debian/Ubuntu flavoured server
sudo apt install -qy python-pip gcc python-dev
sudo pip install --upgrade mwscan

Install on CentOS

# If you don't have EPEL yet, for CentOS 6:
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
sudo rpm -ivh epel-release-latest-6.noarch.rpm
# Install prerequisites on CentOS flavoured server
sudo yum -y install python-pip python-devel python-requests gcc
sudo pip install argparse
sudo pip install --upgrade mwscan

Install on OSX

# Install prerequisites in a Mac OSX environment
brew install yara python
sudo pip install --upgrade mwscan

Run Manually

Once mwscan is installed using the instructions above, run it against your Magento directory; any hits are printed:

mwscan --ruleset magesec /path/to/magento

Example results:

eval_post /path/to/magento/media/dhl/info.php
obfuscated_eval /path/to/magento/skin/backdoor1.php
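
For triage after a scan, the following added example (not part of mwscan or the original instructions) turns the hit list into one record per flagged file with its SHA-256 and modification time. It assumes every output line has the form shown in the example results (rule name, whitespace, path) and that GNU coreutils (sha256sum, stat -c) are available; the function names hit_report and rule_summary are hypothetical.

```shell
#!/bin/sh
# Added example, not part of mwscan. Assumes each hit line is "<rule> <path>",
# as in the example results, and GNU coreutils (sha256sum, stat -c).

# hit_report (hypothetical name): read hits on stdin and write one
# tab-separated record per hit: rule, sha256, mtime (epoch seconds), path.
hit_report() {
    # "read -r rule path" puts everything after the first field into $path,
    # so paths that contain spaces stay intact.
    while read -r rule path; do
        [ -n "$path" ] || continue          # skip blank or malformed lines
        if [ -f "$path" ]; then
            sum=$(sha256sum < "$path" | cut -d' ' -f1)
            mtime=$(stat -c %Y -- "$path" 2>/dev/null || echo -)
        else
            # File was removed or renamed between the scan and triage
            sum=MISSING
            mtime=-
        fi
        printf '%s\t%s\t%s\t%s\n' "$rule" "$sum" "$mtime" "$path"
    done
}

# rule_summary (hypothetical name): read hit_report records on stdin and
# print "<count> <rule>", most frequent rule first.
rule_summary() {
    cut -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample input (the two lines from the example results).
# With a real scan: mwscan --ruleset magesec /path/to/magento | hit_report
printf '%s\n' \
    'eval_post /path/to/magento/media/dhl/info.php' \
    'obfuscated_eval /path/to/magento/skin/backdoor1.php' | hit_report
```

Keeping this report with the incident notes preserves a hash and timestamp for each flagged file before anything is cleaned up.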

Run Automatically Using Cron

The recommended setup is to follow the installation instructions above and then run mwscan nightly from cron. This cron job updates to the latest rules every night, scans your Magento store and mails you if anything was found:

cat <<'EOM' | sudo tee /etc/cron.d/mwscan

MAILTO=you@yourdomain.com
MAGENTO=/path/to/magento

10 2 * * * root /usr/bin/mwscan --ruleset magesec --quiet --newonly $MAGENTO
EOM

Run Automatically Using Advanced Cron

This cron job ensures that only a single scan runs at a time, logs timestamped new finds to /var/log/mwscan.log and mails them to the supplied address. It requires util-linux, moreutils and mailutils on Ubuntu/Debian for flock, ifne, ts, and mail:

cat <<'EOM' | sudo tee /etc/cron.d/mwscan

MAILTO=you@yourdomain.com
MAGENTO=/var/www/magento

MWSCAN=/usr/bin/mwscan
# cron does not expand "~" in variable values, so the lock file needs an absolute path
MWSCANLOCK=/var/lock/mwscan.lock
MWSCANLOG=/var/log/mwscan.log
MWSCANFROM="From: Malware Scanner <noreply@yoursite.com>"
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# $MWSCANFROM is quoted so the whole From header reaches mail as one argument
0 2 * * * root flock -n $MWSCANLOCK $MWSCAN --ruleset magesec --newonly --quiet $MAGENTO | ts | tee -a $MWSCANLOG | ifne mail -s "Malware found at $(hostname)" -a "$MWSCANFROM" $MAILTO
EOM

Troubleshooting

When you receive the error pkg_resources.DistributionNotFound: requests, try to upgrade the requests package as follows:

yum -y reinstall python-requests

Download full scanner source

git clone https://github.com/gwillem/magento-malware-scanner.git
or download directly from
https://github.com/gwillem/magento-malware-scanner

IPS in Apache/Nginx

The malware fingerprints are also published as mod_security rules to be used as an Intrusion Prevention System in Apache and Nginx:

wget https://magesec.org/download/modsecurity.conf

Follow us on Twitter @mage_sec for the latest Magento security news. Contribute to the magesec.org website on GitHub at magesec/magesec.