Mage Malware Scanner Instructions

Quickstart & Run Anywhere

grep -Erlf grep-standard.txt /path/to/magento

Install on Debian/Ubuntu

# Install prerequisites on Debian/Ubuntu flavoured server
sudo apt install -qy python-pip gcc python-dev
sudo pip install --upgrade mwscan

Install on Centos

# If you don't have EPEL yet, for CentOS 6:
sudo rpm -ivh epel-release-latest-6.noarch.rpm
# Install prerequisites on Centos flavoured server
sudo yum -y install python-pip python-devel python-requests gcc
sudo pip install argparse
sudo pip install --upgrade mwscan 

Install on OSX

# Install prerequisites on a Mac OSX environemnt
brew install yara python
sudo pip install --upgrade mwscan

Run Manually

Once installed using the instructions above, you can now run and any hits will appear:

mwscan --ruleset magesec /path/to/magento

Example results:

eval_post /path/to/magento/media/dhl/info.php
obfuscated_eval /path/to/magento/skin/backdoor1.php

Run Automatically Using Cron

It is recommended to follow the installation instructions above and then run nightly from cron. This will update the latest rules every night, run a scan on your Magento store and mail you if anything was found:

cat <<'EOM' | sudo tee /etc/cron.d/mwscan

10 2 * * * root /usr/bin/mwscan --ruleset magesec --quiet --newonly $MAGENTO

Run Automatically Using Advanced Cron

This cron will ensure only a single concurrent scan, will log timestamped new finds to /var/log/mwscan.log and mail them to the supplied address. Requires util-linux, moreutils and mailutils on Ubuntu/Debian for flock, ifne, ts, and mail:

cat <<'EOM' | sudo tee /etc/cron.d/mwscan

MWSCANFROM="From: Malware Scanner <>"

0 2 * * * root flock -n $MWSCANLOCK $MWSCAN --ruleset magesec --newonly --quiet $MAGENTO | ts | tee -a $MWSCANLOG | ifne mail -s "Malware found at $(hostname)" -a $MWSCANFROM $MAILTO


When you receive the error pkg_resources.DistributionNotFound: requests try to upgrade the request package as follows:

yum -y reinstall python-requests

Download full scanner source

git clone
or download directly from

IPS in Apache/Nginx

The malware fingerprints are also published as mod_security rules to be used as an Intrusion Prevention System in Apache and Nginx:


Follow us on twitter @mage_sec for the latest Magento security news. Contribute to the website on github magesec/magesec.