Scanner, signatures and the largest collection of Magento malware
Latest commit 9350deb Oct 17, 2018

README.md

Magento Malware Scanner

Magento is a profitable target for hackers. Since 2015, I have identified more than 40.000 compromised stores. In most cases, malware is inserted that will a) intercept customer data, b) divert payments or c) uses your customers for cryptojacking.

This project contains both a fast scanner to quickly find malware, and a collection of Magento malware signatures. They are recommended by Magento and used by the US Department of Homeland Security, the Magento Marketplace, Magereport, the Mage Security Council and many others.

Breach post-mortems

If you have a compromised store and are stuck, do get in touch.

Scan your site in 30 seconds

On a standard Linux or Mac OSX server, run two commands to find infected files:

wget https://mwscan.s3.amazonaws.com/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento

(if no files are shown, then nothing was found!)

mwscan

Advanced scanner for sysadmins: mwscan

Features:

  1. Automatically download latest malware signatures.
  2. Incremental scans: only display hits for new files. Plus, normal scanning may use lots of server power. So only scanning new files is a great optimization.
  3. Faster scanning: using Yara is 4-20x times faster than grep.
  4. Efficient whitelisting: some extension vendors have obfuscated their code so that it looks exactly like malware. We maintain a list of bad-looking-but-good-code to save you some false alarms.
  5. Extension filtering: most of the time, it is useless to scan image files, backups etc. So the default mode for the Malware Scanner is to only scan web code documents (html, js, php).

See advanced usage.

Test coverage

Build Status

Travis-CI verifies:

  • that all samples are detected
  • all signatures match at least one sample
  • Magento releases do not trigger false positives