Permalink
a1b9786 May 28, 2018
3 contributors

Users who have contributed to this file

@gwillem @jissereitsma @mpchadwick
107 lines (68 sloc) 2.73 KB

Basic usage

wget mwscan.s3.amazonaws.com/mwscan.txt
grep -Erlf mwscan.txt /var/www

Advanced scan for sysadmins

For faster scanning and more features, you can install the scanner from this repository.

Using Debian/Ubuntu

# Install prerequisites on Debian/Ubuntu flavoured server
sudo apt install -qy python-pip gcc python-dev
sudo pip install --no-cache-dir --upgrade mwscan

Using CentOS

# If you don't have EPEL yet, for CentOS 6:
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
sudo rpm -ivh epel-release-latest-6.noarch.rpm

# CentOS 6 only:
sudo easy_install --upgrade requests

# All CentOS: 
sudo yum -y install python-pip python-devel gcc
sudo pip install --no-cache-dir --upgrade mwscan 

Using Mac OSX

# Install prerequisites on a Mac OSX environemnt
brew install yara python
sudo pip install --no-cache-dir --upgrade mwscan

Run manually

If you have installed through pip, you can now run this and any hits will appear

mwscan /Users/frosit/Werk/Security/mage17

# this will for example show:
eval_post /Users/frosit/Werk/Security/mage17/media/dhl/info.php
obfuscated_eval /Users/frosit/Werk/Security/mage17/skin/backdoor1.php

Running from cron

It is recommended to run nightly from cron. This will download the latest rules every night, run a scan on your Magento store and mail you if anything was found.

cat <<'EOM' | sudo tee /etc/cron.d/mwscan

MAILTO=youremail@etc
MAGENTO=/var/www/magento
MWSCAN=/usr/bin/mwscan

10 2 * * * root $MWSCAN --quiet --newonly $MAGENTO
EOM

Advanced cron

This cron will ensure only a single concurrent scan, will log timestamped new finds to /var/log/mwscan.log and mail them to the supplied address. Requires util-linux, moreutils and mailutils on Ubuntu/Debian for flock, ifne, ts, and mail.

MAILTO=your@address
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 2 * * * root flock -n ~/.mwscan.lock mwscan --newonly --quiet /data/web | ts | tee -a /var/log/mwscan.log | ifne mail -s "Malware found at $(hostname)" -a 'From: Malware Scanner <noreply@yoursite.com>' $MAILTO

External Scan

You can run an external scan by using wget to download a page and then running the result through magento-malware-scanner.

For example, to process a page with all page requisites.

d=`date +%y%m%d%H%M%S` wget -p -q -H -P scan-$d https://www.example.com/ && grep -Erlf mwscan.txt scan-%d

Troubleshooting

pkg_resources.DistributionNotFound: requests

When you get this error, you could try to upgrade the request package:

easy_install --upgrade requests

ImportError: No module named argparse

This might happen on CentOS. Try:

easy_install argparse