/magento-malware-scanner

A collection of rules and samples to detect Magento malware

Primary LanguageHTMLGNU General Public License v3.0GPL-3.0

6 April, 2017: Magento Marketplace uses this scanner for new extensions

27 March, 2017: this scanner is now used by the Mage Security Council

Scan your site in 30 seconds

On a standard Linux or Mac OSX server, run two commands to find infected files:

wget git.io/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento

mwscan

Advanced scanner for sysadmins: mwscan

Features:

  1. Incremental scans: only display hits for new files. Plus, normal scanning may use lots of server power. So only scanning new files is a great optimization.
  2. Faster scanning: using Yara is 4-20x times faster than grep.
  3. Efficient whitelisting: some extension vendors have obfuscated their code so that it looks exactly like malware. We maintain a list of bad-looking-but-good-code to save you some false alarms.
  4. Extension filtering: most of the time, it is useless to scan image files, backups etc. So the default mode for the Malware Scanner is to only scan web code documents (html, js, php).

See advanced usage.

Objective

For the free MageReport we already analyse lots of malware samples. Now, many system administrators are doing the same work. That's incredibly inefficient. Goal:

Once a particular strain of malware has been found and analyzed, nobody should have to duplicate these efforts.

This repository is a community effort of security conscious people. Contributions most welcome!

Test coverage

Build Status

Travis-CI verifies:

  • that all samples are detected
  • all signatures match at least one sample
  • Magento releases do not trigger false positives