Magento External Malware Scans

Published: August 5, 2017


magento-malware-scanner is an extremely valuable tool to help keep your Magento installation secure. Scanning a codebase for malware is dead simple…

wget git.io/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento

However, it’s equally if not more important to run an external scan of your Magento installation. Here I’ll cover why and how.

Why Do I Need To Run An External Scan?

The reason you need to run an external scan is because simply scanning your codebase misses cases where the malware is injected into the database. This class of attack is extremely common because the attacker can install malware simply by accessing the admin panel and updating “miscellaneous html” or a CMS block and does not need access to the file system on the server.

How Do I Do It?

Fortunately, it’s not particularly difficult to run an external scan. You can use wget to download the contents of a page and then send the returned HTML to magento-malware-scanner.

wget -O result https://www.example.com && grep -Elf mwscan.txt result

What If The Malware Is Not Inlined?

wget -O will catch cases where the malware is inlined into the HTML document; however, it will miss cases where the malware is referenced via a <script> tag. To solve this we can use the -p flag to download the “page requisites”. This will also download the scripts referenced via a <script> tag.

wget -p https://www.example.com && grep -Erlf mwscan.txt www.example.com

What If The Malware Is Hosted Elsewhere?

Good point: the -p flag by default will only download assets from the same host. We need to combine it with the -H flag (span hosts) to download from other hosts as well.

It’s easiest to additionally use the -P flag (directory prefix) to put everything into a single folder.

wget -p -H -P scan https://www.example.com && grep -Erlf mwscan.txt scan

At this point we will be scanning both the inlined JavaScript and the JavaScript referenced via <script> tags, regardless of which host serves it.

Leveling Up Your External Scans

Scanning https://www.example.com is great, but what if the malware is in a static block that is only inserted into the page on the checkout page? In that case, we won’t catch it.

To help deal with this problem, I built Mpchadwick_MwscanUtils. Currently the tool allows the following…

  1. Send a request to https://www.example.com/mwscanutils/contentdump. This endpoint will simply dump ALL the content from EVERY CMS page and block, as well as the contents of the miscellaneous scripts and miscellaneous HTML fields.
  2. The ability to fetch the HTML for the checkout page via wget. Typically the request would be redirected because the session contains no quote items; however, if you pass the mwscanutils_force param the page will still be loaded (https://www.example.com/checkout/onepage/index/mwscanutils_force/1).

The module was built for Magento 1 as the lion’s share of live Magento installations are still running Magento 1, but it wouldn’t be difficult to port over to Magento 2.

The tool is 100% free and open source and is available on GitHub.

Some Final Pro Tips

A couple final pro-tips with external scans…

  1. Regularly run both an internal and external scan against your Magento installation. Ideally you should be doing this on a cron. You can also use wget’s -q flag to prevent it from making any noise.
  2. Run your external scans on a dedicated server that is not the server hosting the Magento installation. If the attacker gains access to the Magento system they could simply disable the cronjob, preventing you from ever getting any alerts.
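As an added example (not code from the original post or from the Mpchadwick_MwscanUtils project), here is a cron-friendly script that ties the steps above together: it fetches the storefront with its page requisites from any host, the forced checkout page and the content dump, then greps the lot against the signature list. The function names scan_dir and fetch_targets are my own, and it assumes mwscan.txt has already been downloaded next to the script as shown at the top of the post.

```shell
#!/bin/sh
# Added example: external Magento malware scan, meant to run from cron
# on a box other than the store server. Assumes ./mwscan.txt exists.

# scan_dir DIR PATTERNS: grep every downloaded file under DIR against the
# signature list. Returns 0 when clean, 1 (and lists the files) on a hit.
scan_dir() {
    dir=$1; patterns=$2
    # grep -l exits 1 when nothing matches; "|| true" keeps set -e callers alive
    hits=$(grep -Erlf "$patterns" "$dir" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'Signature match in:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# fetch_targets BASE_URL OUTDIR: download the pages to inspect into OUTDIR.
#   -q quiet (cron friendly), -p page requisites, -H span hosts, -P prefix dir.
# Each wget is allowed to fail so one unreachable endpoint does not abort the scan.
fetch_targets() {
    base=$1; out=$2
    wget -q -p -H -P "$out" "$base/" || true
    # Checkout page, forced to render without quote items (Mpchadwick_MwscanUtils)
    wget -q -p -H -P "$out" "$base/checkout/onepage/index/mwscanutils_force/1" || true
    # Dump of every CMS page/block plus miscellaneous scripts/HTML fields
    wget -q -O "$out/contentdump.html" "$base/mwscanutils/contentdump" || true
}

# A real scan runs only when a store URL is passed, e.g. from cron:
#   */30 * * * * /path/to/scan.sh https://www.example.com
if [ -n "$1" ]; then
    out=$(mktemp -d)
    fetch_targets "$1" "$out"
    scan_dir "$out" mwscan.txt
    status=$?
    rm -rf "$out"
    exit $status
fi
```

A non-zero exit from cron (or the printed file list) is the alert; pipe it into whatever notification your cron setup already mails.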

Happy scanning!

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but also dabbles in Ruby and Go. Technical topics that interest me are monitoring, security and performance.

During the day I solve challenging technical problems at Something Digital where I mainly work with the Magento platform. I also blog about tech, work on open source and hunt for bugs.

I built a tool called Domain Clamp which monitors and alerts about expiring domains and SSL certificates.

If you'd like to get in touch with me the best way is on Twitter.