Magento External Malware Scans

Published: August 5, 2017

magento-malware-scanner is an extremely valuable tool to help keep your Magento installation secure. Scanning a codebase for malware is dead simple…

$ wget git.io/mwscan.txt
$ grep -Erlf mwscan.txt /path/to/magento

However, it’s equally if not more important to run an external scan of your Magento installation. Here I’ll cover why and how.

Why Do I Need To Run An External Scan?

The reason you need to run an external scan is because simply scanning your codebase misses cases where the malware is injected into the database. This class of attack is extremely common because the attacker can install malware simply by accessing the admin panel and updating “miscellaneous html” or a CMS block and does not need access to the file system on the server.

How Do I Do It?

Fortunately, it’s not particularly difficult to run an external scan. You can use wget to download the contents of a page and then send the returned HTML to magento-malware-scanner.

$ wget -O result https://www.example.com && grep -Elf mwscan.txt result

What If The Malware Is Not Inlined?

wget -O will catch cases where the malware is inlined into the HTML document; however, it will miss malware that is only referenced via a <script> tag. To solve this we can use the -p flag to download the “page requisites”. This will also download the scripts referenced via a <script> tag.

$ wget -p https://www.example.com && grep -Erlf mwscan.txt www.example.com

What If The Malware Is Hosted Elsewhere?

Good point, the -p flag by default will only download the assets from the same host. We need to combine it with the -H flag (span hosts) to download from other hosts as well.

It’s easiest to additionally use the -P flag (directory prefix) to put everything into a single folder.

$ wget -p -H -P scan https://www.example.com && grep -Erlf mwscan.txt scan

At this point we will be scanning all inlined and <script>-referenced JavaScript.

Leveling Up Your External Scans

Scanning https://www.example.com is great, but what if the malware is in a static block that is only inserted into the page on the checkout page? In that case, we won’t catch it.

To help deal with this problem, I built Mpchadwick_MwscanUtils (Magento 1) and Mpchadwick_MwscanUtils2 (Magento 2). Currently the tool allows the following…

  1. Send a request to https://www.example.com/mwscanutils/contentdump. This endpoint will simply dump ALL the content from EVERY CMS page and block, as well as the contents of the miscellaneous scripts and miscellaneous HTML fields.
  2. The ability to fetch the HTML for the checkout page via wget. Typically the request would be redirected because the session does not contain any quote items; however, if you pass the mwscanutils_force param the page will still be loaded (https://www.example.com/checkout/onepage/index/mwscanutils_force/1). (Currently only in the Magento 1 version.)
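The following script is an added example and is not code from the post or from the Mpchadwick_MwscanUtils project. It wraps the wget/grep procedure from the sections above (page plus cross-host requisites, then grep -Erlf with the pattern file) and the two MwscanUtils requests (the contentdump endpoint and the forced checkout page) into shell functions, and it builds a constructed site tree with a constructed stand-in pattern file so the grep step can be exercised offline. The function names, the mktemp-based layout, and the demo pattern are assumptions for this example; the URL paths are the ones the post names (Magento 1 layout).

```shell
#!/bin/sh
# Added example; not from the original post or the MwscanUtils project.

# fetch_site URL DEST
# Mirrors the page and its requisites from any host into DEST
# (wget -p -H -P as described in the post; -q keeps cron output quiet).
# wget -p exits non-zero if any single requisite fails, so we warn
# but still scan whatever was downloaded.
fetch_site() {
  wget -q -p -H -P "$2" "$1" \
    || echo "warning: some requisites of $1 failed to download" >&2
}

# scan_dir PATTERNS DIR
# Runs the pattern file over every file under DIR. Same convention as grep:
# exit status 0 means at least one file matched (and is printed), 1 means none.
scan_dir() {
  grep -Erlf "$1" "$2"
}

# external_scan URL PATTERNS
# The full procedure from the post: front page with requisites, the CMS/block
# content dump, and the forced checkout page, all scanned in one go.
# Needs network access; not exercised by the offline demo below.
external_scan() {
  url=$1; patterns=$2
  dest=$(mktemp -d)
  fetch_site "$url" "$dest"
  wget -q -O "$dest/contentdump.html" "$url/mwscanutils/contentdump"
  wget -q -O "$dest/checkout.html" \
    "$url/checkout/onepage/index/mwscanutils_force/1"
  scan_dir "$patterns" "$dest"
}

# make_demo_tree
# Builds a constructed mirror: a clean index page, a benign external script,
# one page with a matching inlined script, and a separate all-clean tree.
# The pattern file is a constructed stand-in for mwscan.txt, NOT the real list.
# Prints the base directory so callers can scan it.
make_demo_tree() {
  base=$(mktemp -d)
  mkdir -p "$base/site/www.example.com/js" "$base/clean"
  # one ERE line, matching the literal text eval(atob(
  printf 'eval\\(atob\\(\n' > "$base/patterns.txt"
  cat > "$base/site/www.example.com/index.html" <<'EOF'
<html><body><h1>Store</h1><script src="js/app.js"></script></body></html>
EOF
  cat > "$base/site/www.example.com/js/app.js" <<'EOF'
document.getElementById('cart').addEventListener('click', function () { /* constructed, benign */ });
EOF
  # constructed marker page: the base64 string decodes to the word "constructed"
  printf '<script>eval(atob("Y29uc3RydWN0ZWQ="));</script>\n' \
    > "$base/site/www.example.com/checkout.html"
  cp "$base/site/www.example.com/index.html" "$base/clean/index.html"
  printf '%s\n' "$base"
}
```

For a real run you would call external_scan with the store URL and the downloaded mwscan.txt (e.g. `external_scan https://www.example.com mwscan.txt`) from a cron job on the dedicated scanning host; the demo tree exists only so the grep half of the procedure can be checked without touching a live site.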

Some Final Pro Tips

A couple final pro-tips with external scans…

  1. Regularly run both an internal and external scan against your Magento installation. Ideally you should be doing this on a cron. You can also use wget’s -q flag to prevent it from making any noise.
  2. Run your external scans on a dedicated server that is not the server hosting the Magento installation. If the attacker gains access to the Magento system they could simply disable the cron job, preventing you from ever getting any alerts.

Happy scanning!

Max Chadwick

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but loves dabbling in other languages like Go and Ruby. Technical topics that interest me are monitoring, security and performance. I'm also a stickler for good documentation and clear technical writing.

During the day I lead a team of developers and solve challenging technical problems at Rightpoint where I mainly work with the Magento platform. I've also spoken at a number of events.

In my spare time I blog about tech, work on open source and participate in bug bounty programs.

If you'd like to get in contact, you can find me on Twitter and LinkedIn.