December 9, 2016
To help merchants manage recent increases in malware attacks, Magento has published best practices and recommendations for protecting and remediating sites. As part of this guidance, advanced users were encouraged to use a new set of malware discovery rules provided by the author of Magereport.com. These rules are an excellent resource supported by the security community and can detect specific infected files on your site.
Magento Security encourages the use of these rules, which include full instructions for installation. This article provides additional information on how to set up your site to use the malware self-scanning tool.
Installation & System Prerequisites
The malware discovery toolset is hosted on GitHub and requires that Git and the yara and python packages be installed on the operating system. Use the following steps to install the prerequisites.
Install Git for your server or local machine by following the instructions located here: Git installation instructions
If you are using a Debian/Ubuntu machine or server, use the following to install the required packages:
sudo apt install yara python3
If you are using macOS, first install Homebrew:
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Then install python and yara with Homebrew:
brew install yara python3
Installing the Malware Scanning Tool
Once you have finished installing Git, Python and yara, download the malware tool and scan your Magento site using the following commands:
Clone the malware repository from GitHub
git clone https://github.com/gwillem/magento-malware-scanner.git
Validate Malware Signatures and Samples
Scanning Magento Files and Site
The Yara scanner works only on files and directories. Many types of malware hide in the database and are only displayed when accessing the site. To scan those locations, you need to download the site homepage to the same directory that will be scanned. Make sure to NOT put those files into a publicly accessible directory and to remove them after scanning. Steps to scan these locations include:
Download your site homepage for scanning analysis
curl -o output.html http://yoursite.com
Create a dump of the database; details are described here. You can find the database connection details in your Magento app/etc/local.xml file.
Scan the Magento site for Malware
Run the following from inside the cloned magento-malware-scanner directory, so that the relative rules/ path resolves. Scan the Magento code tree first (replace the placeholder with the path to your Magento root), then the folder holding the downloaded homepage and the database dump:
yara -r rules/all-confirmed.yar magento-root-folder/
yara -r rules/all-confirmed.yar site-index-and-sql-dump-folder/
Viewing Malware Results
If the malware tool discovers malware, you will see output similar to the following in your command window (each match is printed as the rule name followed by the path of the matching file):
yara -r rules/all-confirmed.yar /Users/scanner/code/m1vg/ 2> /dev/null
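The following script, added here as an example and not code from the Magento article or from the magento-malware-scanner project, strings the steps above together: it creates a private scratch directory outside the webroot, downloads the homepage, dumps the database using the connection details from app/etc/local.xml (Magento 1 layout assumed), runs the confirmed rule set over both the code tree and the scratch copies, removes the scratch copies, and condenses the yara output into a per-rule count. The three arguments (Magento root, clone directory, site URL) are hypothetical inputs, and curl, mysqldump and yara are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the Magento article or from the
# magento-malware-scanner project. Hypothetical inputs:
#   $1 = Magento document root
#   $2 = directory where https://github.com/gwillem/magento-malware-scanner was cloned
#   $3 = the site URL
# Needs curl, mysqldump and yara on PATH when actually scanning.

# Read a CDATA value such as <host><![CDATA[localhost]]></host> from
# app/etc/local.xml (Magento 1 layout); prints the first match only.
xml_value() {
  sed -n "s:.*<$1><!\[CDATA\[\([^]]*\)]]></$1>.*:\1:p" "$2" | head -n 1
}

# Succeed only when $1 is neither $2 nor a path beneath it.
is_outside_dir() {
  case "$1" in
    "$2"|"$2"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Create a mode-700 scratch directory outside the webroot ($1), so the
# downloaded homepage and the database dump are never publicly served.
make_scratch_dir() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/magescan.XXXXXX") || return 1
  if ! chmod 700 "$dir" || ! is_outside_dir "$dir" "$1"; then
    rm -rf "$dir"
    return 1
  fi
  printf '%s\n' "$dir"
}

# Condense raw yara output (one "rule_name path" line per match, plus
# "0x..." string-offset lines when -s is used) into "count rule_name".
summarize_matches() {
  awk '$1 !~ /^0x/ && NF >= 2 { count[$1]++ }
       END { for (r in count) print count[r], r }' | sort -rn
}

run_scan() {
  magento_root=$1; scanner_dir=$2; site_url=$3
  local_xml="$magento_root/app/etc/local.xml"
  rules="$scanner_dir/rules/all-confirmed.yar"
  scratch=$(make_scratch_dir "$magento_root") || {
    echo "could not create a private scratch directory" >&2; return 1; }

  # 1. The rendered homepage exposes injections that live only in the database.
  curl -fsSL -o "$scratch/homepage.html" "$site_url" \
    || echo "warning: homepage download failed" >&2

  # 2. Dump the database. Credentials go through a mode-600 defaults file,
  #    not the command line, where other local users could read them in ps.
  cnf="$scratch/my.cnf"
  ( umask 077
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
      "$(xml_value host "$local_xml")" "$(xml_value username "$local_xml")" \
      "$(xml_value password "$local_xml")" > "$cnf" )
  mysqldump --defaults-extra-file="$cnf" "$(xml_value dbname "$local_xml")" \
    > "$scratch/db.sql" || echo "warning: database dump failed" >&2
  rm -f "$cnf"

  # 3. Scan the code tree and the scratch copies with the confirmed rules.
  #    stderr is dropped, as in the article, to hide yara's per-file warnings.
  matches=$( { yara -r "$rules" "$magento_root"; yara -r "$rules" "$scratch"; } 2>/dev/null )
  rm -rf "$scratch"

  if [ -n "$matches" ]; then
    printf '%s\n' "$matches"
    echo "--- matches per rule ---"
    printf '%s\n' "$matches" | summarize_matches
    return 2   # non-zero so a cron job or CI step notices the finding
  fi
  echo "no matches"
}

# Usage: sh magescan.sh /var/www/magento ~/magento-malware-scanner https://yoursite.com/
if [ "$#" -eq 3 ]; then
  run_scan "$1" "$2" "$3"
fi
```

The scratch directory is created with mktemp under TMPDIR and refused if it would land inside the Magento root, which is the article's "NOT in a publicly accessible directory" rule enforced mechanically; the database password is written to a 600-permission defaults file for mysqldump rather than passed as a command-line argument, and the whole scratch directory is removed before the script prints its results. A return code of 2 on any match makes the script usable from cron or a deployment check.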
Reviewing Malware Results Checklist
If the scan confirms that your site has been impacted by malware, Magento recommends that you check your site for other issues using Magereport.com, a free service that provides insight into your security status. Work with your Solution Partner or developer to clean your site and follow our recommended site remediation steps:
Deploy any missing security patches and address other issues discovered by the Magereport.com scan. Enterprise Edition patches are available in My Account and Community Edition patches are posted on the Community Edition download page under the Release Archive tab.
Protect yourself against password guessing, which is increasingly being used to attack sites that have all security patches in place.
Implement Magento Security Best Practices to further protect your site.
Sign up to receive Magento security notifications to stay up-to-date on security recommendations and issues.