Detect Malware with New Discovery Rules

December 9, 2016

by: Magento Security Team, John Steer

To help merchants manage recent increases in malware attacks, Magento has published best practices and recommendations for protecting and remediating sites. As part of this guidance, advanced users were encouraged to use a new set of malware discovery rules provided by the author of Magereport.com. These rules are an excellent resource supported by the security community and can detect specific infected files on your site.

Magento Security encourages the use of these rules, which come with full installation instructions. This article provides additional information on how to set up your site to use the malware self-scanning tool.

Installation & System Prerequisites

The malware discovery toolset is hosted on GitHub and requires that Git and the yara and python packages be installed on the operating system. Use the following steps to install the prerequisites.

  • Install Git for your server or local machine by following the instructions located here: Git installation instructions

  • If you are using a Debian/Ubuntu machine or server, use the following to install the required packages:
    sudo apt install yara python3

  • If you are using macOS, you can install yara using Homebrew:

    • Install the Xcode command-line tools
      xcode-select --install

    • Install Homebrew
      ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

    • Install python and yara
      brew install yara python3


Installing the Malware Scanning Tool

Once Git and python are installed, download the malware tool and scan your Magento site using the following commands:

  • Clone the malware repository from GitHub
    git clone https://github.com/gwillem/magento-malware-scanner.git

  • Validate the malware signatures and samples (run from inside the cloned directory)
    cd magento-malware-scanner
    python tools/runtests.py

Scanning Magento Files and Site

The Yara scanner works only on files and directories, but many types of malware hide in the database and only appear in the pages served to visitors. To scan those locations, download the site homepage (and a database dump) into the directory that will be scanned. Make sure NOT to put those files in a publicly accessible directory, and remove them after scanning. The steps are:

  • Download your site homepage for scanning analysis
    curl -o output.html http://yoursite.com

  • Create dump of the database – details are described here (and you can find database connection details in your Magento app/etc/local.xml file)

  • Scan the Magento site for malware (from inside the cloned directory)
    cd magento-malware-scanner
    yara -r rules/all-confirmed.yar site-index-and-sql-dump-folder/
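The three steps above, wrapped into a reusable script as an added example (not code from the Magento post or from the scanner project); it also condenses the "rule path" lines that yara prints (see the sample under Viewing Malware Results) into one line per infected file. It assumes yara and curl are installed, the repository was cloned into ./magento-malware-scanner, and the SQL dump is placed into the scan directory separately before the scan runs.

```shell
#!/bin/sh
# Added example, not code from the Magento post or the scanner project.
# Assumes: yara and curl installed, repository cloned into
# ./magento-malware-scanner, SQL dump placed in the scan directory by the operator.
set -u

# Create an owner-only directory OUTSIDE the web root, so the downloaded
# homepage and the SQL dump can never be served to visitors.
make_private_dir() {          # $1 = parent directory, e.g. "$HOME"
  dir="$1/magento-scan.$$"
  mkdir -m 700 "$dir" && printf '%s\n' "$dir"
}

# Save the rendered homepage: database-resident malware only appears in the
# HTML that is served, so the file scanner needs a copy of it.
fetch_homepage() {            # $1 = site URL, $2 = scan directory
  curl -fsSL -o "$2/index.html" "$1"
}

# Turn yara's "rule_name path" output lines into one line per file listing
# every rule that hit it, in first-seen order (paths may contain spaces).
summarize_matches() {
  awk 'NF >= 2 {
         rule = $1; sub(/^[^ ]+ /, ""); path = $0
         if (!(path in hits)) { order[++n] = path; hits[path] = rule }
         else                   hits[path] = hits[path] " " rule
       }
       END { for (i = 1; i <= n; i++) printf "%s: %s\n", order[i], hits[order[i]] }'
}

# Scan each directory given (Magento root, scan directory) with the confirmed
# rule set. Returns 1 when anything matched, so cron or monitoring can alert.
run_scan() {                  # args: directories to scan
  rules=magento-malware-scanner/rules/all-confirmed.yar
  report=$(for t in "$@"; do yara -r "$rules" "$t" 2>/dev/null; done | summarize_matches)
  [ -z "$report" ] && { echo "no matches"; return 0; }
  printf 'Infected files:\n%s\n' "$report"
  return 1
}

# Usage: ./scan.sh --run https://yoursite.example /var/www/magento
if [ "${1:-}" = "--run" ]; then
  scan_dir=$(make_private_dir "$HOME") || exit 2
  fetch_homepage "$2" "$scan_dir" || { rm -rf "$scan_dir"; exit 2; }
  run_scan "$3" "$scan_dir"; status=$?
  rm -rf "$scan_dir"           # never leave the homepage copy or dump behind
  exit "$status"
fi
```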

Viewing Malware Results

If the tool discovers malware, you will see output similar to the following in your command window:

scanner@m1:~/magento-malware-collection$
yara -r rules/all-confirmed.yar /Users/scanner/code/m1vg/ 2> /dev/null
visbot /Users/scanner/code/m1vg/app/design/frontend/base/default/template/checkout/onepage.phtml
jquery_code_su /Users/scanner/code/m1vg/app/design/frontend/base/default/template/checkout/onepage.phtml
scanner@m1:~/magento-malware-collection$

Reviewing Malware Results Checklist

  • If the scan confirms your site has been impacted by malware, Magento recommends that you check your site for other issues using Magereport.com, a free service that provides insight into your security status. Work with your Solution Partner or developer to clean your site and follow our recommended site remediation steps.

  • Deploy any missing security patches and address other issues discovered by the Magereport.com scan. Enterprise Edition patches are available in My Account and Community Edition patches are posted on the Community Edition download page under the Release Archive tab.

  • Protect yourself against password guessing, which is increasingly being used to attack sites that have all security patches in place.

  • Implement Magento Security Best Practices to further protect your site.

  • Sign up to receive Magento security notifications to stay up-to-date on security recommendations and issues.