How to Scan Your Hypernode for Malware
Shop owners that want to comply to an ISO certification, are required to periodically check their content for virusses and malware.
Scanning your web content can be done using Yara. This open source malware signature checker and file scanner is present on all Hypernodes.
Every night a scan will be performed. This scanner is in beta at this moment. When the scanner hits a possible malware file, it will notify our Abuse department at Hypernode. On the first working day after the detection, our customer will receive a e-mail from Hypernode with details.
The output of the daily scan we perform, is written to /var/log/mwscan.log
. If the scanner hits on a file, please review the file. In most of the cases, the malware has been uploaded by a unsecure downloader folder or Magmi plugin. Try to find how the file has been uploaded. Replace the file with the originating file distributed by the developer or when it is not used, remove the file.
If you find web shells, malicious files, and/or injected PHP code that are not yet recognised by mwscan
, please report them by filing an issues on the Github repositoryof this containing the files as described in the contribution documentation
Scan Your Files for Known Web Shells and Malware Manually
When you run mwscan /data/web/public
, it will recursively scan all files present in the directory.
Yara will first load all definitions found, and then start scanning:
app@abcdef-example-magweb-cmbl:~$ mwscan /data/web/public
[*] Using Files rules.
[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
[*] Loaded 96 yara rules and 40 whitelist entries
After finishing a scan, Yara will create a report with some information. If all is well, a single line is printed:
[*] Finished scanning 11131 files: 0 malware and 0 whitelisted.
Otherwise if files in your Magento installation match one of the definitions in Yara, the file name will be printed:
app@abcdef-example-magweb-cmbl:~$ mwscan /data/web/public
[*] Using Files rules.
[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
[*] Loaded 96 yara rules and 40 whitelist entries
public/app/etc/modules/initversion.php: md5_023a80d10d10d911989e115b477e42b5
[*] Finished scanning 9867 files: 1 malware and 0 whitelisted.
If a file is recognised by Yara, it does not necessarily mean that the file is infected. You should always check the file manually to make sure a file is infected or whether this is a false positive or indeed a malafide file.
Always check the output, even when you suspect a false positive!
Useful Examples:
Scan a Single File
mwscan /data/web/magento2/pub/x.php
Check All Files Silently and Print a Report Afterwards
mwscan -q /data/web/public
Check All Files, Not Just the Ones Containing PHP Code
mwscan --deep /data/web/public
To view all available options for mwscan
, use the command flag mwscan --help
Scan All Files Using the Most Recent (Experimental) Signatures
To make use of the newest malware signatures, use the -s byte
argument. This will use the newest, still experimental signatures.
These signatures may result in some false positives, but uses the latest malware signatures we included as well.
mwscan -s byte /data/web/public
Scan Your Files From Cron
To scan your files daily from the crontab and send the output to your email address, all you need to do is add the mwscanner to your crontab file:
10 4 * * * flock -n ~/.mwscan.lock mwscan --ruleset byte /data/web/public --quiet | ts | tee -a /data/web/mwscan.log | ifne mail -s "Possible malware found at $(hostname)" -a 'From: Malware Scanner <mwscan@example.com>;' your.email@example.com