How to Scan Your Hypernode for Malware

Shop owners who want to comply with an ISO certification are required to periodically check their content for viruses and malware.

Scanning your web content can be done using Yara. This open source malware signature checker and file scanner is present on all Hypernodes.

Every night a scan is performed. This scanner is currently in beta. When the scanner flags a possible malware file, it notifies our Abuse department at Hypernode. On the first working day after the detection, the customer receives an e-mail from Hypernode with details.

The output of the daily scan is written to /var/log/mwscan.log. If the scanner flags a file, review that file. In most cases the malware was uploaded through an insecure downloader folder or the Magmi plugin. Try to find out how the file was uploaded. Replace the file with the original file distributed by the developer or, if it is not used, remove it.

If you find web shells, malicious files or injected PHP code that mwscan does not yet recognise, please report them by filing an issue on the project's GitHub repository containing the files, as described in the contribution documentation.

Scan Your Files for Known Web Shells and Malware Manually

When you run mwscan /data/web/public, it will recursively scan all files present in the directory. Yara will first load all definitions found, and then start scanning:

app@abcdef-example-magweb-cmbl:~$ mwscan /data/web/public
[*] Using Files rules.
[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
[*] Loaded 96 yara rules and 40 whitelist entries

After finishing a scan, Yara will create a report with some information. If all is well, a single line is printed:

[*] Finished scanning 11131 files: 0 malware and 0 whitelisted.

Otherwise, if files in your Magento installation match one of the Yara definitions, each matching file name is printed together with the name of the rule it matched:

app@abcdef-example-magweb-cmbl:~$ mwscan /data/web/public
[*] Using Files rules.
[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
[*] Loaded 96 yara rules and 40 whitelist entries
public/app/etc/modules/initversion.php: md5_023a80d10d10d911989e115b477e42b5
[*] Finished scanning 9867 files: 1 malware and 0 whitelisted.

A match by Yara does not necessarily mean that the file is infected. Always inspect the file manually to determine whether it is a false positive or indeed malicious.

Always check the output, even when you suspect a false positive!

Useful Examples:

Scan a Single File

mwscan /data/web/magento2/pub/x.php

Check All Files Silently and Print a Report Afterwards

mwscan -q /data/web/public

Check All Files, Not Just the Ones Containing PHP Code

mwscan --deep /data/web/public

To view all available options for mwscan, run mwscan --help

Scan All Files Using the Most Recent (Experimental) Signatures

To use the newest malware signatures, pass the -s byte argument. These signatures are still experimental and may produce some false positives, but they include the latest malware signatures we have added.

mwscan -s byte /data/web/public

Scan Your Files From Cron

To scan your files daily from cron and send the output to your e-mail address, add mwscan to your crontab:

10 4 * * * flock -n ~/.mwscan.lock mwscan --ruleset byte /data/web/public --quiet | ts | tee -a /data/web/mwscan.log | ifne mail -s "Possible malware found at $(hostname)" -a 'From: Malware Scanner <>;'
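The output format shown above (a "<file>: <rule>" line per hit and a "[*] Finished scanning" summary) is what both the interactive run and the cron-appended /data/web/mwscan.log contain. As an added example that is not part of Hypernode's documentation or the mwscan project, the following Python script parses that output, tolerates the timestamp prefix that ts prepends in the cron pipeline, and decides whether a scan needs manual review. The sample log is constructed from the page's example output; the timestamps are invented.

```python
import re
from dataclasses import dataclass, field

# Leading timestamp as added by `ts` in the cron pipeline, e.g. "Mar 03 04:10:01 ".
_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
_LOADED = re.compile(r"^\[\*\] Loaded (\d+) yara rules and (\d+) whitelist entries")
_FINISHED = re.compile(r"^\[\*\] Finished scanning (\d+) files: (\d+) malware and (\d+) whitelisted")
_HIT = re.compile(r"^(?P<path>\S+): (?P<rule>\S+)$")  # "<file>: <yara rule name>"


@dataclass
class ScanReport:
    rules: int = 0
    whitelist: int = 0
    files: int = 0
    malware: int = 0
    whitelisted: int = 0
    hits: list = field(default_factory=list)  # (path, rule) pairs to review by hand

    def needs_review(self) -> bool:
        # Use hit lines as well as the summary count: a scan interrupted before
        # "Finished scanning" still needs attention.
        return self.malware > 0 or bool(self.hits)


def parse_mwscan(text: str) -> ScanReport:
    report = ScanReport()
    for raw in text.splitlines():
        line = _TS.sub("", raw.strip())
        if line.startswith("[*]"):
            if m := _LOADED.match(line):
                report.rules, report.whitelist = int(m[1]), int(m[2])
            elif m := _FINISHED.match(line):
                report.files, report.malware, report.whitelisted = map(int, m.groups())
            continue  # "Using ... rules." / "Loading ..." carry no counts
        if m := _HIT.match(line):
            report.hits.append((m["path"], m["rule"]))
    return report


# Constructed sample: the page's example output with the timestamps `ts` prepends in the cron job.
SAMPLE_LOG = """\
Mar 03 04:10:01 [*] Using Files rules.
Mar 03 04:10:01 [*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
Mar 03 04:10:02 [*] Loaded 96 yara rules and 40 whitelist entries
Mar 03 04:11:40 public/app/etc/modules/initversion.php: md5_023a80d10d10d911989e115b477e42b5
Mar 03 04:11:41 [*] Finished scanning 9867 files: 1 malware and 0 whitelisted.
"""

if __name__ == "__main__":
    report = parse_mwscan(SAMPLE_LOG)
    print("needs review" if report.needs_review() else "clean", report.hits)
```

Feed it the real log with parse_mwscan(open("/data/web/mwscan.log").read()) to get the list of files that still have to be checked by hand, as the page advises.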