From 8b4318862a3a5dac66af18a89ba5ccc87ec14d34 Mon Sep 17 00:00:00 2001 From: Demian Delwig Date: Tue, 22 Jul 2025 09:17:07 +0200 Subject: [PATCH 1/3] Remove mwscan docs --- .../how-to-scan-your-hypernode-for-malware.md | 98 ------------------- 1 file changed, 98 deletions(-) delete mode 100644 docs/best-practices/security/how-to-scan-your-hypernode-for-malware.md diff --git a/docs/best-practices/security/how-to-scan-your-hypernode-for-malware.md b/docs/best-practices/security/how-to-scan-your-hypernode-for-malware.md deleted file mode 100644 index 508b65d6..00000000 --- a/docs/best-practices/security/how-to-scan-your-hypernode-for-malware.md +++ /dev/null 
@@ -1,98 +0,0 @@ ---- -myst: - html_meta: - description: Scanning your web content can be done using Yara. This open source - malware signature checker and file scanner is present on all Hypernodes. - title: How to scan your Hypernode for malware? | Security -redirect_from: - - /en/best-practices/security/how-to-scan-your-hypernode-for-malware/ ---- - - - -# How to Scan Your Hypernode for Malware - -Shop owners that want to comply to an ISO certification, are required to periodically check their content for virusses and malware. - -Scanning your web content can be done using [Yara](https://yara.readthedocs.io). -This open source malware signature checker and file scanner is present on all Hypernodes. - -Every night a scan will be performed. This scanner is in beta at this moment. -When the scanner hits a possible malware file, it will notify our Abuse department at Hypernode. -On the first working day after the detection, our customer will receive a e-mail from Hypernode with details. - -The output of the daily scan we perform, is written to `/var/log/mwscan.log`. If the scanner hits on a file, please review the file. In most of the cases, the malware has been uploaded by a unsecure downloader folder or Magmi plugin. Try to find how the file has been uploaded. Replace the file with the originating file distributed by the developer or when it is not used, remove the file. - -If you find web shells, malicious files, and/or injected PHP code that are not yet recognised by `mwscan`, please report them by filing an issues on [the Github repository](https://github.com/gwillem/magento-malware-scanner) of this containing the files as described in the [contribution documentation](https://github.com/gwillem/magento-malware-scanner/blob/master/CONTRIBUTING.md) - -## Scan Your Files for Known Web Shells and Malware Manually - -When you run `mwscan /data/web/public`, it will recursively scan all files present in the directory. 
-Yara will first load all definitions found, and then start scanning: - -```console -app@abcdef-example-magweb-cmbl:~$ mwscan /data/web/public -[*] Using Files rules. -[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar -[*] Loaded 96 yara rules and 40 whitelist entries -``` - -After finishing a scan, Yara will create a report with some information. If all is well, a single line is printed: - -```text -[*] Finished scanning 11131 files: 0 malware and 0 whitelisted. -``` - -Otherwise if files in your Magento installation match one of the definitions in Yara, the file name will be printed: - -```console -app@abcdef-example-magweb-cmbl:~$ mwscan /data/web/public -[*] Using Files rules. -[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar -[*] Loaded 96 yara rules and 40 whitelist entries -public/app/etc/modules/initversion.php: md5_023a80d10d10d911989e115b477e42b5 -[*] Finished scanning 9867 files: 1 malware and 0 whitelisted. -``` - -If a file is recognised by Yara, it does not necessarily mean that the file is infected. You should always check the file manually to make sure a file is infected or whether this is a false positive or indeed a malafide file. - -**Always check the output, even when you suspect a false positive!** - -## Useful Examples: - -### Scan a Single File - -```bash -mwscan /data/web/magento2/pub/x.php -``` - -### Check All Files Silently and Print a Report Afterwards - -```bash -mwscan -q /data/web/public -``` - -### Check All Files, Not Just the Ones Containing PHP Code - -```bash -mwscan --deep /data/web/public -``` - -To view all available options for `mwscan`, use the command flag `mwscan --help` - -### Scan All Files Using the Most Recent (Experimental) Signatures - -To make use of the newest malware signatures, use the `-s byte` argument. This will use the newest, still experimental signatures. 
-These signatures may result in some false positives, but uses the latest malware signatures we included as well. - -```bash -mwscan -s byte /data/web/public -``` - -## Scan Your Files From Cron - -To scan your files daily from the crontab and send the output to your email address, all you need to do is add the mwscanner to your crontab file: - -```text -10 4 * * * flock -n ~/.mwscan.lock mwscan --ruleset byte /data/web/public --quiet | ts | tee -a /data/web/mwscan.log | ifne mail -s "Possible malware found at $(hostname)" -a 'From: Malware Scanner ;' your.email@example.com -``` From 4c28a611526c78100329175efc683adc5d20ffdc Mon Sep 17 00:00:00 2001 From: Demian Delwig Date: Tue, 22 Jul 2025 09:40:58 +0200 Subject: [PATCH 2/3] Remove mwscan reference --- .../security/how-to-recover-a-hacked-magento-shop.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/best-practices/security/how-to-recover-a-hacked-magento-shop.md b/docs/best-practices/security/how-to-recover-a-hacked-magento-shop.md index 733fbca5..54138cb2 100644 --- a/docs/best-practices/security/how-to-recover-a-hacked-magento-shop.md +++ b/docs/best-practices/security/how-to-recover-a-hacked-magento-shop.md 
@@ -22,8 +22,6 @@ In many cases, Magereport.com would tell you if your shop has been hacked! Mager You may also get alerted some other way, perhaps via a central agency such as the NCSC, or your local equivalent. -On Hypernode we also provide a [Malware scanner](../../best-practices/security/how-to-scan-your-hypernode-for-malware.md), based on [Yara](http://yara.readthedocs.io/) with an [extra set of signatures to detect magento directed malware](https://github.com/gwillem/magento-malware-scanner). Every night an audit on new or changed files will be performed and when the scanner hits a possible infected file, it will notify Hypernode's abuse department. We will check if it is a false-positive and if not; we'll send you a warning message by email. - ## What to do When your Shop is Hacked This is a good priority list to start cleaning up your shop: From f43646bed227cc6bc8aa827cbe20020cee8c19d7 Mon Sep 17 00:00:00 2001 From: Demian Delwig Date: Tue, 22 Jul 2025 09:55:16 +0200 Subject: [PATCH 3/3] Remove-mscan --- documentation_urls.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/documentation_urls.txt b/documentation_urls.txt index 3c66d9c6..29b9d1ee 100644 --- a/documentation_urls.txt +++ b/documentation_urls.txt 
@@ -51,7 +51,6 @@ article: https://support.hypernode.com/en/best-practices/security/how-to-install article: https://support.hypernode.com/en/best-practices/security/how-to-install-magento-patch-supee-8788-and-release-1-9-3/ article: https://support.hypernode.com/en/best-practices/security/how-to-protect-magento-against-brute-force-attacks/ article: https://support.hypernode.com/en/best-practices/security/how-to-recover-a-hacked-magento-shop/ -article: https://support.hypernode.com/en/best-practices/security/how-to-scan-your-hypernode-for-malware/ article: https://support.hypernode.com/en/best-practices/security/how-to-secure-magento-cacheleak/ article: https://support.hypernode.com/en/best-practices/security/how-to-use-a-cloud-firewall-on-hypernode/ article: https://support.hypernode.com/en/best-practices/security/what-you-need-to-know-about-the-visbot-malware/
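Review bot: In [PATCH 1/3], deleting docs/best-practices/security/how-to-scan-your-hypernode-for-malware.md also deletes its `redirect_from` entry for /en/best-practices/security/how-to-scan-your-hypernode-for-malware/, and nothing visible in this series keeps that URL resolving. Consider leaving a redirect to a remaining security page, or a short stub, so existing inbound links do not break. The commit message "Remove mwscan docs" also gives no reason: the removed page describes a nightly scan, the `/var/log/mwscan.log` output, abuse-department notification and a customer cron recipe, so the message should state whether the scanner itself is retired or only its documentation.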
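Review bot: In [PATCH 2/3], the paragraph removed at the `@@ -22,8 +22,6 @@` hunk of how-to-recover-a-hacked-magento-shop.md was the only one in the visible context saying that Hypernode audits new or changed files every night and warns the customer by e-mail. After the removal the passage mentions only Magereport.com and outside agencies such as the NCSC. If the nightly scan has been discontinued, replace the paragraph with a single sentence saying so instead of dropping it silently, so that readers who relied on those alerts know they will no longer arrive.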
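Review bot: The subject of [PATCH 3/3], "Remove-mscan", misspells mwscan and does not follow the style of the first two subjects; something like "Remove mwscan URL from documentation_urls.txt" would be searchable and say what changed. The single deleted line in documentation_urls.txt belongs with the file deletion in 1/3, so consider squashing the two; as split, the intermediate commits list an article URL for a page that has already been removed.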