According to the Federal Office for Information Security (BSI), over 6,000 online stores running on the Magento platform were hacked between 2015 and 2017. Even today, hacking a Magento-based website is easy if it is unpatched or unsecured.
Therefore, Magento scanning is the most important task for store owners.
Reasons why Magento gets hacked
- Code execution
- SQL injection
- Directory traversal
- Bypass of security controls
- File inclusion
Considering that 85% of all compromised e-commerce sites run on Magento, scanning becomes critical. You can protect your Magento store with two kinds of scan: internal scanning and external scanning.
Internal Scanning
Internal scanning means scanning the codebase on the server for malware. Several free tools are available for scanning your Magento website.
Magento Internal Scanning Tools
Magento Malware Scanner
Magento Malware Scanner is a tool that helps you keep your Magento installation secure. Its signature file (mwscan.txt) is a list of extended regular expressions, so a codebase can be scanned for malware with two commands: download the signatures, then run grep recursively against the installation directory.
wget git.io/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento
External Scanning
External scanning is equally important for your Magento store. It is necessary because malware can also live in the database, not only in the codebase.
This is a common attack: once an attacker has access to the admin panel, they can install malware simply by updating a CMS block or the “Miscellaneous HTML” field.
How to Perform External Scanning?
- Download the contents of the page via wget
- Send the returned HTML to the Magento malware scanner (grep against mwscan.txt)
wget -O result https://www.yourwebsitename.com && grep -Elf mwscan.txt result
Possibilities
#1 Malware not inlined
wget -O saves only the page itself, so it will miss malware that is referenced via an external <script> tag. Use the -p flag to download the “page requisites”; this also fetches the scripts referenced via <script> tags and stores everything under a folder named after the host, which is what the grep command below scans.
wget -p https://www.yourwebsitename.com && grep -Erlf mwscan.txt www.yourwebsitename.com
#2 Malware Hosted Elsewhere
If the script is hosted on a different domain, the -p flag alone won’t download it. You need to combine it with the -H flag (span hosts).
Use the -P flag to put everything into one folder (here: scan).
wget -p -H -P scan https://www.yourwebsitename.com && grep -Erlf mwscan.txt scan
#3 Malware in CMS
Issue: the Magento malware is in a static block and only comes into action on the checkout page, which an external scan of the homepage never reaches.
Solution: Mpchadwick’s MwscanUtils. This is a free and open source Magento module that provides the two capabilities described under #4 and #5 below:
#4 Content Dump Endpoint
Send a request to https://www.yourwebsitename.com/mwscanutils/contentdump. It will dump (return in the response) the following, so you can run the scanner over it:
- Content from all CMS pages
- Content from all CMS blocks
- Miscellaneous Scripts
- Miscellaneous HTML
#5 Fetch HTML via wget
You can fetch the HTML of the checkout page through wget. Normally the request is redirected away, because wget’s session has no quote (cart) items.
But if you pass the mwscanutils_force parameter, the page will still be loaded: https://www.yourwebsitename.com/checkout/onepage/index/mwscanutils_force/1
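The whole workflow above (the internal codebase scan, the external scan with -p -H -P, and the two MwscanUtils fetches) as one POSIX shell script. This is an added example, not code from the post, from Magento Malware Scanner or from MwscanUtils. It assumes the mwscan.txt format (one extended regex per line, as consumed by grep -Ef) and that mwscan.txt has been downloaded to the current directory; the pattern file and sample files built by make_fixture are constructed placeholders so that the local demo runs offline, and scan_store needs network access plus the MwscanUtils module installed on the store being scanned.

```shell
#!/bin/sh
# Added example (not from the original post or the tools it names).
# Assumption: the pattern file holds one extended regex per line, as grep -Ef expects.

# Scan a directory tree against a pattern file (the post's grep -Erlf step).
# Prints matching file paths, sorted, one per line; prints nothing if the tree is clean.
mwscan_dir() {
    grep -Erlf "$1" "$2" | sort
}

# External scan of a live store (needs network; not run by the offline demo below).
# Mirrors the post's wget flags: -q quiet, -p page requisites, -H span hosts,
# -P put everything under one folder. The last two fetches assume the MwscanUtils
# module is installed on the store; mwscan.txt is expected in the current directory.
scan_store() {
    url="$1"; out="$2"
    mkdir -p "$out"
    wget -q -p -H -P "$out" "$url"
    wget -q -O "$out/contentdump.html" "$url/mwscanutils/contentdump"
    wget -q -O "$out/checkout.html" "$url/checkout/onepage/index/mwscanutils_force/1"
    mwscan_dir mwscan.txt "$out"
}

# Build a constructed fixture: a placeholder pattern file and a mini "store" tree
# with one clean PHP file plus one PHP file and one JS file that match the
# placeholder patterns. None of this is real malware or a real signature.
make_fixture() {
    base="$1"
    mkdir -p "$base/store/app/code" "$base/store/skin"
    printf '%s\n' 'eval\(base64_decode\(' 'document\.write\(unescape\(' \
        > "$base/patterns.txt"
    printf '<?php\necho "clean module";\n' > "$base/store/app/code/Clean.php"
    printf '<?php\neval(base64_decode("Y29uc3RydWN0ZWQ="));\n' > "$base/store/app/code/Evil.php"
    printf 'document.write(unescape("constructed"));\n' > "$base/store/skin/inject.js"
}

# Offline demo: build the fixture, scan it, and print hits relative to the store root.
demo_scan() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    mwscan_dir "$tmp/patterns.txt" "$tmp/store" | sed "s#^$tmp/store/##"
    rm -rf "$tmp"
}

demo_scan
# prints:
# app/code/Evil.php
# skin/inject.js
```

The grep invocation is exactly the post's: -E for extended regexes, -r to recurse, -l to print only file names, -f to read patterns from the file. Because the external fetch and the MwscanUtils responses all end up as files under one folder, the same mwscan_dir function serves the internal and the external scan; a non-empty result is the signal to inspect the listed files by hand.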
Magereport
You can also scan your Magento website with the help of Magereport.
Magereport is a free service that scans your Magento shop, giving you quick insights into its security status and how to fix the vulnerabilities it finds.
It checks for all known Magento vulnerabilities and also for vulnerable 3rd-party extensions.
Bonus tips
- While performing external scans, you can use wget’s -q (quiet) flag to suppress its output.
- Run external scans on a dedicated server (not the ones hosting the Magento installation).
Don’t wait till your Magento Store gets hacked.
Get a 30-min FREE consultation with our Magento Expert.
1 thought on “How to Perform External And Internal Magento Scanning?”
Very useful post. Thanks