Tools to Scan Magento Code for Malicious Content

There are many ways to obfuscate code, so such a simple solution is not a solution at all IMO. If you really want to lock down your system and prevent malicious code I would recommend:

  1. Do not allow installation of modules via Connect. Use a git repo and install first on a staging server and only update production via git after thorough testing and inspection.

  2. Never ever allow use of modules with obfuscated code, no matter who the developer is. Ask for an unobfuscated copy or just look elsewhere. I sympathize with extension developers wanting to prevent piracy, but if you are concerned about security it is a deal-breaker.

  3. If possible restrict outbound traffic via iptables. This is hard since there are so many third-party APIs to integrate with and they can change their IPs at any time, but it is the most sure way to prevent malicious code (Magento or otherwise) from reaching out.

  4. Install a tool which monitors your web root for file changes. For example, ConfigServer Firewall and OSSEC have components which do this well, after proper configuration, of course.

If you happen to know of a system that will refresh iptables entries or AWS Security Groups when DNS records update, please let me know since I haven't found or built one myself yet.
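One way to do the DNS-driven refresh the answer above asks about, for the iptables case in point 3, is to match on an ipset and rebuild that set from DNS on a schedule. This is an added example, not part of the original answer or any project's code; the set name, hostnames and script name are constructed placeholders.

```shell
#!/bin/sh
# Added example: rebuild an ipset from DNS so an iptables egress rule follows
# third-party API address changes. Set name and hostnames are constructed.
SET_NAME="egress_allow"
ALLOW_HOSTS="api.payment.example api.shipping.example"

# Resolve one hostname to its unique IPv4 addresses, one per line.
resolve_host() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Print "ipset restore" input that fills a scratch set, then swaps it in.
# Returns non-zero if any hostname fails to resolve, so nothing gets applied.
build_restore() {
    tmp="${SET_NAME}_new"
    echo "create $SET_NAME hash:ip family inet"
    echo "create $tmp hash:ip family inet"
    echo "flush $tmp"
    for host in $ALLOW_HOSTS; do
        ips=$(resolve_host "$host")
        [ -n "$ips" ] || { echo "no address for $host" >&2; return 1; }
        for ip in $ips; do
            case "$ip" in
                *[!0-9.]*) echo "unexpected address '$ip' for $host" >&2; return 1 ;;
            esac
            echo "add $tmp $ip"
        done
    done
    echo "swap $tmp $SET_NAME"
    echo "destroy $tmp"
}

# Apply only when the complete rule set was generated; -exist tolerates
# sets that already exist and addresses shared by two hostnames.
refresh_allowlist() {
    rules=$(build_restore) || return 1
    printf '%s\n' "$rules" | ipset -exist restore
}

# The set is matched by a rule installed once, for example:
#   iptables -A OUTPUT -p tcp --dport 443 -m set --match-set egress_allow dst -j ACCEPT
# Run from cron as: refresh-egress.sh --apply   (script name is hypothetical)
if [ "${1:-}" = "--apply" ]; then
    refresh_allowlist
fi
```

Addresses behind CDNs or short DNS TTLs can change between runs, so schedule the refresh frequently and log denied outbound packets to spot a stale entry.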


Had you thought about running ClamAV? - https://www.clamav.net/index.html - I ran this recently on a client's Ubuntu server running Magento and it came back with two infected files - speed of the scan was impressive and is easily run if you have SSH access - you could also run regularly via a cron job.

To run ClamAV on Ubuntu

To install ClamAV run the following command

apt-get update
apt-get install clamav

Manually update virus databases

freshclam

You will see ClamAV update process started.

To manually scan files/folders for viruses

clamscan -r --bell -i /

For those not on Ubuntu, full instructions can be found here: https://www.clamav.net/doc/install.html


Try the Magento Malware Scanner, which contains the largest collection of malware signatures that is publicly available. It downloads the latest signatures, handles whitelists and keeps state.

It is recommended by Magento, used by Magento Marketplace, Homeland Security, VISA and many others.