Malware or vulnerability found, what next?
by Team Sansec
Published in Guides
eComscan reported one or more issues with your store. What should you do next? This depends on the type of the issue: a vulnerability or malware. In general, the person responsible for the deployment or QA of your store should handle these. Typically, this is your development agency or your internal development team.
Vulnerability
Check the report for specific instructions for dealing with this vulnerability. In general, you should either upgrade or remove the vulnerable component. For third-party components such as database managers, it is recommended to remove them altogether from your production environment. When the vulnerability is in a core component of your shop, there is almost always a security patch available from your vendor. For Magento, make sure to install all the relevant patches as published here.
Notes:
If you have applied all security patches but vulnerabilities are still reported, ensure that no duplicate copy of the code base exists on your site. For example, sometimes a copy of the code base lives under "/dev" or "/test", and it is not touched by patches applied to the main tree.
Magento has a "compilation feature" that caches code under "src". When applying security patches, you should clear this cache; otherwise the vulnerable code remains active in the cached copy.
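A simple way to catch the forgotten-copy problem described above is to look for every directory that holds a file which exists exactly once per code base (the application bootstrap, for example). The following helper is an added example, not Sansec's or Magento's own tooling; the marker file name is an assumption passed in as a parameter, and any hit outside the primary document root is a copy that patches applied to the main tree did not reach.

```shell
#!/bin/sh
# Added example (not from the original page): locate duplicate copies of a
# code base by searching for a per-code-base marker file.
# Assumptions: POSIX find/sort/wc; MARKER is a file name that appears once
# in every copy of the application (the exact name is deployment-specific).

# find_code_copies ROOT MARKER -> prints, one per line, every directory under
# ROOT that contains a file named MARKER (sorted, so the main tree and any
# "/dev" or "/test" copies are easy to compare side by side)
find_code_copies() {
    root="$1"; marker="$2"
    find "$root" -type f -name "$marker" 2>/dev/null | while read -r hit; do
        dirname "$hit"
    done | sort
}

# count_code_copies ROOT MARKER -> number of copies found; anything above 1
# means a patch run has to be repeated for each extra copy (or the copy removed)
count_code_copies() {
    find_code_copies "$1" "$2" | wc -l | tr -d ' '
}

# Usage: find_code_copies /var/www bootstrap.php
#        count_code_copies /var/www bootstrap.php
```

Run it from the server's web root after patching; if the count is above one, either remove the extra copies or patch and recheck each of them.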
Malware
When malware is found, you should start an incident response procedure, as it shows that attackers had partial or full control over your store. This incident response template for Magento provides a framework. In general, you should at least follow these steps:
- Preserve evidence by creating a backup and recording timestamps of relevant files (run stat <filename> to find both the change and the modification time).
- Also create a backup of the current web server log files, as some providers purge them after a few days.
- Identify all malicious code and means of unauthorized access
- Identify the root cause (see root cause analysis for Magento)
- Disable all entry points at the same time. Notably, change all passwords (see this script for Magento) and invalidate all admin sessions. Furthermore, we strongly recommend restricting access to your admin backend to a limited set of IPs (office, VPN).
- If possible, restore from a known secure backup.
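The evidence-preservation step above is easy to get wrong under pressure: cleanup or a restore overwrites the very timestamps that establish when a file was changed. The helper below is an added example, not Sansec's own tooling, and shows one way to record change and modification times together with a SHA-256 digest for each file of interest, and to copy the files (web server logs included) into an evidence directory before anything is touched. It assumes GNU or BSD stat and either sha256sum or shasum; the output directory and file list are parameters.

```shell
#!/bin/sh
# Added example (not from the original page): preserve file timestamps,
# digests and copies before incident cleanup destroys them.
# Assumptions: GNU coreutils stat or BSD stat; sha256sum or shasum present.

# stat_times FILE -> prints "ctime=<epoch> mtime=<epoch>" for FILE.
# ctime (inode change time) is what attackers rarely bother to forge;
# mtime is the one "touch" can rewrite, so both are recorded.
stat_times() {
    if stat --version >/dev/null 2>&1; then
        stat -c 'ctime=%Z mtime=%Y' "$1"      # GNU coreutils
    else
        stat -f 'ctime=%c mtime=%m' "$1"      # BSD / macOS
    fi
}

# file_digest FILE -> prints the SHA-256 hex digest of FILE
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# preserve_evidence OUTDIR FILE... -> writes OUTDIR/manifest.txt with one line
# per file (path, ctime, mtime, digest) and copies each file under
# OUTDIR/files/ with slashes replaced by underscores; returns 0 on success.
# Files that do not exist are noted as "missing" rather than aborting the run.
preserve_evidence() {
    outdir="$1"; shift
    mkdir -p "$outdir/files" || return 1
    manifest="$outdir/manifest.txt"
    printf 'collected_at=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$manifest"
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            printf 'missing %s\n' "$f" >> "$manifest"
            continue
        fi
        printf '%s %s sha256=%s\n' "$f" "$(stat_times "$f")" "$(file_digest "$f")" >> "$manifest"
        # cp -p keeps the original mtime on the copy; the original ctime
        # cannot be copied, which is why it lives in the manifest.
        cp -p "$f" "$outdir/files/$(printf '%s' "$f" | tr '/' '_')" || return 1
    done
    return 0
}

# Usage (paths are examples, not from the page):
#   preserve_evidence /root/evidence-$(date +%s) \
#       /var/www/html/index.php /var/log/nginx/access.log
```

Run it as the first action, before changing passwords or restoring a backup, and store the evidence directory off the compromised host. The manifest's digests let you later prove that the copied files are the ones that were on the server at collection time.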