Sansec logo

Malware or vulnerability found, what next?


by Sansec Support

Published in Guides

eComscan reported one or more issues with your store. What should you do next? This depends on the type of the issue: a vulnerability or malware. In general, the person responsible for the deployment or QA of your store should handle these. Typically, this is your development agency or your internal development team.


Check the report for specific instructions for dealing with this vulnerability. In general, you should either upgrade or remove the vulnerable component. With 3rd party components, such as database managers, it is recommended to remove them altogether from your production environment. When the vulnerability is in a core component of your shop, there is almost always a security patch available from your vendor. For Magento, make sure to install all the relevant patches as published here.


  • You may have applied all security patches, but vulnerabilities are still reported. Ensure that no duplicate code exists on your site. For example, sometimes a copy of the code base lives under "/dev" or "/test".

  • Magento has a "compilation feature" that caches code under "src". When applying security patches, you should clear the cache, or the vulnerability may remain active in the cache.


When malware is found, you should start an incident response procedure, as it showed that attackers had partial or full control over your store. This incident response template for Magento provides a framework. In general, you should at least follow these steps:

  1. Preserve evidence, by creating a backup and recording timestamps of relevant files (issue a stat <filename> to find both change and modification times)
    • Also create a backup of current web server log files, as some providers purge them after a few days.
  2. Identify all malicious code and means of unauthorized access
  3. Identify the root cause (see root cause analysis for Magento)
  4. Disable all entry points at the same time. Notably, change all passwords (see this script for Magento) and invalidate all admin sessions. Furthermore, we strongly recommend to restrict access to your admin backend to a limited set of IPs (office, VPN).
  5. If possible, restore from a known secure backup.
Need expert advice? We are here to help!

Stay up to date with the latest eCommerce attacks

Sansec logo

experts in eCommerce security


Terms & Conditions
Privacy & Cookie Policy
Company Reg 77165187
Tax NL860920306B01