Vulnerability scanner

MageStack has a built-in vulnerability scanner, which performs a number of roles,

  1. Detects common PHP exploits
  2. Detects Magento 3rd party module exploits
  3. Identifies potentially compromised files
  4. Identifies abnormal files
  5. Checks if all available Magento patches have been applied

The scanner is automated and logs its results to the audit log, named magescan-YYYY-MM-DD.log.gz.

Report priorities

Three different priorities are used in the report to classify the potential risk,

  1. Critical - High risk. This issue must be investigated immediately (e.g. an urgent Magento patch)
  2. Warning - Medium risk. This requires investigation; it could be a false positive or non-critical (e.g. an abnormal file or low-priority Magento patch)
  3. Notice - Low risk, but should still be investigated

HTML/JSON/Email report

You can generate the report in many different formats to suit your needs,

Email

You can send a copy of the report to one or many recipients via email,

php /microcloud/scripts/classes/Healthcheck.php --output email --type all --recipients "user1@example.com,user2@example.com"

HTML

The script will echo the output to stdout, so if you want to write it to a file for viewing, redirect the output. We do not recommend leaving a report publicly exposed.

php /microcloud/scripts/classes/Healthcheck.php --output html --type all > /microcloud/domains/example/domains/example.com/http/report.html

JSON

If you are aggregating data and want a parseable format, the report can be exported as JSON. The script again echoes the output to stdout, so redirect it to a file if desired.

php /microcloud/scripts/classes/Healthcheck.php --output json --type all

Text based/Log report

Format

The scan first tests for Magento patches (identified by the patch version/revision), followed by the other vectors (identified by an arbitrary ID).

Eg.

Test ID:     SUPEE-6788
Description: [Critical] Magento patch
  Critical example.com:/microcloud/data/domains/example/domains/example.com/http/app/code/core/Mage/Admin/etc/config.xml

A successful test will not report any warnings/files beneath the description.
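The log format above is simple enough to parse when you want to feed the daily magescan log into your own alerting or ticketing. The following is an added example (not part of MageStack or this page) that reads a report in the layout shown, groups findings under their test, and counts them by priority. The sample report, its test IDs and its file paths are constructed to match the documented layout; the gzip handling assumes the audit log is a plain gzip file, as the .log.gz name suggests.

```python
import gzip
import re
from collections import Counter
from pathlib import Path

# Constructed sample in the report layout documented above: one failed
# Magento patch test, one passing test (no lines beneath the description)
# and one abnormal-file test. IDs and paths are illustrative only.
SAMPLE_REPORT = """\
Test ID:     SUPEE-6788
Description: [Critical] Magento patch
  Critical example.com:/microcloud/data/domains/example/domains/example.com/http/app/code/core/Mage/Admin/etc/config.xml
Test ID:     SUPEE-1533
Description: [Warning] Magento patch
Test ID:     1042
Description: [Warning] Abnormal file
  Warning example.com:/microcloud/data/domains/example/domains/example.com/http/media/odd.php
  Notice example.com:/microcloud/data/domains/example/domains/example.com/http/skin/readme.txt
"""

TEST_ID_RE = re.compile(r"^Test ID:\s+(\S+)$")
DESCRIPTION_RE = re.compile(r"^Description:\s+\[(Critical|Warning|Notice)\]\s+(.*)$")
# Finding lines are indented: "<priority> <host>:<absolute path>"
FINDING_RE = re.compile(r"^\s+(Critical|Warning|Notice)\s+([^:]+):(/.*)$")


def parse_report(text):
    """Return a list of test dicts; each carries its findings (empty when the test passed)."""
    tests = []
    current = None
    for line in text.splitlines():
        m = TEST_ID_RE.match(line)
        if m:
            current = {"id": m.group(1), "priority": None, "description": "", "findings": []}
            tests.append(current)
            continue
        m = DESCRIPTION_RE.match(line)
        if m and current is not None:
            current["priority"], current["description"] = m.group(1), m.group(2)
            continue
        m = FINDING_RE.match(line)
        if m and current is not None:
            current["findings"].append(
                {"priority": m.group(1), "host": m.group(2), "path": m.group(3)}
            )
    return tests


def failed_tests(tests):
    """A test failed if anything was reported beneath its description."""
    return [t for t in tests if t["findings"]]


def finding_counts(tests):
    """Number of reported files per priority, across all tests."""
    return Counter(f["priority"] for t in tests for f in t["findings"])


def load_report(path):
    """Parse a magescan-YYYY-MM-DD.log.gz (or an uncompressed copy of it)."""
    p = Path(path)
    opener = gzip.open if p.suffix == ".gz" else open
    with opener(str(p), "rt", encoding="utf-8", errors="replace") as fh:
        return parse_report(fh.read())


if __name__ == "__main__":
    tests = parse_report(SAMPLE_REPORT)
    for t in failed_tests(tests):
        print(f"{t['id']} [{t['priority']}] {t['description']}: {len(t['findings'])} finding(s)")
    print(dict(finding_counts(tests)))
```

Point load_report at the day's audit log to run it on real output; anything with a non-zero Critical count is the case the priority table above says to investigate immediately.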

Excludes/ignores

Entire document root

To exclude an entire document root from scans, create a file named .ignore.magescan in the document root,

Eg.

cd /microcloud/domains/example/domains/example.com/http
touch .ignore.magescan

Specific file

To exclude individual files/directories from scans, create a file named .exclude.magescan in the document root and enter the files/directories to be ignored, separating each with a new line with no trailing whitespace,

Eg.

cd /microcloud/domains/example/domains/example.com/http
touch .exclude.magescan

Then inside .exclude.magescan,

/microcloud/data/domains/example/domains/example.com/http/media/safe_file.php
/microcloud/data/domains/example/domains/example.com/http/skin/ignore_me.php

! The full path as reported by the scan must be entered in the file (i.e. including /microcloud/data)
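Because an entry with trailing whitespace or a shortened path silently fails to exclude anything, it is worth checking the file before relying on it. The following is an added example (not MageStack's own tooling) that applies the two rules stated in this section: no trailing whitespace, and the full /microcloud/data path as reported by the scan. The sample file content is constructed and deliberately contains both mistakes.

```python
# Constructed .exclude.magescan content with deliberate mistakes: line 2 has a
# trailing space and line 3 omits the /microcloud/data prefix.
SAMPLE_EXCLUDES = (
    "/microcloud/data/domains/example/domains/example.com/http/media/safe_file.php\n"
    "/microcloud/data/domains/example/domains/example.com/http/skin/ignore_me.php \n"
    "/microcloud/domains/example/domains/example.com/http/skin/also_safe.php\n"
)

# Paths in the scan report always start with this prefix (see the note above).
REQUIRED_PREFIX = "/microcloud/data/"


def check_excludes(content):
    """Split file content into entries; return (valid_entries, problems).

    Each problem is a (line_number, entry, reason) tuple. Empty lines (such
    as the one produced by a final newline) are skipped.
    """
    valid, problems = [], []
    for line_no, entry in enumerate(content.split("\n"), start=1):
        if entry == "":
            continue
        if entry != entry.rstrip():
            problems.append((line_no, entry, "trailing whitespace"))
        elif not entry.startswith(REQUIRED_PREFIX):
            problems.append((line_no, entry, "missing /microcloud/data prefix"))
        else:
            valid.append(entry)
    return valid, problems


def check_exclude_file(path):
    """Run check_excludes over a .exclude.magescan file on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_excludes(fh.read())


if __name__ == "__main__":
    valid, problems = check_excludes(SAMPLE_EXCLUDES)
    for line_no, entry, reason in problems:
        print(f"line {line_no}: {reason}: {entry!r}")
    print(f"{len(valid)} valid entr{'y' if len(valid) == 1 else 'ies'}")
```

Run check_exclude_file against the document root's .exclude.magescan after editing it; only the entries it returns as valid will match what the scanner reports.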