Find Malware in Image Files


It’s a nightmare: your production environment was compromised and you don’t know how it happened or how much data was stolen. There are many ways to be compromised; in this post I want to explain how attackers can gain full access to your production environment through image files.

As explained by Snapfast and Sucuri, it is easy to store arbitrary PHP code in EXIF headers. Often a simple script is all it takes to create an administrator account. If you use third-party extensions with an image upload function, or if you are behind on the latest security update, the risk of being compromised is high.

You can use commands like svn status or git status to find changed files, but this is no guarantee of finding malicious code, because your /media/ or similar upload folders are often not under version control.

Here is one simple command to find infected image files.

If any file is infected, you will see a search result like the following.
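As an added example (not the post's own command), the following Python scanner looks for PHP markers in a JPEG's metadata segments, where EXIF lives, and in any bytes appended after the end-of-image marker. The marker list, the function names and the two sample images are my own assumptions; the images are constructed inline so the script runs offline.

```python
import re
import struct
from pathlib import Path

# Signatures of PHP code that has no business in image metadata (assumed list; extend as needed).
PHP_MARKERS = re.compile(rb"<\?php|<\?=|\beval\s*\(|base64_decode\s*\(|\bsystem\s*\(|passthru\s*\(|shell_exec\s*\(", re.IGNORECASE)

def jpeg_metadata_segments(data: bytes):
    """Yield (marker, payload) for each segment before the scan data; EXIF is APP1 (0xE1)."""
    if data[:2] != b"\xff\xd8":  # not a JPEG: nothing to parse
        return
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: metadata section is over
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def scan_image_bytes(data: bytes):
    """Return [(location, matched_marker), ...]; an empty list means nothing suspicious."""
    findings = []
    for marker, payload in jpeg_metadata_segments(data):
        for m in PHP_MARKERS.finditer(payload):
            findings.append((f"segment 0x{marker:02X}", m.group(0).decode("latin-1")))
    eoi = data.rfind(b"\xff\xd9")  # code appended after EOI is the other common hiding place
    if eoi != -1:
        for m in PHP_MARKERS.finditer(data[eoi + 2:]):
            findings.append(("after EOI", m.group(0).decode("latin-1")))
    return findings

def scan_directory(root: str, suffixes=(".jpg", ".jpeg")):
    """Walk an upload folder such as /media/ and map each infected path to its findings."""
    infected = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_image_bytes(path.read_bytes())
            if hits:
                infected[str(path)] = hits
    return infected

def build_jpeg(app1_payload: bytes, trailer: bytes = b"") -> bytes:
    """Constructed test data: a JPEG skeleton with one APP1 (EXIF) segment, no real pixels."""
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\xff\xd9" + trailer

CLEAN_IMAGE = build_jpeg(b"Exif\x00\x00Copyright 2014 Example Shop")  # constructed
INFECTED_IMAGE = build_jpeg(b"Exif\x00\x00<?php echo 'injected'; ?>")  # constructed
```

Run scan_directory("/path/to/media") against a real upload folder; a match is a reason to pull the file and check when and by which account it was uploaded.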

Practical grep command examples for your Magento log file audit

Improve your bug-fixing routine with some simple grep commands. Run them before any production deployment to make sure your new code works properly. To reduce the output on your terminal, extend my examples as shown below.

Count the results with "wc -l" at the end.

Display only the last 1000 rows with "tail -n 1000" at the beginning.

1. System.log

1.1 Access to an array by a key that doesn’t exist

1.2 Use a variable that wasn’t previously defined

1.3 Debug output generated by Mage::log()

1.4 Any kind of permission issues

1.5 Missing Magento template files

1.6 Access to a non-object

1.7 Missing argument in a function call

1.8 Invalid argument supplied to a loop

Find all:

2. Exception.log

2.1 Any kind of XML issues

2.2 Specific Authorize.net gateway issues

2.3 Specific PayPal gateway issues

2.4 Find general curl issues

Find all:

3. Reports

Find the last 10 error report files and grep for any kind of error message.

3.1 MySQL connection issues

3.2 Invalid config field

3.3 Unable to read response

3.4 Redirects to external URLs

Find all:

4. Apache error logs

4.1 Find missing files, whatever the cause