Pattern Categories

Detailed reference for all 15+ malware pattern categories and what they detect.

The malware scanner uses 15+ pattern categories to detect different types of threats. Here's what each category catches.

Critical Severity

Backdoor — Detects webshells, eval chains, and hidden backdoors. This is the most common type of malware found in compromised PrestaShop stores. Patterns match known webshell signatures, eval(base64_decode(...)) chains, and similar constructs.

Shell Execution — Detects direct operating system command execution via system(), exec(), passthru(), shell_exec(), and backtick operators. Legitimate PrestaShop code rarely needs these functions.

Code Injection — Detects dynamic code execution patterns: eval() with user input, include/require with user-controlled paths, preg_replace with the /e modifier, and create_function() with dynamic arguments.

File Manipulation — Detects malicious file write operations: writing PHP files with executable code, creating new files in web-accessible directories, and modifying existing files to inject backdoors.

Credit Card Skimmer — Detects payment data interception code, Magecart-style JavaScript injections, fake payment form overlays, data exfiltration to external servers, and regex patterns targeting credit card number formats.

Remote File Dropper — Detects code that downloads files from remote servers and saves them locally. Attackers use this technique to deploy additional malware after gaining initial access.

Hidden Backdoor — Detects password-protected backdoors that only activate when a secret parameter is provided. These are harder to spot because they appear dormant in most requests.

Credential Stealer — Detects code that intercepts, logs, or exfiltrates credentials: admin passwords, database credentials, API keys, and customer payment information.

Warning Severity

Obfuscation — Detects heavily obfuscated code patterns: nested base64 encoding, hex-encoded strings, variable-variable chains ($$var), and string concatenation tricks used to hide malicious intent.

Suspicious Functions — Detects dangerous PHP configuration changes: ini_set disabling security settings, set_time_limit(0), error_reporting(0), and runtime configuration changes that weaken security.

Crypto Miner — Detects cryptocurrency mining scripts: JavaScript-based miners (Coinhive, CryptoLoot), WebAssembly mining payloads, and mining pool connection strings.

Data Exfiltration — Detects unauthorized data transmission: curl calls to external URLs with POST data, file_get_contents to remote servers with customer data, and email-based data exfiltration.

Stealth Operations — Detects hidden file operations: files created with dot-prefix names, operations that suppress error output, timestamp manipulation (touch()), and hidden logging.

Config Probing — Detects configuration reconnaissance: reading config files, accessing database credentials, enumerating installed modules, and gathering server information.

Info Severity

Info Disclosure — Detects debug code that should not be in production: phpinfo(), var_dump(), print_r(), and debug_backtrace(). These rarely indicate malware but expose sensitive information.
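As an added illustration of how pattern categories map to severities (example code written for this page, not the scanner's own rules), the Python checker below matches a handful of the categories listed above against constructed, inert sample PHP files and reports the most serious finding per file. The regexes are simplified stand-ins, and the sample files and their names are made up for the demo.

```python
import re

# Rank used to pick the most serious finding for a file.
SEVERITY_RANK = {"critical": 3, "warning": 2, "info": 1}

# A subset of the page's categories; the regexes are illustrative
# stand-ins, not the scanner's own rules.
PATTERNS = {
    "backdoor": ("critical", [r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("]),
    "shell_execution": ("critical", [r"\b(system|exec|passthru|shell_exec)\s*\(", r"`[^`\n]+`"]),
    "code_injection": ("critical", [r"\bpreg_replace\s*\(\s*['\"]/.*?/[A-Za-z]*e[A-Za-z]*['\"]",  # /e modifier
                                    r"\bcreate_function\s*\("]),
    "obfuscation": ("warning", [r"\$\$[A-Za-z_]", r"(\\x[0-9a-fA-F]{2}){4,}"]),
    "suspicious_functions": ("warning", [r"\berror_reporting\s*\(\s*0\s*\)", r"\bset_time_limit\s*\(\s*0\s*\)"]),
    "info_disclosure": ("info", [r"\b(phpinfo|var_dump|print_r|debug_backtrace)\s*\("]),
}
COMPILED = {cat: (sev, [re.compile(p) for p in pats]) for cat, (sev, pats) in PATTERNS.items()}


def scan_source(source: str) -> dict:
    """Return matched snippets per category and the highest severity hit (None if clean)."""
    hits = {}
    for cat, (_, regexes) in COMPILED.items():
        found = [m.group(0) for rx in regexes for m in rx.finditer(source)]
        if found:
            hits[cat] = found
    top = max((COMPILED[c][0] for c in hits), key=SEVERITY_RANK.get, default=None)
    return {"hits": hits, "severity": top}


# Constructed, inert sample files for the demo (not real malware).
SAMPLES = {
    "clean.php": "<?php\n$price = Tools::getValue('price');\necho $price;\n",
    "dropped.php": "<?php\nerror_reporting(0);\neval(base64_decode($payload));\n",
    "obf.php": "<?php\n$$k = 1;\npreg_replace('/(.*)/e', '', $s);\n",
    "debug.php": "<?php\nvar_dump($cart);\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        r = scan_source(src)
        print(f"{name}: severity={r['severity']} categories={sorted(r['hits'])}")
```

A real scanner would also walk the module and theme directories and compare against a known-good file inventory, which this example omits.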