Zum Inhalt springen
Proactive security updates
Sicherheit

Malware Scanning and Cleanup for Online Shops

Detect and remove skimmers, injected scripts and backdoors: file integrity monitoring, structured cleanup and post-incident hardening for online shops.

14 min read MalwareSkimmerDatei-IntegritätBereinigungShop-Sicherheit

An online shop can look completely normal on the surface -- and quietly steal every customer's card details in the background. That is exactly what modern skimmers do: small, disguised JavaScript snippets that read the payment fields at checkout and send them to a foreign domain. The number of skimmer infections rose by 103 percent within six months (RiskIQ, 2025), and one well-known skimmer tracker counts over 2 million compromised web pages worldwide (RiskIQ, 2025). The insidious part: without targeted malware scanning, an infection stays undetected for an average of 241 days (RiskIQ, 2025). This article shows how professional scanning, file integrity monitoring and structured cleanup find skimmers, injected scripts and backdoors -- and how proactive security updates prevent it from getting that far in the first place.

Malware Scan Dashboard -- File Integrity and ThreatsScan coverage14,812 files checked100%14,806 cleanIntegrity confirmed!6 findingsQuarantine activeFile Integrity Diff (expected/actual)Compared against signed reference hashes~ public/media/logo.php Hash mismatch!+ var/cache/_t8x.php New, unsigned!~ index.php Inline script injected= core/framework/* Unchanged= vendor/* Unchanged3 deviations, 14,806 files identical to referenceDetected ThreatsSKIMMERCard skimmer in checkoutreads payment field, sends to foreign domainBACKDOORWeb shellvar/cache/_t8x.php command executionINJECTIONSEO spam redirectinline JS redirects mobile trafficAll findings isolated -- cleanup recommendedScan pipelineHash compareSignature and heuristicsQuarantineAlert and reportDaily full scan plus real-time integrity check of the payment pageCompromised shops usually contain at least one additional hidden backdoorFile integrity | Skimmer detection | Backdoor hunting | Quarantine | Post-incident hardening

Key takeaways

  • An infected shop has no single virus, but a mix of manipulated files, injected database entries and external script inclusions -- pure signature scanners miss this.
  • File integrity monitoring is signature-independent: it flags any deviation from the signed reference, including disguised backdoors, without knowing their content.
  • The payment page needs a continuous, client-side integrity check -- that is exactly where skimmers strike.
  • Merely deleting the malicious code leads to re-infection: only clean install, credential rotation and patching the exploited vulnerability are solid.
  • Only a fixed scan routine cuts detection time from months to minutes and takes away the most dangerous weapon from skimmers: time.

Why Classic Antivirus Logic Fails for Shops

An infected online shop behaves differently from an infected PC. There is no single virus to delete, but a mix of manipulated files, injected database entries and external script inclusions. Vulnerability exploitation was the most common initial access vector for security incidents last year, rising by 34 percent (Verizon DBIR, 2025). At the same time, 119 new vulnerabilities in IT systems became known every day -- a rise of about 24 percent over the previous year (BSI security report, 2025). Relying only on signatures from a single malware database completely misses the typical shop attacks.

Professional malware scanning for shops therefore combines several methods: file integrity monitoring (do the file hashes still match the signed reference?), signature and heuristic scans (known malicious patterns and suspicious constructs like eval(base64_decode(...))), database scans (injected JavaScript in content and metadata) and client-side integrity checks of the page delivered to the browser. Only the combination covers the full range -- from the skimmer in the checkout to the silent backdoor in the cache directory.

The Invisible Majority

In a large share of compromised shops, it is not only the visible malicious code that is present, but additionally at least one hidden backdoor. Anyone who removes only the visible malicious code and misses the backdoor is often re-infected within hours.

File Integrity Monitoring as an Early Warning System

The most effective tool against stealthy manipulation is file integrity monitoring (FIM). The principle is simple: when a clean installation is set up, a cryptographic hash is generated for each file and stored in a signed reference. Every later scan compares the current state against this reference. Modified core files, newly added PHP scripts in the upload or cache directory and deleted files stand out immediately -- regardless of whether the malicious code is known or not.

This signature-independent approach is decisive precisely because attackers constantly vary their code to evade signature scanners. A web shell that appears under var/cache/_t8x.php simply has no business being there -- the integrity comparison flags it as an unsigned new file without any knowledge of its content. For Shopware installations, the reference can be built from the official package hashes and the checked-out code state. We deploy integrity monitoring as a standard building block in every Shopware maintenance engagement.

file-integrity-check.sh
# Generate reference hashes after a clean deploy
find . -type f \( -name '*.php' -o -name '*.js' -o -name '*.twig' \) \
  -not -path './var/*' -print0 \
  | sort -z | xargs -0 sha256sum > /secure/baseline.sha256

# Daily comparison against the reference (shows deviations only)
sha256sum -c /secure/baseline.sha256 2>/dev/null | grep -v ': OK$'

# Find suspicious PHP files in writable directories
find public/media var/cache -name '*.php' -mtime -7 -ls

For the especially sensitive payment page, a daily scan is no longer enough. Since 31 March 2025, the payment card standard mandates a mechanism to detect unauthorized changes to scripts and HTTP headers of the payment page that alerts at least weekly (PCI Security Standards Council, 2025). In practice this means a continuous, client-side integrity check exactly where skimmers strike.

Skimmers, Backdoors, Injections: The Three Main Categories

Payment Skimmers

Disguised JavaScript reads card number and CVV at checkout and sends them to a foreign domain. Detected via client-side integrity checks and outbound analysis.

Backdoors and Web Shells

Hidden PHP files enable renewed access after cleanup. Detected via file integrity, heuristics and cron job audits.

Script Injections

Injected code in core files or the database for SEO spam, redirects or mining. Detected via hash comparison and database scans.

SEO Spam and Redirects

Invisible links or redirects that steer search engine crawlers to foreign pages. Often only noticed at a ranking collapse.

Rogue Admin Accounts

Attackers create hidden administrator accounts to keep access even after a password change. Detected via user audits.

Supply Chain Manipulation

Compromised plugins or CDN scripts inject malicious code through the official channel. Detected via Subresource Integrity and hash checks.

These categories rarely appear in isolation. A typical compromise begins with the exploitation of an unpatched vulnerability, followed by the placement of several backdoors for persistence, the injection of a skimmer for monetization and SEO spam as secondary use. Most basic web application attacks also involved stolen credentials -- in 88 percent of cases (Verizon DBIR, 2025). That is why detection consistently includes a user audit and log monitoring of unusual login patterns.

The Structured Scan Process

A reliable scan follows a fixed pipeline so that no area is overlooked. The order matters: first the complete, non-invasive scan to take stock, then assessment and quarantine, not premature deletion. Premature deletion destroys evidence and makes root-cause analysis impossible.

  1. Inventory: complete file hash comparison against the signed reference, supplemented by heuristic scans of all writable directories.
  2. Database scan: search for injected JavaScript in content, options, widget configurations and user tables.
  3. Client-side check: compare the scripts delivered in the browser against the approved list, focusing on the payment page.
  4. User and cron job audit: check for unknown admin accounts, scheduled tasks and tampered authentication keys.
  5. Assessment and quarantine: classify, isolate and document each finding -- without removing it immediately.
  6. Findings report: prioritized list of all findings with an entry-point hypothesis as the basis for cleanup.

Scan coverage is its own metric: how many files, which directories and which database tables were actually checked? A scan that only superficially probes the web root suggests a security that does not exist. In our maintenance packages we document coverage transparently so it remains traceable what was checked.

AspectSurface scanProfessional scanning
MethodologySignature matching onlyIntegrity, signature, heuristics, database
File integrityNo reference hashesSigned baseline, daily comparison
Payment pageNot checked separatelyContinuous client-side check
Backdoor detectionOften overlookedTargeted search in writable directories
DatabaseNot checkedScan for injected JavaScript
CoverageUnknownDocumented and traceable
OutcomeFalse sense of securitySolid findings report

Cleanup: Why Deleting Alone Is Not Enough

The real challenge begins after the finding. The obvious reaction -- deleting the visible malicious code -- is the most common cause of re-infection. As long as the exploited vulnerability is open and at least one backdoor was overlooked, the shop is compromised again within hours. One in five previously infected shops is re-infected within a few days (RiskIQ, 2025).

Solid cleanup therefore follows the clean-install principle: fresh installation of the code from a trusted source, restoration of verified content and data from a backup created before the compromise, and rotation of all credentials and keys. Which backup point is safe follows from the forensic timeline -- this is closely interwoven with a well-thought-out backup strategy and a clean recovery routine. Afterwards the exploited vulnerability is patched, otherwise everything was in vain.

Solid Cleanup in the Right Order

  1. 1

    Preserve evidence

    Create a complete image before any intervention -- premature deletion destroys the traces and makes root-cause analysis impossible.

  2. 2

    Analyze forensically

    Determine the entry point, timeline and scope of the compromise to find a safe backup point from before the infection.

  3. 3

    Clean install

    Reinstall the code from a trusted source and restore verified content from a clean backup.

  4. 4

    Rotate credentials

    Renew all passwords, API keys and authentication tokens so that stolen credentials become worthless.

  5. 5

    Patch the vulnerability

    Close the exploited gap -- without this step the shop is re-compromised within hours.

  6. 6

    Bring back online

    Return the cleaned and hardened shop to operation only after completed verification and an updated integrity baseline.

Order Matters

First preserve evidence (full image), then analyze, then clean, then patch -- and only then bring the shop back online. Anyone who swaps the steps risks loss of evidence and re-infection.

Post-Incident Hardening: Learning from the Incident

After cleanup comes hardening so the same attack does not work again. This includes the prompt application of all security updates, a Web Application Firewall with rules against the specific attack vector, restrictive write permissions in upload and cache directories and disabling PHP execution where only media files should reside. This is all the more urgent because organization-wide only 26 percent of critical vulnerabilities were fully remediated at all -- down from 38 percent the previous year (Verizon DBIR, 2025).

Two browser-side mechanisms additionally work against skimmers and supply chain attacks: Content Security Policy (CSP), which allows only explicitly approved script sources, and Subresource Integrity (SRI), which secures external scripts via a hash (OWASP, 2025; W3C, 2025). If an attacker changes an embedded script, the browser blocks execution. Combined with continuous integrity checking of the payment page, this creates a multi-layered defense that matches the PCI requirements exactly.

WAF with Vector Rules

A Web Application Firewall blocks the specifically exploited attack path and common exploit patterns before they reach the application.

Restrictive Write Permissions

No write access to code directories, no PHP execution in upload paths -- this removes the breeding ground for web shells.

CSP and SRI

Content Security Policy and Subresource Integrity prevent foreign or manipulated scripts from executing in the browser.

Continuous Monitoring

Constant alerts on file changes, new admin accounts and unusual outbound traffic drastically reduce detection time.

What a Malware Infection Really Costs

The average total cost of a data breach in 2025 was around 4.4 million US dollars globally (IBM Cost of a Data Breach, 2025). For small and medium shops the figure is lower, but the structure remains: cleanup and forensics are only the visible part. Added to this are lost revenue during downtime, the SEO ranking loss after a Google security warning, possible GDPR fines when customer data leaks and the hard-to-measure loss of trust. In addition, ransomware hit small and medium-sized businesses in 80 percent of reported cases (BSI security report, 2025).

Against this stands the cost of continuous scanning and maintenance, which is a fraction of these sums. This is precisely the economic core of a maintenance contract with performance and security monitoring: not the promise of absolute security, but the drastic reduction of both probability and detection time. The earlier a skimmer is discovered, the smaller the damage.

The most expensive infection is the one that stays undetected for months. Continuous scanning turns an existential crisis into a manageable incident.

Managed Service Agency

Scanning as Routine, Not as Emergency

The most effective protection is not a one-off scan after a suspicion, but a fixed routine. A daily full scan with file integrity monitoring, continuous surveillance of the payment page and a monthly deep audit of dependencies together form a safety net that makes infections visible in minutes instead of months. This routine cannot be run on the side -- it needs defined reference hashes, evaluated alerts and a clear cleanup process for the worst case.

This is exactly where our managed maintenance for online shops comes in: we set up the integrity baseline, operate the continuous scanning, assess the findings and harden the system after every incident. This keeps scanning a calm background routine -- and turns it into an emergency only when it truly is one. Anyone who reduces detection time from months to minutes takes away the most dangerous weapon from skimmers and backdoors: time.

It is important that scanning is embedded into the entire maintenance and update cycle. Every update can legitimately change file integrity -- so the signed reference must be regenerated and versioned after every planned deploy, so that no false alarm arises and no genuine finding slips through. Anyone who applies updates without subsequently refreshing the baseline silently disables their early warning system. That is precisely why update tests, baseline maintenance and the scan routine run together in one coordinated process at our agency, rather than in isolation. The result is a shop whose security posture is documented and traceable at all times -- and that responds in minutes rather than months when it matters.

This article is based on data from: Verizon Data Breach Investigations Report (2025), BSI report on the state of IT security in Germany (2025), RiskIQ Magecart telemetry (2025), IBM Cost of a Data Breach Report (2025), PCI Security Standards Council on PCI DSS v4.0 requirement 11.6.1 (2025), OWASP and W3C on CSP and Subresource Integrity (2025). The figures cited may vary depending on industry and attack scenario.