Malicious ShopSearcher Script

Labs Note

We see a strong trend in hacking ecommerce sites in order to hijack payment process and steal customers credit card details. During the last couple of years, we wrote multiple times about attacks that target Magento, OpenCart, PrestaShop, Woo Commerce and other ecommerce platforms.

Recently we found one more proof of increased attention to ecommerce sites from hackers. On one hacked WordPress site, among other uploaded backdoors, we found quite a big script (>600 lines of code) script whose only purpose was to scan the compromised server for online shop sites.

$start_from = ReqParamPost('start');$last       = ReqParamPost('last');$sca = new ShopSearcher( AbsDir(), 10, $start_from, $last, 9.0, 25 );$ret = $sca->Scan();echo MakeResponseStr($ret);

This script scans the server account for file patterns of known ecommerce platforms and then displays paths and types of the found online stores. The current version of the script detects the following 11 platforms:

  • 1. OpenCart
  • 2. osCommerce
  • 3. Magento
  • 4. PrestaShop
  • 5. ZenCart
  • 6. CS-Cart
  • 7. WooCommerce
  • 8. WP Marketplace plugin
  • 9. X-Cart
  • 10. Interspire Shopping Cart
  • 11. WP Checkout plugin

Interesting enough, for Woo Commerce sites this script also checks the number of registered users and if the number is lower than 200, the site doesn’t make it in the list of found ecommerce sites.

$nu = WPDB_QueryNumUsers($fn_wp_config);            if ( $nu >= 200 ){    $this->mFoundShit []= array(6, $pAbsFile);}else{    LogAdd("Ignoring WOO-COMMERCE.. Not enough users ($nu)");}

If you own an ecommerce site, the site security should be one of your priorities. If it is hacked, virtually nothing can stop hackers from stealing your customer’s payment details (especially if you hast payment forms on your own site). We always advised against hosting different sites under the same hosting account as this setup leads to infection of all the sites if only one of them has a security hole. This ShopSearcher script once again proves that you should isolate your ecommerce site from your rest sites. Proper isolation will reduce the attack surface and even if the site gets hacked, the subsequent cleanup and hardening will be much easier.

You May Also Like