Magento Exploit - Stealing Customer Info Including Card Details - Check your site now!

We have detected malicious code running on one of our client's Magento websites. The code in question harvests customer details from the store's database, which are then exfiltrated by the attacker.

The process is not very sophisticated, though it does seem to be effective. Unfortunately, on investigating further, it appears that a number of other sites have been hacked in the same way, and because the dumped data was written to files that the web server would happily serve, sensitive details, in some cases including credit card information, are visible in Google's own cache.

Analysis

As is common with this kind of exploit, there is a PHP file that calls eval on a base64-encoded, deflate-compressed blob of code, so that a simple grep for the usual web shell strings finds nothing.

In this case, the file was called abstractleft.php and was located in the Magento shell directory (the directory that holds Magento's command-line scripts such as indexer.php, which should never be reachable over HTTP at all). The contents of the file begin with this:

<?PHP

eval(gzinflate(base64_decode('7f3/Xxs38jiO/36Px/0Pyta92K1tDEnaBg....

Decoding the payload offline (base64-decode, then inflate, without ever running it) reveals the banner of a well-known web shell at the top of the decoded source:

/* WSO 2.1 (Web Shell by pgems.in) */

The web shell is being used to generate a dump of data, driven by regular POST requests coming from the IP address 46.21.151.107.
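The quickest way to confirm what a file like abstractleft.php contains is to peel the eval(gzinflate(base64_decode(...))) wrapper off without executing it. The following is an added example, not code from the original post or from Magento: it decodes each layer with Python's zlib (PHP's gzinflate is a raw DEFLATE stream, hence the negative wbits), checks the result for the WSO banner strings, and scans a directory for files that carry the wrapper. The payload it decodes is a sample it builds itself with the same wrapper shape; the real payload from the page is truncated and is not reproduced here.

```python
import base64
import os
import re
import zlib

# The obfuscation wrapper seen at the top of abstractleft.php:
#   eval(gzinflate(base64_decode('...')))
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)

# Strings from the banner the page shows: /* WSO 2.1 (Web Shell by pgems.in) */
SHELL_MARKERS = ("WSO", "Web Shell", "pgems.in")


def php_gzinflate(data: bytes) -> bytes:
    """Equivalent of PHP's gzinflate(): raw DEFLATE, no zlib or gzip header."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def unwrap(source: str, max_layers: int = 10) -> tuple[str, int]:
    """Strip nested eval(gzinflate(base64_decode())) layers without executing anything.

    Returns (innermost PHP source, number of layers removed). max_layers guards
    against a payload that keeps re-wrapping itself.
    """
    layers = 0
    while layers < max_layers:
        m = WRAPPER_RE.search(source)
        if not m:
            break
        source = php_gzinflate(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        layers += 1
    return source, layers


def is_webshell(source: str) -> bool:
    """True if the decoded source carries any of the WSO banner strings."""
    decoded, _ = unwrap(source)
    return any(marker in decoded for marker in SHELL_MARKERS)


def scan_dir(root: str) -> list[tuple[str, int, bool]]:
    """Walk a tree and report every .php file that uses the wrapper.

    Each hit is (path, layers stripped, looks like WSO). Files that are not
    wrapped are not reported; this is a triage aid, not a full malware scan.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if WRAPPER_RE.search(src):
                decoded, layers = unwrap(src)
                hits.append((path, layers, any(m in decoded for m in SHELL_MARKERS)))
    return hits


def build_sample(inner_php: str, layers: int = 2) -> str:
    """Constructed test input: wrap inner_php the way abstractleft.php is wrapped.

    This is NOT the real payload from the compromised site, only the same shape.
    """
    src = inner_php
    for _ in range(layers):
        comp = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)  # raw DEFLATE
        raw = comp.compress(src.encode()) + comp.flush()
        src = "<?PHP\n\neval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return src


if __name__ == "__main__":
    sample = build_sample("<?php\n/* WSO 2.1 (Web Shell by pgems.in) */\necho 'shell';", layers=3)
    decoded, n = unwrap(sample)
    print("layers removed:", n)
    print("web shell:", is_webshell(sample))
    print(decoded.splitlines()[1])
```

Run scan_dir() against a copy of the document root taken from the compromised host (point it at the shell directory first) rather than the live site, so that nothing in the tree is modified before the forensic picture is complete. Any decoded file that is not flagged as WSO still deserves a look: a wrapper like this has no place in a legitimate Magento install.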

In the case of our client the issue is being resolved quickly, and the shell only seems to have been live for a day or so. However, looking through Google's index it is clear that other sites have been leaking a lot of data for considerably longer.

In the worst cases, the affected Magento sites have been using the Saved Credit Card payment method, which stores the full card number in the Magento database. The data scrapes from those sites have therefore pulled not only customer details but full card details as well. Magento encrypts the stored numbers, but the key lives in app/etc/local.xml, and an attacker who can run a web shell on the server can read that file as easily as the database. This is another reason why it is a really bad idea to use the Saved Credit Card payment method.

Defense

It is not clear exactly how the client's server was compromised. Regardless of the entry point, it is important to remove the shell and any dump files it wrote, rotate all access credentials (Magento admin, database, FTP/SSH and the encryption key in local.xml), and review and update the firewall rules, including blocking the IP address above.

Ideally we would like to know exactly how the attacker gained access to the server to place the exploit file. This means examining the web server access and error logs, FTP/SSH logs and the Magento admin action logs, starting from the file's creation time and working backwards. If the attack is not too sophisticated, there is a good chance the attacker left plenty of traces, such as repeated requests to the shell from a single IP, that show exactly how the attack took place.
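The shell directory should not receive any HTTP traffic, so the access log is the obvious place to start. The following is an added example, not part of the original post: it parses Apache combined-format log lines, keeps only requests under /shell/, and groups them by source IP and path, flagging POSTs, requests for files that are not Magento's own shell scripts, and requests the server actually served (status below 400). The log lines are constructed for the example; only the attacker IP and file name come from the page.

```python
import re
from collections import defaultdict

# Apache combined log format; the referer and user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Scripts that ship in Magento 1's shell/ directory. They are CLI tools, so even
# these should not be requested over HTTP; anything else under /shell/ is foreign.
KNOWN_SHELL_SCRIPTS = {"abstract.php", "compiler.php", "indexer.php", "log.php"}

# Constructed sample log (not from the compromised site). The attacker IP and
# abstractleft.php are the two details taken from the write-up.
SAMPLE_LOG = [
    '46.21.151.107 - - [12/Mar/2015:03:14:07 +0000] "POST /shell/abstractleft.php HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2015:03:14:09 +0000] "GET /index.php/checkout/cart/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2015:03:20:41 +0000] "GET /shell/indexer.php HTTP/1.1" 404 312 "-" "python-requests/2.5"',
    '46.21.151.107 - - [12/Mar/2015:04:14:11 +0000] "POST /shell/abstractleft.php?a=dump HTTP/1.1" 200 51002 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def triage(lines):
    """Group every request under /shell/ by (ip, path) and attach the reasons it is suspicious."""
    hits = defaultdict(lambda: {"count": 0, "methods": set(), "bytes": 0, "reasons": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/shell/"):
            continue
        h = hits[(rec["ip"], rec["path"])]
        h["count"] += 1
        h["methods"].add(rec["method"])
        h["bytes"] += rec["size"]          # large responses hint at data being pulled out
        if rec["status"] < 400:
            h["reasons"].add("served by web server")
        if rec["method"] == "POST":
            h["reasons"].add("POST to shell dir")
        if rec["path"].rsplit("/", 1)[-1] not in KNOWN_SHELL_SCRIPTS:
            h["reasons"].add("unknown file in shell dir")
    return [dict(ip=ip, path=path, **v) for (ip, path), v in sorted(hits.items())]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']:16} {f['path']:28} x{f['count']} {sorted(f['methods'])} "
              f"{f['bytes']} bytes  {', '.join(sorted(f['reasons']))}")
```

Feed it the real log with something like triage(open("/var/log/apache2/access.log")) and read the output from the earliest timestamp: the first request that reached the shell, and whatever the same IP did just before it, is usually the entry point. A 404 against the shell directory from a different IP, as in the sample, is the kind of scanner probe that should also be blocked, but it does not mean that host got in.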

The main thing for Magento sites now is to ensure that all security patches have been applied, and that the shell directory is not served by the web server at all. If your live site has not been patched, you really must expect this kind of hack.