Webshell Alerts - Filesman and P.A.S

With a varied and interesting customer base, our forensic team get to see a lot of threats in the early stages of a growing trend.  Over the last few weeks, we’ve helped a number of online businesses running Magento stores who have fallen victim to attackers using the following webshells as the entry point to launch their malware attacks:

• FilesMan
• P.A.S.

In multiple, separate incidents, both webshells have been utilised to install malicious code (malware) onto the target websites in the following location:

'lib/Varien/Object.php'

The installed code (malware) then serialised any request cookies and appended them to the file under the 'media/catalog/product' location:

These cookies have been found to include stolen credit and debit cardholder data, which had been base64 encoded to evade detection.

The harvested files were then made publicly accessible for later collection by the attackers.

These attacks are relatively simple to defend against – if you have the right type of defence on your website.

Like many of the attacks we have written about in the last 6 – 12 months, they can easily be defended by using an effective defence in depth strategy.  A very simple, yet effective strategy would be as follows:

1. Firstly, check your website for malware, webshells, backdoors.  You can do this easily by installing our FGX-Web solution, which includes malware scanning as default.  Using both commercial tools and built-in heuristic detection, FGX-Web will alert you on any suspicious code. 
   
   Once you have checked for malware/webshells/backdoors and removed any suspicious code from your website, you know that your website is now “clean”.  You then add the next layer of defence onto your website.

2. Place a Tamper Evident Seal on your website.  Similar to the seals that you find on a jar of jam in the supermarket – if the little popper is up, you know that the jar’s seal has been broken.  In the same was you need to have a Tamper Evident Seal on your website to tell you when changes are being made.  Changes that you make are fine, obviously.  Changes that you did not make are NOT fine – they are a good indicator of hacker activity.
   
   FGX-Web will provide this Tamper Evident Seal for your website as a default.  This means that once you have cleaned your website in stage 1, you are now monitoring changes on your website.  If the attackers have another entrance to your website that you have not identified, the Tamper Evident Seal in FGX-Web will alert the minute they start making changes to your website – whether that is the upload of new code, the changing of products, creation of new files.  Anything that changes is logged for you to check.
   
   With the Tamper Evident Seal and the automated malware detection in place, you can now add the next layer of defence.

3. Scan for unprotected credit and debit card data.  Attackers are looking for ways to steal data that is valuable – your transaction data on your eCommerce website is the easiest data to monetize.  If you detect unprotected credit or debit cardholder data on your website, either your developers have designed an insecure payment process for your website, OR you have just detected an active attack and theft of your transaction data.  Daily checks are highly recommended as an effective layer of monitoring to detect attacks.
   
   If you have decided to use FGX-Web to do the malware checks and to place a Tamper Evident Seal on your website, you will also benefit from FGX-Web’s daily checks of the website file system and database for unprotected credit and debit cardholder data.  Fully automated.
   
   With the daily checks for unprotected credit and debit cardholder data in place, you can now add the next layer of defence.

4. Use a Web Application Firewall to filter internet attacks out before they reach your website.  An effective web application firewall will defend a website against the vast majority of internet-based attacks. 
   
   While quite a technical solution to implement as a standalone solution, if you have decided to use FGX-Web to provide you with the malware checks, a Tamper Evident Seal and daily scans for unprotected payment card data, you are also able to use the built in web application firewall, which is simple to deploy and managed by Foregenix web security experts.

Securing your website can be straightforward - with appropriate technology and policies in place, you will be able to defend your online business against the most aggressive attacks, with little effort.  

Here's a free ebook available for download that breaks website security down into jargon-free, simple steps - 7 Tips to Secure Your Website.