Our Forensics Manager James talks about the Magento threat alert.
Our forensic team have seen a number of recent cases involving Magento websites that have been hacked through the same malicious web shell. The details of the web shell are as follows:
Malicious Extension Name: Feed_Manager-2.0.7
We believe that this malicious extension has been named to be similar to the legitimate Feed Manager extension (which is currently offered as version 2.1.3 on http://www.magentocommerce.com) to evade casual review by web admins.
We would highly recommend that you ensure that your website is not affected by this malicious shell.
We located the extension through an .XML file at the following location:
html/dev/var/package/Feed_Manager-2.0.7.xml
html/dev/var/package/tmp/package.xml
The contents of the .XML file explicitly mentions two obfuscated web shells, which we found at the following locations:
html/dev/skin/frontend/base/data.php
html/dev/skin/frontend/base/info.php
Detection of this malicious file is challenging using regular expressions, due to high number of variations that could be incorporated.
While we (and the extension developer RetailTower) do not believe that there is any link to the legitimate Feed Manager extension, we would recommend any websites using Feed Manager to update to the latest version.
Security controls we would highly recommend to detect issues like this are:
Tamper-proof seal on your website files – file change monitoring.
Benj Hosack is a Director and co-Founder of Foregenix Limited. Foregenix is a specialist information security business delivering services in Forensics, PCI DSS, PCI P2PE, PA-DSS and information security solutions within the Payment Card Industry. Our technologies are designed to simplify security and PCI Compliance. Specialties: Cardholder Data Discovery - defining and reducing PCI DSS Scope / PA-DSS / PCI DSS / P2PE / Account Data Compromise Investigations. We are specialists in the Payment Card Industry and work with all types of companies in the payment chain (Acquiring banks, Processors, hosting providers, web designers, merchants, systems integrators etc).