Cybersecurity Insights

Benjamin Hosack

Magento Threat Alert - Feed_Manager – 2.0.7

11/03/15 12:02

Our Forensics Manager James talks about the Magento threat alert.

Our forensic team have seen a number of recent cases involving Magento websites that have been hacked through the same malicious web shell. The details of the web shell are as follows:

Malicious Extension Name: Feed_Manager-2.0.7

retailtower

We believe that this malicious extension has been named to be similar to the legitimate Feed Manager extension (which is currently offered as version 2.1.3 on http://www.magentocommerce.com) to evade casual review by web admins.

We would highly recommend that you ensure that your website is not affected by this malicious shell.

We located the extension through an .XML file at the following location:

html/dev/var/package/Feed_Manager-2.0.7.xml

html/dev/var/package/tmp/package.xml

The contents of the .XML file explicitly mentions two obfuscated web shells, which we found at the following locations:

html/dev/skin/frontend/base/data.php

html/dev/skin/frontend/base/info.php

Detection of this malicious file is challenging using regular expressions, due to high number of variations that could be incorporated.

While we (and the extension developer RetailTower) do not believe that there is any link to the legitimate Feed Manager extension, we would recommend any websites using Feed Manager to update to the latest version.

Security controls we would highly recommend to detect issues like this are:

  • Tamper-proof seal on your website files – file change monitoring.
  • Log monitoring and alerting
  • Malware detection

This is all provided as a part of our FGX-Web solution.

As we find more information on this malicious shell, we will update our blog.

Please get in touch if you identify this malicious malware on your website – we can help!

TRENDING POSTS

David Kirkpatrick
Penetration Testing: The Quest For Fully UnDetectable Malware

Malware continues to be one of the main attack vectors used by criminals to compromise user and ...

Read More