Our Forensics Manager James talks about the Magento threat alert.
Our forensic team have seen a number of recent cases involving Magento websites that have been hacked through the same malicious web shell. The details of the web shell are as follows:
Malicious Extension Name: Feed_Manager-2.0.7
We believe that this malicious extension has been named to be similar to the legitimate Feed Manager extension (which is currently offered as version 2.1.3 on http://www.magentocommerce.com) to evade casual review by web admins.
We would highly recommend that you ensure that your website is not affected by this malicious shell.
We located the extension through an .XML file at the following location:
html/dev/var/package/Feed_Manager-2.0.7.xml
html/dev/var/package/tmp/package.xml
The contents of the .XML file explicitly mentions two obfuscated web shells, which we found at the following locations:
html/dev/skin/frontend/base/data.php
html/dev/skin/frontend/base/info.php
Detection of this malicious file is challenging using regular expressions, due to high number of variations that could be incorporated.
While we (and the extension developer RetailTower) do not believe that there is any link to the legitimate Feed Manager extension, we would recommend any websites using Feed Manager to update to the latest version.
Security controls we would highly recommend to detect issues like this are:
This is all provided as a part of our FGX-Web solution.
As we find more information on this malicious shell, we will update our blog.
Please get in touch if you identify this malicious malware on your website – we can help!