gwillem / magento-malware-scanner

Scanner, signatures and the largest collection of Magento malware
GNU General Public License v3.0
679 stars 153 forks

Add rogue CloudConnectERP backdoor check #176

Closed gwillem closed 6 years ago

gwillem commented 6 years ago

The (now defunct) Cloud Connect ERP Magento plugin for SAP integration (published by B2b2dot0) was probably once legitimate, but a version circulates in the wild that is used as a webshell launcher. Upon installation, it places several backdoors:

/skin/edit.php
/skin/viewer.php
/skin/cli.php

In one particular case, an attacker brute-forced their way into the admin panel, installed this extension, and then used /skin/edit.php to place more backdoors.
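A defender-side check for the three dropped files named above, written here as an added example rather than code from the magento-malware-scanner project. It matches the exact paths from the issue and, as an assumed heuristic (not a project signature), also flags any other PHP file under skin/, since that tree holds only static assets in a stock Magento 1 install.

```python
"""Check a Magento 1 document root for the rogue CloudConnectERP backdoor files."""
import os
import sys
from typing import Dict, Iterable, List

# Files dropped by the trojanised plugin, per the issue, relative to the document root.
CLOUDCONNECT_BACKDOORS = frozenset({
    "skin/edit.php",
    "skin/viewer.php",
    "skin/cli.php",
})


def classify_paths(rel_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Sort document-root-relative paths into findings.

    'known'      - exact matches for the backdoor files named in the issue
    'suspicious' - any other .php under skin/ (assumed heuristic: skin/ should
                   contain only CSS/JS/images, so PHP there deserves a look)
    """
    known, suspicious = [], []
    for p in rel_paths:
        # Normalise "./skin/x.php", "/skin/x.php" and "skin/x.php" to one form.
        norm = os.path.normpath(p).replace(os.sep, "/").lstrip("/")
        if norm in CLOUDCONNECT_BACKDOORS:
            known.append(norm)
        elif norm.startswith("skin/") and norm.lower().endswith(".php"):
            suspicious.append(norm)
    return {"known": sorted(known), "suspicious": sorted(suspicious)}


def scan_magento_root(root: str) -> Dict[str, List[str]]:
    """Walk <root>/skin on disk and classify every file found there."""
    rel_paths = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "skin")):
        for name in files:
            rel_paths.append(os.path.relpath(os.path.join(dirpath, name), root))
    return classify_paths(rel_paths)


if __name__ == "__main__":
    # Usage: python check_cloudconnect.py /path/to/magento  (exit 1 on any finding)
    result = scan_magento_root(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind in ("known", "suspicious"):
        for path in result[kind]:
            print(f"{kind}: {path}")
    sys.exit(1 if result["known"] or result["suspicious"] else 0)
```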