gwillem / magento-malware-scanner

Scanner, signatures and the largest collection of Magento malware
GNU General Public License v3.0

Unable to determine how the injection occurs! #4

Closed ghost closed 7 years ago

ghost commented 8 years ago

Man, please tell us how the JS code, which grabs the credit card details, is inserted into Magento. Is it a client-side problem or something in Magento?

fhightower commented 8 years ago

Good question @GitHubFernando. Let me preface my response by noting that I am not extremely familiar with Magento.

That being said, looking over some of the security vulnerabilities that Magento has identified in the past (see: Magento Security Patches), I think it is most likely that an infected system was not running a patched version of Magento and was compromised using a known vulnerability. Mage Report is a good tool to make sure your website running Magento is fully patched.

Additionally, Magento has published a couple of articles on Magento Security detailing the process for cleaning up and securing an infected site moving forward.

If anyone else has any information regarding the infection vector, please feel free to chime in!

ghost commented 8 years ago

Hi thank you for your time!!

I would like to know how the JavaScript code was inserted into sites affected by this threat: https://support.hypernode.com/knowledgebase/how-to-fix-credit-card-hijack/

This site has been affected https://alfaadventure.com.br/ but I don't know how it was injected...

Thanks!!

On Mon, Oct 24, 2016 at 2:28 AM, Blake Whitkanack notifications@github.com wrote:

Let me know if I can answer any specific questions. I have 8 years of distinguished Magento experience. I've been an Authorize.NET Payment Reseller / Solution Provider for over 5 years, specializing in payment solutions and fraud prevention.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/gwillem/ecommerce-malware-collection/issues/4#issuecomment-255645793, or mute the thread https://github.com/notifications/unsubscribe-auth/AHEHT7_zB3L1ygzVXe5MgMf8WQxpklipks5q3DQLgaJpZM4KbAjM .

Microsoft Certified Systems Engineer - MCSE +Security

Microsoft Certified Systems Administrator - MCSA Microsoft Certified Technology Specialist - Virtualisation Telefone: +55 (48) 8471 7107 Email: fernando.rodrigues.ti@gmail.com fernando.rodrigues.ti@gmail.com

ghost commented 8 years ago

Thanks for your explanation!!!

I will check my backend!

On Wed, Oct 26, 2016 at 2:25 AM, Blake Whitkanack notifications@github.com wrote:

Someone broke into your server and injected it via "creating a custom extension, modifying the code of an existing extension, overloading core functions or making use of the auto loading xml theme layout files".

I most likely won't be teaching you how to create an extension, modify an existing extension, overload a core function or make use of auto loading xml theme layout files.

You didn't secure your server. Once someone has access to your server, they can do anything.



gwillem commented 7 years ago

So far, entry points are non-patched software (notably the Magento Shoplift patch SUPEE-5344) and weak admin passwords that get brute forced. There are theoretically numerous other ways that people can get access to Magento internals. The best approach is to follow the best practices as published by Magento: https://magento.com/security/best-practices
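One of the two entry points named above, admin passwords being brute forced, leaves a clear trace in the web server access log: a burst of POST requests to the admin login URL from a single client. The script below is an added example, not code from the magento-malware-scanner project or from anyone in this thread. It parses lines in the common/combined access log format, counts POSTs to the admin login path per source IP, and reports any IP over a threshold. The admin URL pattern (`/admin` or `/index.php/admin`, the Magento 1 default) and the threshold are assumptions; adjust both to the store's actual configuration. The log lines are constructed sample data.

```python
import re
from collections import Counter

# Combined/common access log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: Magento 1 default admin frontname. A renamed admin path needs a different pattern.
ADMIN_LOGIN_RE = re.compile(r'^/(index\.php/)?admin(/|$)')


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_admin_login_post(entry):
    """True for a POST whose path is the admin login form."""
    return entry["method"] == "POST" and ADMIN_LOGIN_RE.match(entry["path"]) is not None


def flag_bruteforce(lines, threshold=5):
    """Count admin-login POSTs per source IP and return (ip, count) pairs at or above threshold,
    highest count first. Unparseable lines are skipped rather than raising."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_admin_login_post(entry):
            counts[entry["ip"]] += 1
    flagged = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda x: (-x[1], x[0]))


# Constructed sample log: one client hammering the admin login, one legitimate admin login,
# plus unrelated traffic that must not be counted.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Oct/2016:02:28:01 +0000] "GET /index.php/admin/ HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Oct/2016:02:28:02 +0000] "POST /index.php/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Oct/2016:02:28:03 +0000] "POST /index.php/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Oct/2016:02:28:04 +0000] "POST /index.php/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Oct/2016:02:28:05 +0000] "POST /index.php/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Oct/2016:02:28:06 +0000] "POST /index.php/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Oct/2016:02:28:07 +0000] "POST /index.php/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Oct/2016:02:30:00 +0000] "POST /index.php/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Oct/2016:02:31:00 +0000] "POST /checkout/onepage/saveOrder/ HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Oct/2016:02:31:05 +0000] "POST /administrator/login HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'this line is garbage and should be skipped',
]

if __name__ == "__main__":
    for ip, n in flag_bruteforce(SAMPLE_LOG):
        print(f"{ip}: {n} admin login POSTs")
```

Run it against a real log with `flag_bruteforce(open("access.log"))` and tune the threshold to the normal rate of admin logins for the store; a legitimate administrator produces a handful of POSTs per session, not dozens per minute. Pair the check with the other half of gwillem's advice: confirm the store has the current security patches applied, since a fully patched store with a strong admin password closes both of the entry points he lists.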