My site was attacked by someone who was able to upload scrips into the
/media/rt-tinymce-uploads directory (0755). This website is fully patched using all the recommended security practices. From what I found online this hack has been in the wild for several months.
From what I saw in the PHP file this is a credit card scrapper which thankfully we dont store on the website. The PHP file was also unable to access the database which saved the day.
There was three files php files in this directory. One was a smaller uploader script which was inserted about 4 days after the SUPEE-8788 vulnerabilities where announced. Prior to the security patch being applied.
The Store is 1.9.2.3 with all the recent security patches applied. Magereport shows all Green.
[Update 2]:
After going back through old backups it looks like the vulnerability from SUPEE-8788 was exploited on my website about 4 days after it was announced at this time a small PHP file was uploaded which allowed additional PHP files to be uploaded at a later date. Since the file was inserted prior to the patch the door was open.
So my recommendation to myself and others is to check your /media folder for any PHP files. There shouldn't be any there.
I also added a .htaccess file to this directory that prevents PHP code execution. I did find a handful of websites that have been exploited this way with a simple google search for a few keywords found in the PHP code.
Hi @Ericclay, thanks for reporting back with your update. I'm glad you were able to figure out what happened and get it resolved.
I did reach out to our security team with their post and received the following:
It is uncommon for the standard Magento installation to let the attacker to upload the PHP files. Usually Magento stores are hacked utilizing security issues of third-party extensions like “VP_WebForms” (VladimirPopov_WebForms)
The ‘rt-tinymce-uploads’ folder does not belong to the magento logic. There is no mentions of that directory in the source code.
The ‘media’ directory is definitely not the place for the .php files since it is accessible to the ‘outer world’.
Without further details, I’m not sure whether the attack has been done using LFI exploit through TinyMCE. I believe the folder name has been chosen to point to the wrong place to look at.
Directory deletion or disallowing PHP files execution will help but not for long time. And the next time the attacker can choose a different directory name.
One additional thing I would suggest to check is the new unknown admin accounts and maybe it would be better to change the admin password.
Thanks for the reply sherrie,
I have the two attack .php files if they're of any use for your security team. I can zip those up and email them to you if you like.