Hi, I have been investigating an attack on a site that happened around the end of 2016. In the attack a jpeg image was uploaded with PHP code appended. This is the image (with code removed).
Unfortunately we do not have logs from the period when the attack happened. I can well believe that the admin passwords may have been brute-forced, or that we weren't quick enough applying SUPEE-8788.
Doing a Google image search I see plenty of other examples of Magento 1 stores attacked with similar images. The names of the images vary, but they are always uploaded to the media/catalog/category directory of the attacked store. The code at the end of these images also differs in purpose: some just drop a web shell or a simple backdoor, but some also install the Visbot malware.
The puzzling part is how these images are used to gain PHP execution of the appended code. In particular the first line of the code does this.
$p = str_replace('index.php','',$_SERVER['SCRIPT_FILENAME']);
with $p then being used as the base path for writing the attack files.
This would seem to indicate that the code is executed through
public/index.php
The only construct I can think of that would execute a jpeg as PHP code through /index.php is something like:
require 'media/catalog/category/imagefile.jpg';
But I have no idea how that could occur.
One interesting thing to note is that in the wild the images are sometimes used as category headers as they would be if uploaded through the category admin e.g.
Does anyone else have any experience of these attacks? Or do you have any clue how the code execution works? AFAIK MagPleasure's File System module was not installed which seems to be a common route to web shell from admin access.
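The post above describes JPEGs with PHP code appended after the image data. The following is an added example (not code from this thread or from Magento) of a defender-side check for that pattern: it locates a PHP open tag in an image file and reports whether it sits after the JPEG End-Of-Image marker (appended) or inside the image structure (embedded, e.g. in a comment segment). The sample byte strings are constructed for the demonstration; the directory name matches the one named in the post.

```python
"""Flag JPEG files under a media directory that carry PHP code."""
import re
from pathlib import Path

JPEG_SOI = b"\xff\xd8"          # Start Of Image marker
JPEG_EOI = b"\xff\xd9"          # End Of Image marker; image viewers stop here
# Matches "<?php" (word-bounded) or the short echo tag "<?=".
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def find_php_in_image(data: bytes):
    """Return (offset, kind) for the first PHP open tag in a JPEG, else None.

    kind is "appended" when the tag lies after the last EOI marker (the pattern
    described in the post) and "embedded" when it appears before it.
    """
    if not data.startswith(JPEG_SOI):
        return None                     # not a JPEG; out of scope for this check
    m = PHP_TAG_RE.search(data)
    if not m:
        return None
    eoi = data.rfind(JPEG_EOI)
    kind = "appended" if eoi != -1 and m.start() > eoi else "embedded"
    return m.start(), kind


def scan_category_media(root):
    """Walk a directory such as media/catalog/category and list suspicious JPEGs."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".jpg", ".jpeg"}:
            found = find_php_in_image(path.read_bytes())
            if found:
                hits.append((str(path), found[0], found[1]))
    return hits


# Constructed samples: a minimal JPEG skeleton, one copy with the post's first
# payload line appended after EOI, one with a tag inside a COM (FF FE) segment.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + JPEG_EOI
APPENDED_JPEG = CLEAN_JPEG + (
    b"<?php $p = str_replace('index.php','',$_SERVER['SCRIPT_FILENAME']); ?>"
)
EMBEDDED_JPEG = JPEG_SOI + b"\xff\xfe\x00\x12<?php phpinfo();" + JPEG_EOI

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("appended", APPENDED_JPEG),
                       ("embedded", EMBEDDED_JPEG)):
        print(name, find_php_in_image(blob))
```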
We experienced this. Our scenario turned out to be a credit card skimmer. Someone got in and installed a browser-based SQL app, then installed the skimmer. Check these files:
htaccess.php
OnepageController.php
phpinfo.php
progressreview.js
I have managed to work out a probable way of how this was done. But cannot say more at this time.
In the meantime if anyone has been affected by this I would recommend the following post on how to examine your site http://gwillem.gitlab.io/2017/04/12/magento-breach-analysis/.
The full story is here: https://securingmage.com/2017/06/13/the-strange-tale-of-the-frog-images/