E-skimmers Were Used To Attack Over 500 Magento-Based E-Stores.

Sansec discovered a major hack affecting over 500 Magento 1 ecommerce stores last week. Every one of the stores was infected with a payment skimmer loaded from the naturalfreshmall.com domain. Sansec asked affected merchants to contact them so that a common entry point could be identified and other merchants protected against a potentially new attack.

The first investigation is now complete: the attackers gained control of the Magento store by chaining a SQL injection (SQLi) with a PHP Object Injection (POI).

The researchers reported that "the attackers planted a total of 19 backdoors on the machine. To disinfect the system and avoid re-infection, each and every one of them must be removed."

The attack chain starts with a known SQL injection vulnerability in the Quickview plugin, a flaw that is normally abused to insert rogue admin users into vulnerable Magento stores. In the cases the researchers investigated, however, the attackers used it for something else: adding a validation rule to the customer_eav_attribute table.

The added validation rule carries a POI payload, crafted to trick the application into instantiating a malicious object. Because Magento unserializes the validation rules when it handles new customers, the attacker triggers the unserialize, and with it the execution of the backdoor, simply by loading the Magento sign-up page.

From there the attacker can use the api_1.php backdoor to run arbitrary PHP code.
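A merchant checking for this particular foothold needs to look at what the database will hand to unserialize(), not only at the file system where the 19 backdoors live. The Python below, added here as an example and not code from Sansec or the Magento project, scans rows in the shape of customer_eav_attribute for PHP object tokens inside validate_rules. The sample rows, the SQL in the comment and the class name Evil_Gadget are constructed stand-ins; the real payload's class is not named on this page.

```python
import re
from typing import List, Optional, Sequence, Tuple

# PHP serialize() writes objects as   O:<len>:"<Class>":<nprops>:{...}
# and Serializable classes as         C:<len>:"<Class>":<datalen>:{...}
# A legitimate validate_rules value is a plain array (a:N:{...}) of scalars,
# so any O: or C: token inside it is something an attacker put there.
_PHP_OBJECT = re.compile(r'(?<![\w"])([OC]):(\d+):"([^"]*)":(\d+):\{')


def find_serialized_objects(blob: Optional[str]) -> List[str]:
    """Return the class name of every object token in a PHP-serialized blob.

    The declared name length must match the actual name, which rules out
    a string value that merely happens to contain the characters 'O:'.
    """
    if not blob:
        return []
    classes = []
    for _kind, length, cls, _count in _PHP_OBJECT.findall(blob):
        if int(length) == len(cls.encode("utf-8")):
            classes.append(cls)
    return classes


# Constructed rows (not a real dump) in the shape of
#   SELECT attribute_id, attribute_code, validate_rules FROM customer_eav_attribute;
# Row 7 carries a hypothetical gadget class, Evil_Gadget, standing in for
# whatever class the real payload instantiated.
SAMPLE_ROWS: Sequence[Tuple[int, str, Optional[str]]] = [
    (5, "firstname", 'a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}'),
    (9, "email", None),
    (7, "lastname", 'a:1:{s:5:"rules";O:11:"Evil_Gadget":1:{s:4:"path";s:10:"/tmp/x.php";}}'),
]


def suspicious_rows(rows: Sequence[Tuple[int, str, Optional[str]]]):
    """Return (attribute_id, attribute_code, [classes]) for every row whose
    validate_rules would instantiate an object when unserialized."""
    hits = []
    for attribute_id, code, rules in rows:
        classes = find_serialized_objects(rules)
        if classes:
            hits.append((attribute_id, code, classes))
    return hits


if __name__ == "__main__":
    for attribute_id, code, classes in suspicious_rows(SAMPLE_ROWS):
        print(f"attribute {attribute_id} ({code}) unserializes to: {', '.join(classes)}")
```

Run it against an export of the table rather than against the live store; a match tells you which attribute to clean, but the rest of the chain (the Quickview plugin, the rogue admin users it can create, and the dropped PHP files) still has to be dealt with separately.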

Finally, the researchers concluded: "Adobe has declared the Magento 1 platform End-Of-Life, although thousands of professional merchants continue to use it. Because Adobe no longer provides security fixes, we urge that you take extra precautions to keep your store secure. Malware detection is critical. Patches from the community are also available for Magento 1, either open-source through OpenMage or commercially supported through Mage-One."

Indicators of Compromise

IP address      CC ASN    AS name
132.255.135.230 US 52485  networksdelmanana.com
132.255.135.51  US 52485  networksdelmanana.com
138.36.92.216   US 265645 HOSTINGFOREX S.A.
138.36.92.253   US 265645 HOSTINGFOREX S.A.
138.36.93.206   US 265645 HOSTINGFOREX S.A.
138.36.94.2     US 265645 HOSTINGFOREX S.A.
138.36.94.224   US 265645 HOSTINGFOREX S.A.
138.36.94.241   US 265645 HOSTINGFOREX S.A.
138.36.94.59    US 265645 HOSTINGFOREX S.A.
138.94.216.131  US 263744 Udasha S.A.
138.94.216.172  US 263744 Udasha S.A.
138.94.216.186  US 263744 Udasha S.A.
138.94.216.230  US 263744 Udasha S.A.
141.193.20.147  US 64249  ENDOFFICE
144.168.218.117 US 55286  SERVER-MANIA
144.168.218.136 US 55286  SERVER-MANIA
144.168.218.249 US 55286  SERVER-MANIA
144.168.218.70  US 55286  SERVER-MANIA
144.168.218.94  US 55286  SERVER-MANIA
144.168.221.92  US 55286  SERVER-MANIA
186.179.14.102  US 52393  Corporacion Dana S.A.
186.179.14.134  US 52393  Corporacion Dana S.A.
186.179.14.179  US 52393  Corporacion Dana S.A.
186.179.14.204  US 52393  Corporacion Dana S.A.
186.179.14.44   US 52393  Corporacion Dana S.A.
186.179.14.76   US 52393  Corporacion Dana S.A.
186.179.14.97   US 52393  Corporacion Dana S.A.
186.179.39.183  US 52393  Corporacion Dana S.A.
186.179.39.226  US 52393  Corporacion Dana S.A.
186.179.39.35   US 52393  Corporacion Dana S.A.
186.179.39.7    US 52393  Corporacion Dana S.A.
186.179.39.74   US 52393  Corporacion Dana S.A.
186.179.47.205  US 52393  Corporacion Dana S.A.
186.179.47.39   US 52393  Corporacion Dana S.A.
191.102.149.106 US 394474 WHITELABELCOLO393
191.102.149.197 US 394474 WHITELABELCOLO393
191.102.149.253 US 394474 WHITELABELCOLO393
191.102.163.202 US 394474 WHITELABELCOLO393
191.102.163.208 US 394474 WHITELABELCOLO393
191.102.163.7   US 394474 WHITELABELCOLO393
191.102.163.74  US 394474 WHITELABELCOLO393
191.102.170.173 US 394474 WHITELABELCOLO393
191.102.170.81  US 394474 WHITELABELCOLO393
191.102.174.128 US 394474 WHITELABELCOLO393
191.102.174.211 US 394474 WHITELABELCOLO393
191.102.174.239 US 394474 WHITELABELCOLO393
191.102.174.247 US 394474 WHITELABELCOLO393
191.102.174.52  US 394474 WHITELABELCOLO393
191.102.179.22  US 394474 WHITELABELCOLO393
191.102.179.31  US 394474 WHITELABELCOLO393
191.102.179.62  US 394474 WHITELABELCOLO393
192.198.123.164 US 55286  SERVER-MANIA
192.198.123.225 US 55286  SERVER-MANIA
192.198.123.226 US 55286  SERVER-MANIA
192.198.123.43  US 55286  SERVER-MANIA
192.241.67.128  US 55286  SERVER-MANIA
193.32.8.1      US 201814 Meverywhere sp. z o.o.
193.32.8.33     US 201814 Meverywhere sp. z o.o.
193.32.8.63     US 201814 Meverywhere sp. z o.o.
193.32.8.76     US 201814 Meverywhere sp. z o.o.
193.8.238.91    US 60781  LeaseWeb Netherlands B.V.
195.123.246.212 CZ 204957 ITL-Bulgaria Ltd.
198.245.77.132  US 55081  24SHELLS
198.245.77.217  US 55081  24SHELLS
198.245.77.253  US 55081  24SHELLS
206.127.242.99  US 201106 Spartan Host Ltd
209.127.104.174 US 55286  SERVER-MANIA
209.127.105.225 US 55286  SERVER-MANIA
209.127.105.73  US 55286  SERVER-MANIA
209.127.106.211 US 55286  SERVER-MANIA
209.127.106.44  US 55286  SERVER-MANIA
209.127.107.141 US 55286  SERVER-MANIA
209.127.107.169 US 55286  SERVER-MANIA
209.127.107.187 US 55286  SERVER-MANIA
209.127.109.138 US 55286  SERVER-MANIA
209.127.109.225 US 55286  SERVER-MANIA
209.127.109.87  US 55286  SERVER-MANIA
209.127.110.144 US 55286  SERVER-MANIA
209.127.110.177 US 55286  SERVER-MANIA
209.127.111.68  US 55286  SERVER-MANIA
209.127.111.99  US 55286  SERVER-MANIA
209.127.116.101 US 55286  SERVER-MANIA
209.127.116.167 US 55286  SERVER-MANIA
209.127.116.231 US 55286  SERVER-MANIA
209.127.117.214 US 55286  SERVER-MANIA
209.127.117.49  US 55286  SERVER-MANIA
209.127.118.136 US 55286  SERVER-MANIA
209.127.118.96  US 55286  SERVER-MANIA
209.127.172.15  US 55081  24SHELLS
209.127.172.60  US 55081  24SHELLS
209.127.172.99  US 55081  24SHELLS
209.127.173.13  US 55081  24SHELLS
209.127.173.154 US 55081  24SHELLS
209.127.173.215 US 55081  24SHELLS
209.127.174.177 US 55081  24SHELLS
209.127.175.113 US 55081  24SHELLS
209.127.97.6    US 55286  SERVER-MANIA
209.127.98.244  US 55286  SERVER-MANIA
209.127.98.81   US 55286  SERVER-MANIA
209.127.98.91   US 55286  SERVER-MANIA
209.127.99.16   US 55286  SERVER-MANIA
209.127.99.205  US 55286  SERVER-MANIA
217.170.207.111 NO 34989  ServeTheWorld AS
23.106.125.64   SG 59253  Leaseweb Asia Pacific pte. ltd.
45.72.112.143   US 55081  24SHELLS
45.72.18.133    US 55081  24SHELLS
45.72.18.234    US 55081  24SHELLS
45.72.18.236    US 55081  24SHELLS
45.72.31.112    US 55081  24SHELLS
45.72.85.178    US 55081  24SHELLS
45.72.86.142    US 55081  24SHELLS
45.72.86.201    US 55081  24SHELLS
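The list above is a set of source addresses, so the obvious first use is to run it over the store's web server access logs. The Python below is an added example, not tooling from Sansec: it reads indicators in the page's own "IP country ASN name" layout and reports every logged request from one of those addresses. The three-line indicator excerpt and the combined-format log lines are constructed for the demonstration; a real run would load the full list and the real logs.

```python
import ipaddress
import re
from typing import List, Set, Tuple

# Constructed excerpt of the indicator list in the page's own layout.
IOC_TEXT = """\
193.32.8.1      US 201814 Meverywhere sp. z o.o.
195.123.246.212 CZ 204957 ITL-Bulgaria Ltd.
45.72.86.201    US 55081  24SHELLS
"""

# Constructed Apache/nginx combined-format lines, not from a real incident.
ACCESS_LOG = """\
203.0.113.7 - - [10/Feb/2022:09:14:02 +0000] "GET /customer/account/create/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
193.32.8.1 - - [10/Feb/2022:09:15:33 +0000] "POST /api_1.php HTTP/1.1" 200 77 "-" "curl/7.68.0"
198.51.100.9 - - [10/Feb/2022:09:16:01 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
45.72.86.201 - - [10/Feb/2022:09:20:45 +0000] "GET /customer/account/create/ HTTP/1.1" 200 5120 "-" "python-requests/2.25"
"""

# remote host, ident, user, [timestamp], "METHOD path protocol", status
_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_iocs(text: str) -> Set[str]:
    """Keep the first field of each line when it is a valid IP address.

    Header lines, blank lines and anything else that is not an address
    are skipped, so the page's list can be pasted in as-is.
    """
    iocs: Set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            iocs.add(str(ipaddress.ip_address(fields[0])))
        except ValueError:
            continue
    return iocs


def match_log(log_text: str, iocs: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, method, path) for every request from an IoC address."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if m and m.group(1) in iocs:
            hits.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return hits


if __name__ == "__main__":
    for ip, ts, method, path in match_log(ACCESS_LOG, parse_iocs(IOC_TEXT)):
        print(f"{ts} {ip} {method} {path}")
```

Treat a hit as a lead, not a verdict: these are addresses at bulk hosting providers, and they will be reassigned over time, so the value of the list decays. Hits that coincide with requests to the sign-up page or to an unfamiliar PHP file in the web root are the ones worth pulling the full request history for.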
