Magento Shoplift Bug (SUPEE-5344) & How To Fix It Once Infected

On February 9, 2015 Magento issued a patch for the Shoplift Bug (SUPEE-5344), a vulnerability that opens you up to potential remote code execution exploits.

Unfortunately, I have had to deal with two sites that weren’t patched in time and fell victim to the exploit. Looking round the web there was a lot of information letting people know the patching process and the risks of not patching as soon as possible, however, I couldn’t find much in the way of fixing an already infected site.

Obviously the best and safest way to solve this is by reverting to a safe copy and patching that, but if you land in a position like myself and don’t have access to such luxuries then below is a list of steps that might help you out.

Firstly, here are some common symptoms of the Shoplift Bug, many of which I saw occur:

  • Unauthorized admin users added under System -> Permissions -> Users
  • Passwords of current admin users changed
  • Current admin accounts deleted completely (how to fix)
  • Unauthorized .csv file exports in var/export/
  • New vouchers being created/used out of the blue
  • PHP files in media/ directory
  • Messed up permissions
  • New pages added, often with customer data inside

For more symptoms and to use Byte’s Shoplift Bug tester click here…

Now, down to the nitty gritty.

Below are the affected files I found in my ventures and some more compiled from around the web. I will point out though that one of the sites I checked seemed as if it had also fallen victim to a different exploit too (specifically SUPEE-1533 from Oct 3, 2014) so some of these may not be relevant in your situation. Certainly no harm in checking anyway though!

Changed files/directories:

  • index.php
  • js/index.php
  • js/ccard.js
  • lib/Varien/Db/Adapter/Pdo/Mysql.php
  • app/code/core/Mage/Cms/controllers/IndexController.php
  • downloader/cache.cfg
  • downloader/pearlib/php/PEAR/Command/Mage.php
  • downloader/pearlib/php/PEAR/Installer/Role/Mage.php
  • lib/Varien/Autoload.php

Newly added files/directories:

  • js/api.php
  • app/code/community/Magpleasure/
  • app/design/adminhtml/default/default/layout/filesystem.xml
  • app/design/adminhtml/default/default/template/filesystem/
  • app/etc/modules/Magpleasure_Filesystem.xml
  • downloader/.cache/community/File_System-1.0.0.tgz
  • js/editarea/
  • js/filesystem/
  • js/File_System-1.0.0.tgz
  • skin/adminhtml/default/default/filesystem/
  • var/importexport/*.csv (check any files here as I found a nasty code hidden inside a spreadsheet file in this location)
  • media/dhl/info.php
  • js/flash/FrontendHtml.phar.php
  • js/extjs/resources/images/magento/basic-dialog/MagentoLib.php

These are all affected files I have found so far but I’m sure many more could just as easily be edited. If you notice anything extra in your installations let me know in the comments below and I’ll get it added to the list too.

Tips to fix:

In your FTP client of choice there is usually an option to order files/directories by date modified. If you take a look at the files that have been edited recently chances are you can get an idea of when the exploit took place and fix any suspicious files edited around that date accordingly.

It is also helpful to have reference to what has been added to these files so that you don’t delete anything important. The best way to do this is if you have a clean copy for comparison. If this is not the case you should download a fresh copy of your Magento version and use that for comparison.

Also, on the note of clean copies (if you do have one) another option could be to export your recent customer/order information and inject it into an older, safer copy you have lying around.

And last but not least…

Here are a couple of things that you should do after everything looks fixed:

  • Change all admin passwords
  • Change database password
  • Install all patches (clear cache and recompile after)
  • Fix all permissions
  • Keep a close eye on your sites access log, user list and any affected files for a few weeks to make sure they aren’t hit again.

EDIT: Just found Check Point vulnerability analysis which is definitely worth a  read to get in the mind of an attacker using this exploit. Check it out here…