July 1, 2015

Magento Shoplift (SUPEE-5344) Site Remediation Helper

We finished an initial remediation on a site infected via SUPEE-5344 (see previous article). We built a script, tuned to find files infected with the particular variant of this nasty bug that we encountered. We are providing it (without support or warranty) to the rest of the eCommerce world in the hope that it helps some folks clean their shop.

We highly recommend that folks get a web application firewall such as Incapsula or Cloudways nowadays. It's not fool-proof, but it can help mitigate some of these exploits before they begin.

Please note that this script will NEED to be adjusted to your environment and your particular infection. It WILL generate a lot of false positives, so you will need to tune the keyword and ignore lists. It was a very quick script and can definitely be improved upon; please feel free to contact us if you have any suggestions or improvements.

Magento Shoplift (SUPEE-5344) Remediation Helper

<?php
// Extensions to ignore (binary assets and text formats unlikely to carry injected PHP).
$extensions = array("gif","png","pdf","bmp","jpg","gz","svn","csv","xml","old","js","txt","wsdl","tif","woff","ttf");

// Full paths of files to ignore (known false positives found while tuning).
$ignore = array(
    "/home/site/public_html/app/code/community/Auctane/Api/Model/Server/Adapter.php",
);

$myfile = fopen("badfiles.txt", "w");
// Adjust to the document root of your shop.
$path = realpath('/home/magedir/public_html');

// Keywords to trigger on (tune these to your variant).
$alarms = array(
    '$auth_pass',
    'zipfile_mod',
    'yummy',
    'loglogin'
);

$objects = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path));
foreach ($objects as $name => $object) {
    if (in_array($name, $ignore)) continue;

    // Skip the "." and ".." entries the iterator yields for every directory.
    $adot = substr($name, -1);
    $twodots = substr($name, -2);
    if ("." === $adot || ".." === $twodots) continue;

    $info = new SplFileInfo($name);
    $fname = $info->getFileName();
    if (stripos($fname, ".svn") !== false) continue;
    if (in_array(strtolower($info->getExtension()), $extensions)) continue;

    $handle = fopen($name, 'r');
    if ($handle === false) continue; // unreadable file, cannot be scanned
    $valid = false; // becomes true on the first keyword hit
    $alarmname = '';
    while (($buffer = fgets($handle)) !== false) {
        foreach ($alarms as $alarm) {
            if (stripos($buffer, $alarm) !== false) {
                $valid = true;
                $alarmname = $alarm;
                break;
            }
        }
        if ($valid) break;
    }
    fclose($handle);
    if ($valid) fwrite($myfile, $name . " ($alarmname) \n");
}
fclose($myfile);
?>
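The script above only records which file tripped which keyword, so every line of badfiles.txt still has to be opened by hand, and the only way to silence a known-good file is to add its full path to the ignore list. The following is an added example (written for this page, not the remediation script above or anything from Magento) of the same keyword scan extended with two things a practitioner wants when tuning: each hit carries the line number and a short excerpt, and an allowlist of (path suffix, keyword) pairs suppresses matches already reviewed as benign. The keywords are the ones from the script; the file names, directory layout and the allowlist entry are constructed for the demonstration, and the sample tree is created under the system temp directory.

```php
<?php
// Added example, not the original remediation script. Keyword scanner that
// reports line number and excerpt per hit and suppresses reviewed matches.

function scanFile(string $path, array $alarms): ?array
{
    $h = @fopen($path, 'r');
    if ($h === false) {
        // Unreadable file: surface it instead of silently leaving it unscanned.
        return ['file' => $path, 'alarm' => '(unreadable)', 'line' => 0, 'excerpt' => ''];
    }
    $lineNo = 0;
    try {
        while (($buffer = fgets($h)) !== false) {
            $lineNo++;
            foreach ($alarms as $alarm) {
                $pos = stripos($buffer, $alarm);
                if ($pos !== false) {
                    // Keep a little context around the keyword for quick triage.
                    $start = max(0, $pos - 30);
                    $excerpt = trim(substr($buffer, $start, 80));
                    return ['file' => $path, 'alarm' => $alarm, 'line' => $lineNo, 'excerpt' => $excerpt];
                }
            }
        }
    } finally {
        fclose($h);
    }
    return null;
}

function scanTree(string $root, array $alarms, array $skipExt, array $allow): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if (!$info->isFile()) continue;
        if (in_array(strtolower($info->getExtension()), $skipExt, true)) continue;
        $hit = scanFile($path, $alarms);
        if ($hit === null) continue;
        // Suppress (path suffix, keyword) pairs that have already been reviewed.
        foreach ($allow as [$suffix, $kw]) {
            if ($kw === $hit['alarm'] && substr($path, -strlen($suffix)) === $suffix) {
                continue 2;
            }
        }
        $hits[] = $hit;
    }
    return $hits;
}

// Constructed sample tree (file names and contents are made up for the demo).
$root = sys_get_temp_dir() . '/shoplift-demo-' . getmypid();
mkdir("$root/app/code", 0700, true);
file_put_contents("$root/app/code/Good.php", "<?php\nclass Good {}\n");
file_put_contents("$root/app/code/Dropped.php", "<?php\n\$x = 1;\n\$auth_pass = 'constructed';\n");
file_put_contents("$root/app/code/Vendor.php", "<?php\n// mentions loglogin legitimately\n");
file_put_contents("$root/logo.png", 'not scanned, extension is skipped');

$alarms  = ['$auth_pass', 'zipfile_mod', 'yummy', 'loglogin'];   // from the script above
$skipExt = ['gif', 'png', 'pdf', 'jpg', 'js', 'txt'];
$allow   = [['app/code/Vendor.php', 'loglogin']];                 // reviewed, benign (constructed)

foreach (scanTree($root, $alarms, $skipExt, $allow) as $hit) {
    printf("%s:%d (%s) %s\n", $hit['file'], $hit['line'], $hit['alarm'], $hit['excerpt']);
}

// Remove the constructed tree again.
foreach (['app/code/Good.php', 'app/code/Dropped.php', 'app/code/Vendor.php', 'logo.png'] as $f) {
    unlink("$root/$f");
}
rmdir("$root/app/code"); rmdir("$root/app"); rmdir($root);
```

On the constructed tree, Good.php has no keyword, Vendor.php is suppressed by the allowlist entry, logo.png is skipped by extension, and only Dropped.php is printed, with the line on which $auth_pass appears. Matching on a path suffix rather than a full path keeps the allowlist portable between a staging copy and the live document root; the trade-off is that a suffix like app/code/Vendor.php also matches any file with that tail under a different parent, so keep suffixes long enough to be unambiguous for your tree.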