May 18, 2015

Magento Shoplift (SUPEE-5344) Site Remediation

SUPEE-5344 has been in the wild for a while now, but this is the first site that we’ve had an opportunity to remediate.

The basic effect on the site is that it starts serving hidden content links: a variety of stealth links for pharma products. Links containing references to various pharma terms like Viagra etc. are ONLY present when the page is crawled by the Google Bot. The way we detected it was to alter our browser’s UA to appear to be a Google Bot.
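The UA-based check described above, written out as an added example (not code from the original post): the same URL is fetched once with a browser User-Agent and once with a Googlebot User-Agent, and any links that appear only in the Googlebot response are reported. The `fetch()` helper and the two constructed sample pages are assumptions for illustration, not captures from the affected site.

```python
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# User-Agent strings: one normal browser, one imitating Googlebot.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/38.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkExtractor(HTMLParser):
    """Collects every href of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return set(parser.links)


def cloaked_links(browser_html, bot_html):
    """Links served to the crawler but withheld from a normal browser."""
    return sorted(extract_links(bot_html) - extract_links(browser_html))


def fetch(url, user_agent):
    # Hypothetical helper: plain GET with a chosen User-Agent header.
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", "replace")


def check_site(url):
    """Fetch a page with both UAs and return the crawler-only links."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed sample responses standing in for the two fetches.
NORMAL_SAMPLE = """<html><body>
<a href="/customer/account/login/">Login</a>
<a href="/catalog/category/view/id/3">Shoes</a>
</body></html>"""

BOT_SAMPLE = """<html><body>
<a href="/customer/account/login/">Login</a>
<a href="/catalog/category/view/id/3">Shoes</a>
<div style="display:none"><a href="http://pharma.example/buy-viagra">buy viagra</a>
<a href="http://pharma.example/cialis">cialis</a></div>
</body></html>"""
```

Cloaking keyed on the crawler's source IP or reverse DNS rather than the User-Agent will not show up in this comparison, so an empty result is not proof that a site is clean.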

We then proceeded to diff all of the files that were changed and discovered the main culprits.

First, the main “index.php” file was modified to include a file called “lib/Zend/Tool/Project/Context/System/functions.php”. We are still trying to figure out what that file does, but it contains MB functions that are very similar to WP functions (i.e. mb_get_query_template, etc.). This entire file appears to be custom built for the customer’s specific Magento install; there are references to their custom Magento theme throughout. As soon as the reference to that “functions.php” file was removed from the “index.php” file, the stealth links stopped being served. It seems very similar to this article.

The case is still ongoing, but hopefully this information can help others.

Update 5/19/15
After running a turnkey scan, these other infected files were located:
/mageroot/app/code/core/Mage/Adminhtml/Model/System/Config/Source/Shipping/cache.php
/mageroot/app/code/core/Mage/Checkout/Block/Multishipping/list.php
/mageroot/app/code/local/FavoredMinds/Vendor/controllers/Adminhtml/users.php
/mageroot/media/catalog/product/p/e/peacock-pi_1.php
/mageroot/media/catalog/product/g/r/cache.php
/mageroot/skin/adminhtml/default/default/images/xmlconnect/.index.php
/mageroot/blog/wp-content/plugins/wp-hide-post/.config.php
/mageroot/blog/wp-content/plugins/w3-total-cache/inc/options/support/form/.list.php