It’s a nightmare. Your production environment was compromised and you actually don’t know how and how much data was stolen. For sure there are different ways to be compromised. In this post I just want to explain, how hackers can get full access to your production environment by using image files.
As explained on Snapfast and Sucuri it is pretty easy to store any kind of PHP code in EXIF headers. Often times it only needs a simple script to create an administrator account. If you are using third-party extensions with an image upload function or if you are late with the last security update, there is a high risk to be compromised.
You can use commands like svn status or git status to find changes, but this is no guarantee to find malicious code, because oftentimes your /media/ or similar folders are not version controlled.
Here is one simple command how you can find infected image files.
1 2 |
$ cd /var/www/{{{MAGENTO}}}/ $ find . -iregex '.*\.\(jpg\|gif\)' -exec grep -o -P 'base64_decode' {} \; |
In case if any file is infected, you will see the following search result.
1 |
Binary file ./media/test.jpg matches |