Audit

It’s a nightmare. Your production environment was compromised and you actually don’t know how and how much data was stolen. For sure there are different ways to be compromised. In this post I just want to explain, how hackers can get full access to your production environment by using image files.

As explained on Snapfast and Sucuri it is pretty easy to store any kind of PHP code in EXIF headers. Often times it only needs a simple script to create an administrator account. If you are using third-party extensions with an image upload function or if you are late with the last security update, there is a high risk to be compromised.

You can use commands like svn status or git status to find changes, but this is no guarantee to find malicious code, because oftentimes your /media/ or similar folders are not version controlled.

Here is one simple command how you can find infected image files.

$ cd /var/www/{{{MAGENTO}}}/
$ find . -iregex '.*\.\(jpg\|gif\)' -exec grep -o -P 'base64_decode' {} \;

1 2	$ cd /var/www/{{{MAGENTO}}}/ $ find . -iregex '.*\.$jpg\\|gif$' -exec grep -o -P 'base64_decode' {} \;

In case if any file is infected, you will see the following search result.

Binary file ./media/test.jpg matches

1	Binary file ./media/test.jpg matches

Improve your bug fixing routine with some simple grep commands. Run these commands before any production deployment just to make sure your new code is working properly. To reduce the output on your terminal, extend my examples as you can see below.

Count the results with ” wc -l ” at the end.

$ grep -oi 'undefined index' system.log | wc -l

1	$ grep -oi 'undefined index' system.log \| wc -l

Display the 1000 rows with ” tail -n 1000 ” at the beginning.

$ tail -n 1000 system.log | grep -i 'undefined index'

1	$ tail -n 1000 system.log \| grep -i 'undefined index'

1. System.log

1.1 Access to an array by a key that doesn’t exist

$ grep -i 'undefined index' system.log

1	$ grep -i 'undefined index' system.log

1.2 Use a variable that wasn’t previously defined

$ grep -i 'undefined variable' system.log

1	$ grep -i 'undefined variable' system.log

1.3 Debug output generated by Mage::log()

$ grep -i 'debug' system.log

1	$ grep -i 'debug' system.log

1.4 Any kind of permission issues

$ grep -i 'permission denied' system.log

1	$ grep -i 'permission denied' system.log

1.5 Missing Magento template files

$ grep -i 'not valid template file' system.log

1	$ grep -i 'not valid template file' system.log

1.6 Access to a non-object

$ grep -i 'trying to get property of non-object' system.log

1	$ grep -i 'trying to get property of non-object' system.log

1.7 Missing argument in a function call

$ grep -i 'missing argument' system.log

1	$ grep -i 'missing argument' system.log

1.8 Invalid argument supplied to a loop

$ grep -i 'invalid argument supplied' system.log

1	$ grep -i 'invalid argument supplied' system.log

Find all:

$ cat system.log | egrep -i '(debug|notice: undefined|permission denied|not valid template file|trying to get property of non-object|missing argument|invalid argument supplied)'

1	$ cat system.log \| egrep -i '(debug\|notice: undefined\|permission denied\|not valid template file\|trying to get property of non-object\|missing argument\|invalid argument supplied)'

2. Exception.log

2.1 Any kind if XML issues

$ grep -i 'xml schema' exception.log

1	$ grep -i 'xml schema' exception.log

2.2 Specific Authorize.net gateway issues

$ grep -i 'paygate.*gateway' exception.log

1	$ grep -i 'paygate.*gateway' exception.log

2.3 Specific PayPal gateway issues

$ grep -i 'paypal.*gateway' exception.log

1	$ grep -i 'paypal.*gateway' exception.log

2.4 Find general curl issues

$ grep -i 'curl' exception.log

1	$ grep -i 'curl' exception.log

Find all:

$ cat exception.log | egrep -i '(xml schema|paygate.*gateway|paypal.*gateway|curl)'

1	$ cat exception.log \| egrep -i '(xml schema\|paygate.gateway\|paypal.gateway\|curl)'

3. Reports

Find the last 10 error report files and grep for any kind of error message.
3.1 MySQL connection issues

$ ls -1t | head -10 | xargs grep -i 'mysql server' -sl

1	$ ls -1t \| head -10 \| xargs grep -i 'mysql server' -sl

3.2 Invalid config field

$ ls -1t | head -10 | xargs grep -i 'invalid config field' -sl

1	$ ls -1t \| head -10 \| xargs grep -i 'invalid config field' -sl

3.3 Unable to read response

$ ls -1t | head -10 | xargs grep -i 'unable to read response' -sl

1	$ ls -1t \| head -10 \| xargs grep -i 'unable to read response' -sl

3.4 External urls redirect

$ ls -1t | head -10 | xargs grep -i 'external urls redirect' -sl

1	$ ls -1t \| head -10 \| xargs grep -i 'external urls redirect' -sl

Find all:

ls -1t | head -10 | xargs  egrep -i '(mysql server|invalid config field|unable to read response|external urls redirect)' -sl

1	ls -1t \| head -10 \| xargs egrep -i '(mysql server\|invalid config field\|unable to read response\|external urls redirect)' -sl

4. Apache error logs

4.1 Find missing files caused by any reason

$ tail -n 1000 /var/log/httpd/{virtualhost}-error_log | grep -i 'file does not exist'

1	$ tail -n 1000 /var/log/httpd/{virtualhost}-error_log \| grep -i 'file does not exist'

Tag: Audit

Find Malware in Image Files

Practical grep command examples for your Magento log file audit

1. System.log

2. Exception.log

3. Reports

4. Apache error logs