Wednesday, August 10, 2016

How to locate Magento credit card leakage

Just got a chance to help locate a leak for a client whose customers complained about credit card fraud after making purchases on the site.

It turned out to be a very smart hacker. Here are the steps I took to locate the issue.

I used tcpdump to capture all traffic for a couple of hours and did a quick analysis to see whether there was anything unusual, like credit cards being sent out over SMTP on port 25, or in a plain HTTP POST. If the outbound traffic is HTTPS, you can sort by TLS certificate to spot any unfamiliar certificate that belongs to some evil third-party host.

Nothing special for me: most of it was traffic to this site plus some third-party API calls like shipping rate calculation and FedEx integration.

Then I did an analysis of the request log to look for any URL with a huge number of hits from the same IP. You can use some handy Linux commands to do the aggregation:

awk '{print $8$2}' requestlog|sort|uniq -c|sort -r -n|more

Nothing special; most hits came from Google's crawler IPs.

Feeling a little bit frustrated now; this must be a smart hacker. Next I watched for file changes within a 5 minute window: if the hacker intercepts the request and stores the data somewhere, I will definitely find out where he/she stores the file.

Go to the root directory of the Magento install and inspect all files changed within the last 5 minutes (I placed an order using a dummy credit card first):

 find . -mmin -5 -ls

There we go: one file called db-tab-footer_bg.gif was changed minutes ago. There should not be any change to gif files. This turned out to be a complicated "image" file, since it was entirely filled with encrypted data (it must be the credit cards in there).

If I check the access log, there are not a lot of requests to this file, only one a week, coming from the hacker's IP.
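The two access-log checks above (the awk aggregation of hits per URL and IP, and the "only one client ever fetches this gif" pattern) as a small parser I added for this write-up; it is not the post's own tooling. The log lines, IPs and the /images/ path are constructed sample data, not values from the incident.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx combined log format. The IPs, paths and
# timestamps are made up for this example and are not from the post.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Aug/2016:10:01:02 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
66.249.66.1 - - [10/Aug/2016:10:01:03 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
66.249.66.1 - - [10/Aug/2016:10:01:04 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
203.0.113.7 - - [10/Aug/2016:10:05:00 +0000] "POST /checkout/onepage/savePayment/ HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2016:10:05:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Aug/2016:11:00:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Aug/2016:02:00:00 +0000] "GET /images/db-tab-footer_bg.gif HTTP/1.1" 200 40960 "-" "curl/7.47.0"
198.51.100.9 - - [10/Aug/2016:02:00:00 +0000] "GET /images/db-tab-footer_bg.gif HTTP/1.1" 200 81920 "-" "curl/7.47.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
STATIC_EXT = (".gif", ".png", ".jpg", ".jpeg", ".css", ".js", ".ico")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hits_by_path_and_ip(log_text):
    """Same aggregation as the awk | sort | uniq -c pipeline: hits per (path, ip)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["path"], rec["ip"])] += 1
    return counts


def single_client_static_paths(log_text, max_hits=5):
    """Static assets that only one client ever fetched, at most max_hits times.

    A real image is requested by every visitor who renders the page; a drop file
    is fetched only by whoever comes to collect it, which is the access-log
    pattern described in the post."""
    clients = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].lower().endswith(STATIC_EXT):
            clients[rec["path"]][rec["ip"]] += 1
    flagged = []
    for path, per_ip in clients.items():
        if len(per_ip) == 1:
            ip, n = next(iter(per_ip.items()))
            if n <= max_hits:
                flagged.append((path, ip, n))
    return sorted(flagged)


if __name__ == "__main__":
    for (path, ip), n in hits_by_path_and_ip(SAMPLE_LOG).most_common(5):
        print(f"{n:5d} {ip:15s} {path}")
    print("single-client static paths:", single_client_static_paths(SAMPLE_LOG))
```

On the sample data the top hitter is the crawler, exactly the noise the post describes, while the gif is surfaced by the second function because nobody except one IP ever asks for it. Feed it a real log with `hits_by_path_and_ip(open("access.log").read())`.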

Now, time to locate how they capture the data and dump it to this file.
Just search all PHP files containing db-tab-footer_bg.gif.
It's in the global config file; here is the content. Essentially they intercept every POST request, encrypt it with his/her RSA public key and append it to the gif file. Nobody but the holder of the private key can decrypt it.
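The file-system side of the hunt (the find -mmin sweep, the "a gif that is not really a gif" observation, and the grep through PHP files for the file name) as one triage script. This is an added example written for this post, not the author's commands or Magento code; it builds a throwaway demo tree with a made-up app/config.php and /images/ layout, so the paths are placeholders and not the real install's.

```python
import os
import tempfile
import time
from pathlib import Path

# Expected leading bytes for common image types. A ".gif" whose first bytes are
# not one of these is not a GIF at all, which is what the post found.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def recently_modified(root, minutes):
    """Equivalent of `find . -mmin -N`: relative paths of files modified in the last N minutes."""
    root = Path(root)
    cutoff = time.time() - minutes * 60
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > cutoff
    )


def image_magic_mismatches(root):
    """Files with an image extension whose leading bytes do not match that format."""
    root = Path(root)
    bad = []
    for p in root.rglob("*"):
        magics = IMAGE_MAGIC.get(p.suffix.lower())
        if not p.is_file() or magics is None:
            continue
        with p.open("rb") as fh:
            head = fh.read(8)
        if not any(head.startswith(m) for m in magics):
            bad.append(str(p.relative_to(root)))
    return sorted(bad)


def files_referencing(root, needle, suffix=".php"):
    """Equivalent of `grep -rl needle --include=*.php`: PHP files that mention the name."""
    root = Path(root)
    hits = []
    for p in root.rglob(f"*{suffix}"):
        if p.is_file() and needle.encode() in p.read_bytes():
            hits.append(str(p.relative_to(root)))
    return sorted(hits)


def build_demo_webroot(base):
    """Constructed demo tree (not a real Magento install): one genuine GIF last
    touched a day ago, one "GIF" full of non-image bytes, and a hypothetical
    app/config.php that names it."""
    base = Path(base)
    (base / "images").mkdir(parents=True)
    (base / "app").mkdir()
    real = base / "images" / "logo.gif"
    real.write_bytes(b"GIF89a" + bytes(64))
    old = time.time() - 86400
    os.utime(real, (old, old))
    # Stand-in for the drop file: opaque bytes with no GIF header (constructed).
    (base / "images" / "db-tab-footer_bg.gif").write_bytes(bytes(range(32, 96)))
    # Placeholder config file referencing the drop file; not the post's backdoor code.
    (base / "app" / "config.php").write_text("<?php $dump = 'images/db-tab-footer_bg.gif';\n")
    return base


def run_demo():
    """Build the demo tree in a temp dir, run the three checks, return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_webroot(Path(tmp) / "webroot")
        return {
            "recent": recently_modified(root, 5),
            "fake_images": image_magic_mismatches(root),
            "references": files_referencing(root, "db-tab-footer_bg.gif"),
        }


if __name__ == "__main__":
    for name, paths in run_demo().items():
        print(f"{name}: {paths}")
```

Against a real web root, call the three functions directly with the document root as `root`. The magic-byte check is the one worth keeping around after the incident: run over the whole skin and media tree it catches a data file hiding behind an image extension even when it was not touched in the last five minutes.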

Now time to get rid of the backdoor and do the housekeeping to locate how they injected the backdoor on the server in the first place.

