Wednesday, August 10, 2016

How to locate a Magento credit card leak

I recently got the chance to help a Magento store owner who was getting complaints from customers that their credit cards were being misused after they had made a purchase on the site.

It turned out to be a fairly smart attacker. Here are the steps I took to locate the issue.

First I used tcpdump to capture all traffic for a couple of hours and did a quick pass over it looking for anything out of place: card data going out over SMTP on port 25, a plain HTTP POST to somewhere it should not go, or, for HTTPS, TLS connections to an unfamiliar host. Sorting the certificates seen in the capture makes an odd third-party host stand out quickly. One caveat: a server-side capture only shows exfiltration from the server itself; a skimmer injected into the checkout page's JavaScript sends the data straight from the shopper's browser and never shows up here.

Nothing special turned up: nearly all of it was traffic to the site itself plus a few third-party API calls such as shipping rate lookups and the FedEx integration.
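As an added example (not a script from the original post), this is how I would triage such a capture offline once it has been dumped as text. The sample lines are constructed to look like `tcpdump -nn` output, 10.0.0.5 stands in for the shop's own address, and the allowlist of expected destinations is an assumption: in a real case it comes from the payment gateway and shipping APIs the shop is known to call.

```shell
# Text of the kind produced by, for example:
#   tcpdump -nn -i eth0 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'
# The sample is constructed; 10.0.0.5 is the shop, the other addresses are documentation ranges.
make_sample_capture() {
    cat > "$1" <<'EOF'
10:01:02.000001 IP 10.0.0.5.51000 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
10:01:02.000002 IP 10.0.0.5.51001 > 198.51.100.10.443: Flags [S], seq 2, win 64240, length 0
10:01:05.000003 IP 203.0.113.9.40000 > 10.0.0.5.443: Flags [S], seq 3, win 64240, length 0
10:01:07.000004 IP 10.0.0.5.51002 > 192.0.2.77.25: Flags [S], seq 4, win 64240, length 0
10:01:09.000005 IP 10.0.0.5.51003 > 192.0.2.200.80: Flags [S], seq 5, win 64240, length 0
10:01:11.000006 IP 10.0.0.5.51004 > 198.51.100.10.443: Flags [S], seq 6, win 64240, length 0
EOF
}

# outbound_summary CAPTURE SHOP_IP
# Counts the new connections the shop itself opened, per destination ip:port.
# Inbound SYNs (shoppers, crawlers) are ignored: only what the server reaches
# out to can carry data away from the server.
outbound_summary() {
    awk -v me="$2" '
        $2 == "IP" && /Flags \[S\]/ {
            split($3, s, ".")                    # a.b.c.d.port
            split($5, d, ".")                    # a.b.c.d.port: (trailing colon)
            sip = s[1] "." s[2] "." s[3] "." s[4]
            dip = d[1] "." d[2] "." d[3] "." d[4]
            dport = d[5]; sub(/:$/, "", dport)
            if (sip == me) hits[dip ":" dport]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" | sort -rn
}

# flag_suspicious CAPTURE SHOP_IP ALLOWLIST
# ALLOWLIST holds one expected "ip:port" per line. Everything else is printed;
# mail ports get their own tag because a hook mailing card numbers out is the
# first thing to rule out.
flag_suspicious() {
    outbound_summary "$1" "$2" | while read -r count dst; do
        grep -qxF -- "$dst" "$3" && continue
        case "${dst##*:}" in
            25|465|587) printf 'MAIL    %s %s\n' "$count" "$dst" ;;
            *)          printf 'UNKNOWN %s %s\n' "$count" "$dst" ;;
        esac
    done
}

# Stand-alone demo on the constructed capture.
demo_dir=$(mktemp -d)
make_sample_capture "$demo_dir/capture.txt"
printf '198.51.100.10:443\n' > "$demo_dir/allow.txt"
flag_suspicious "$demo_dir/capture.txt" 10.0.0.5 "$demo_dir/allow.txt"
```

On the constructed sample the three connections to the allowed 198.51.100.10:443 disappear and what remains is one SMTP connection and one plain HTTP connection, which are exactly the two things worth opening in the pcap.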

Next I analysed the request log for any URL getting an unusually large number of hits from a single IP. A couple of standard Linux commands handle the aggregation:

# the two fields printed are the URL and the client IP; their numbers depend on the log format
# (in Apache/Nginx combined format they are $7 and $1)
awk '{print $8, $2}' requestlog|sort|uniq -c|sort -r -n|more

Again nothing special: the heaviest hitters were Google's crawler IPs.

Feeling a little frustrated by now (this had to be a smart hacker), I switched to watching for file changes. If the attacker intercepts the request and stores it somewhere on the server, a write has to happen, and I will find the file it lands in.

So I placed an order with a dummy credit card, went to the Magento document root, and listed every file changed within the last five minutes:

 find . -mmin -5 -ls

There we go: a file called db-tab-footer_bg.gif had been modified minutes ago. Fresh writes under var/ (cache, sessions, logs) and media/ are normal, but a GIF under the skin directory should never change. Opening it showed it was not really an image at all: the contents were opaque encrypted blobs, which could only be the card data being collected.
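As an added example (not the post's own command), here is the same check with two practitioner refinements: it skips the directories Magento is expected to write to, and for every changed file that claims to be an image it compares the first bytes against the format's magic number, so a "gif" full of base64 text is reported on the spot. The miniature Magento tree it builds is constructed, and db-tab-footer_bg.gif is recreated only as a stand-in for the dropped file described above.

```shell
# make_sample_tree ROOT
# Constructed miniature of a Magento 1 document root: one real GIF header,
# one "gif" whose body is base64 text (the shape of the dropped file), one
# config file, and a cache entry that legitimately changes all the time.
make_sample_tree() {
    root=$1
    mkdir -p "$root/skin/frontend/base/default/images" "$root/app/etc" "$root/var/cache"
    printf 'GIF89a\001\001;' > "$root/skin/frontend/base/default/images/logo.gif"
    printf 'c29tZSBvcGFxdWUgYmxvYg==\n' > "$root/skin/frontend/base/default/images/db-tab-footer_bg.gif"
    printf '<config/>\n' > "$root/app/etc/local.xml"
    printf 'cache entry\n' > "$root/var/cache/constructed"
}

# First four bytes of a file as lowercase hex, e.g. 47494638 for "GIF8".
file_magic_hex() { head -c 4 "$1" | od -An -tx1 | tr -d ' \n'; }

# Magic bytes an honest file with this extension must start with.
expected_magic_hex() {
    case "$1" in
        gif)      echo 47494638 ;;   # "GIF8"
        png)      echo 89504e47 ;;   # "\x89PNG"
        jpg|jpeg) echo ffd8ff   ;;   # JPEG SOI marker
        *)        echo ;;
    esac
}

# recent_changes ROOT MINUTES
# Files modified in the last MINUTES, excluding var/ and media/. Image files
# whose bytes disagree with their extension are tagged SUSPECT.
recent_changes() {
    root=$1; mins=$2
    find "$root" -type f -mmin "-$mins" ! -path "$root/var/*" ! -path "$root/media/*" | sort |
    while read -r f; do
        ext=$(basename "$f" | sed -n 's/.*\.//p' | tr 'A-Z' 'a-z')
        want=$(expected_magic_hex "$ext")
        if [ -z "$want" ]; then
            printf '%-7s %s\n' CHANGED "$f"
            continue
        fi
        have=$(file_magic_hex "$f")
        case "$have" in
            "$want"*) printf '%-7s %s\n' OK "$f" ;;
            *)        printf '%-7s %s (claims .%s, starts with 0x%s)\n' SUSPECT "$f" "$ext" "$have" ;;
        esac
    done
}

# Stand-alone demo: everything in the constructed tree was just written, so
# all of it is "recent"; only the fake GIF is flagged.
demo_root=$(mktemp -d)/shop
make_sample_tree "$demo_root"
recent_changes "$demo_root" 5
```

On a live box, run it right after placing the test order, and remember that an attacker can reset mtimes with touch; a hash baseline taken earlier (or the package manager's own verification for vendored files) catches what a time window misses.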

Checking the access log, there were very few requests for this file: about one a week, always from the attacker's IP.
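One added example covers both log questions on this page, the hit aggregation from earlier and the "who fetches this file" check just described; it is not from the original post. The access log lines are constructed in Apache/Nginx combined format, and the addresses are documentation ranges standing in for a crawler, a shopper and the attacker.

```shell
# Constructed combined-format access log: a crawler hammering one product page,
# a shopper checking out, and a non-browser client pulling the dropped "gif"
# once a week.
make_sample_access_log() {
    cat > "$1" <<'EOF'
66.249.66.1 - - [09/Aug/2016:10:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
66.249.66.1 - - [09/Aug/2016:10:00:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
66.249.66.1 - - [09/Aug/2016:10:00:03 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.23 - - [09/Aug/2016:10:05:10 +0000] "GET /skin/frontend/base/default/images/logo.gif HTTP/1.1" 200 2048 "http://shop.example/checkout/" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [09/Aug/2016:10:05:12 +0000] "POST /checkout/onepage/savePayment/ HTTP/1.1" 200 310 "http://shop.example/checkout/" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.45 - - [02/Aug/2016:03:14:07 +0000] "GET /skin/frontend/base/default/images/db-tab-footer_bg.gif HTTP/1.1" 200 8812 "-" "curl/7.47.0"
203.0.113.45 - - [09/Aug/2016:03:14:09 +0000] "GET /skin/frontend/base/default/images/db-tab-footer_bg.gif HTTP/1.1" 200 9120 "-" "curl/7.47.0"
EOF
}

# top_ip_paths LOG
# Hits per (client IP, request path), busiest first. In combined format the
# client IP is field 1 and the request path field 7; adjust for other formats.
top_ip_paths() {
    awk '{print $1, $7}' "$1" | sort | uniq -c | sort -rn
}

# who_fetched LOG PATH
# Every client that requested PATH, with hit count and user agent. A static
# asset only ever pulled by one curl client is the pickup of a drop file.
who_fetched() {
    awk -v p="$2" '$7 == p {
        ua = $0; sub(/.*" "/, "", ua); sub(/"$/, "", ua)   # last quoted field
        print $1, ua
    }' "$1" | sort | uniq -c | sort -rn
}

# fetch_days LOG PATH
# Distinct days on which PATH was requested: shows the "once a week" rhythm.
fetch_days() {
    awk -v p="$2" '$7 == p { print substr($4, 2, 11) }' "$1" | sort -u
}

# Stand-alone demo on the constructed log.
demo_log=$(mktemp -d)/access.log
make_sample_access_log "$demo_log"
top_ip_paths "$demo_log" | head -3
who_fetched "$demo_log" /skin/frontend/base/default/images/db-tab-footer_bg.gif
fetch_days "$demo_log" /skin/frontend/base/default/images/db-tab-footer_bg.gif
```

The aggregation alone would have shown the crawler on top, as it did for the author; it is the second query, run against a specific file that should never be interesting to anyone, that exposes the collector.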

Now it was time to find out how the data was being captured and dumped into that file.
I simply searched every PHP file for the string db-tab-footer_bg.gif.
It was in the global config file; here is the gist of what it did: the injected code intercepts every POST request, encrypts the body with the attacker's RSA public key, and appends the result to the GIF file. Since only the attacker holds the matching private key, nobody else can decrypt what was collected, not even someone who finds the file.
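The name search is the quick win, but the next hook will use a different file name. As an added example (not the post's own method), here is the name search widened to every file type, next to a sweep for the functions a POST-capturing, public-key-encrypting hook cannot do without. The indicator list is this example's own assumption, not a vendor signature set, and the fixture tree is constructed: app/etc/config.php stands in for the global config file the post mentions and only carries the indicator strings so the sweep has something to find.

```shell
# make_sample_codebase ROOT
# Constructed fixture: one file standing in for the hooked config file, one
# core-style model whose legitimate cache write trips a single indicator.
make_sample_codebase() {
    root=$1
    mkdir -p "$root/app/etc" "$root/app/code/core/Mage/Core/Model" "$root/var/cache"
    cat > "$root/app/etc/config.php" <<'EOF'
<?php
// constructed fixture, carries the indicator strings only
$payload = serialize($_POST['payment']);
openssl_public_encrypt($payload, $blob, $attacker_public_key);
file_put_contents('skin/frontend/base/default/images/db-tab-footer_bg.gif', base64_encode($blob), FILE_APPEND);
EOF
    cat > "$root/app/code/core/Mage/Core/Model/Cache.php" <<'EOF'
<?php
// constructed fixture: a legitimate cache write that also trips one indicator
file_put_contents($this->cacheFile, serialize($data));
EOF
    printf 'cached\n' > "$root/var/cache/constructed"
}

# references_to ROOT STRING
# Every file under ROOT that mentions STRING, not only *.php: a hook can just
# as well sit in .htaccess, a .phtml template or an XML layout.
references_to() {
    find "$1" -type f ! -path "$1/var/*" ! -path "$1/media/*" -exec grep -lF -- "$2" {} + | sort
}

# indicator_hits ROOT
# Lines in code and config files calling functions a checkout skimmer needs:
# reading the POST body, encrypting or encoding it, and writing it somewhere.
indicator_hits() {
    find "$1" -type f ! -path "$1/var/*" ! -path "$1/media/*" \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.xml' -o -name '.htaccess' \) \
        -exec grep -HnE 'openssl_public_encrypt|openssl_encrypt|_POST\[|file_put_contents|base64_encode|gzdeflate|eval\(' {} +
}

# rank_by_indicators ROOT
# Files ordered by how many indicator lines they contain. One hit is routine
# (a model writing its cache); a handful in a config file is the hook.
rank_by_indicators() {
    indicator_hits "$1" | awk -F: '{ c[$1]++ } END { for (f in c) print c[f], f }' | sort -rn
}

# Stand-alone demo on the constructed tree.
demo_root=$(mktemp -d)/shop
make_sample_codebase "$demo_root"
references_to "$demo_root" db-tab-footer_bg.gif
rank_by_indicators "$demo_root"
```

Review the top of the ranking by hand; the point of the sweep is to shrink the code base to a few files worth reading, and a clean diff against a pristine copy of the same Magento release remains the most reliable way to confirm what was changed.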

Now it's time to get rid of the backdoor and do the housekeeping: find out how the backdoor was injected onto the server in the first place, because removing the hook without closing the entry point just invites it back, and treat every card entered between the injection and now as compromised.

