Astra Security Blog

The Top 3 Most Common OpenCart & Magento Malware Infections

Last week was quite a busy one for our team. We tackled a number of website hack cases. A number of these involved malware infections, websites getting blacklisted by Google and even websites getting defaced by hackers. Statistically, the majority of these cases were from OpenCart, followed by Magento. The top three OpenCart & Magento malware infections/attack vectors found were:

  1. The Usual Base64 Encoded: This is the most common type of OpenCart & Magento malware infection. In this type of infection, hackers encode the malware code multiple times so that the store owner cannot understand it. Further, to deceive the store owner/IT team, the file containing the malware is given a name such as payments.php or shipping.php, or something else that the website owner takes to be a legitimate file belonging to the OpenCart/Magento file system. This type of malware usually changes the payment gateway keys in an attempt to redirect customer payments to payment systems owned by the hacker.

     [Image: An example of Base64 encoded malware]

  2. The Database Infection: Automated hacking scripts often look for vulnerabilities in websites that allow them to infect the website's database. If such a loophole is found, malicious scripts are injected into the website database. Usually, the purpose of this type of malware is to put links to websites run by hackers into the product descriptions/category descriptions of an e-commerce store. This technique is used to perform SEO spam and adware injection. Something similar was seen in WordPress this year, where a lot of WordPress websites were subject to SEO spam due to a critical vulnerability.

     [Image: Malicious JavaScript injected into the database, in the ‘Product Description’ column of the website]

  3. The Deadly Backdoor: This is one of the most critical OpenCart & Magento malware infections. We encountered multiple cases of this one last week. This malware is a backdoor which automatically adds an admin user to the system, with the username & password being ‘root’ (or anything else the hacker has specified).

     Last week, a customer whose store was infected by malware decided to use our malware cleanup services. In order to limit the exposure of the website to malware, we deployed Astra before starting the malware cleanup process. While the cleanup was still on, Astra detected the following login from Russia:

     This meant that someone had logged into the system from Russia, using ‘root’ as the username & password, while our client was from Europe, not Russia. Our team was quick to find the cause of this. There was a script which was running periodically and adding an additional admin user to the website. After this user was added, a hacker was logging into the website and changing the payment information.
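
For the first infection type in the list above (payloads Base64-encoded several times inside files named like payments.php), a cleanup-time check can unwrap string literals layer by layer and report what sits underneath. This is an added example, not Astra's tooling or code from the original post; the function names, the 40-character threshold, the layer limit and the sample file are assumptions constructed for illustration, and compressed (gzinflate) layers are not unwrapped.

```python
import base64
import binascii
import re

# Quoted runs of 40+ Base64-alphabet characters in PHP source.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
# Calls that typically show up once an obfuscated PHP payload is unwrapped.
SUSPICIOUS = re.compile(rb"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
MAX_LAYERS = 10  # assumption: give up after this many nested layers


def try_decode(data: bytes):
    """Return decoded bytes if data is strict Base64 that yields text, else None."""
    try:
        out = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in out)
    # Hashes and random tokens decode to mostly binary; treat those as non-matches.
    return out if out and printable / len(out) > 0.9 else None


def scan_php(source: str):
    """Report literals that unwrap through 2+ Base64 layers or into suspicious PHP."""
    findings = []
    for m in B64_LITERAL.finditer(source):
        layers, blob = 0, m.group(1).encode()
        while layers < MAX_LAYERS:
            # A decoded layer is either raw Base64 again or PHP wrapping a new literal.
            nested = B64_LITERAL.search(blob.decode("latin-1")) if layers else None
            decoded = try_decode(nested.group(1).encode() if nested else blob.strip())
            if decoded is None:
                break
            blob, layers = decoded, layers + 1
        if layers >= 2 or (layers and SUSPICIOUS.search(blob)):
            findings.append({"line": source.count("\n", 0, m.start()) + 1,
                             "layers": layers, "decoded": blob.decode("latin-1")})
    return findings


def build_sample() -> str:
    """Constructed, harmless stand-in for a file such as payments.php."""
    inner = base64.b64encode(b"echo 'constructed harmless sample';")
    outer = base64.b64encode(b"eval(base64_decode('" + inner + b"'));").decode()
    token = "0123456789abcdef" * 4  # benign hex token that must not be flagged
    return f"<?php\n$token = '{token}';\neval(base64_decode('{outer}'));\n"


if __name__ == "__main__":
    for f in scan_php(build_sample()):
        print(f"line {f['line']}: {f['layers']} layer(s) -> {f['decoded']}")
```

The decoded innermost text is what to review by hand; a hit on a file whose name looks like a core OpenCart/Magento file is worth comparing against a clean copy of the same release.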

OpenCart & Magento malware infections seem to be on the rise. Hackers often target small and medium-sized businesses because of the limited or absent security solutions these types of businesses use. It is a good practice to use a security solution for your website and not wait to get hacked. You can always give Astra a spin here.
