What Do Compromised Websites Look Like?

Sucuri Blog has an interesting blogpost on how a website got compromised and allowed unencrypted Credit Card numbers(only in one specific area and for a few seconds) to be stolen from the Magento Ecommerce platform for a period of time.

 

Magento is an Ecommerce web system.

 

It Looks like Magento also had a Remote Code Execution vulnerability blog post. And requested their users patch software.

 

Back to the original thought… websites get compromised and one would think they have a certain look…

Here is a small snippet that Sucuri Blog was able to dissect:

magento-fromsucuriblog

In this snippet you can see that there is no way to tell how it affects your website…

My point is that you will not know that your website was compromised, unless you test the site periodically to see if it has compromised  code.

In fact the attacker encrypted the code(See the —–BEGIN PUBLIC KEY—-) and has a visvo user agent  to further obfuscate the attack.

Do you see a Visbot/2.0 (+http://www.visvo.vom/en….. <etc etc>)  entry in the image above then you would see that the compromised website is trying to connect to visvo.com

If you try to go to Visvo.com now it will have the following there:

visvoredirect

 

So the bad guys are long gone.  (no surprise)

 

 

The key in this attack is to inject code, steal the important data (credit cards) and then

clean up what happened. The important data is encrypted and obfuscated. The attack is very hard to see or see in action. (please review the Sucuri Blog for the detailed analysis of the Magento attack)

 

And since this is on your DMZ or on a hosted provider, it is unlikely to be protected by IPS systems.  So how to protect your ecommerce website?

Sucuri plugin is available on WordPress so that if any changes occur on your website, you will get emailed. (this is what I have).  There is also Tripwire which has products that do the same for webservers (any computer).

Contact Us for specific analysis on your situation.

 

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.