During a recent investigation into a compromised Magento ecommerce environment, we discovered the presence of five different backdoors that would provide attackers with code execution capabilities. The techniques used by the attackers in these backdoors illustrates the ever-changing landscape of website security and highlights some of the tactics used to avoid traditional backdoor detection.
One such backdoor was appended to the Magento core file /errors/503.php:
This sample takes user input from the “ID” URL parameter and builds a reflection function, where the object stored in the $func variable will now reflect whichever function the attacker passed as input.
Continue reading Examining Unique Magento Backdoors at Sucuri Blog.