Question

Cannot find anything on the internet about that.

Here is what's coming in:

'REQUEST_METHOD' => 'POST',
'REQUEST_URI' => '/shell/log.php?region=%31&kunyuk=%31&MageShell=%31&xcv=%31&p2=%31&koplak=%31&kehed=%31&getHostUrl=%31&uber=%31&sohai=%31&id=%31&derr=%31&hack=%31&zx=%31&abs=%31&tc=%31&file=%31&config=%31&Mage=%31&f=%31%2e%64%6f%63&install=%31&duar=%31&anjing=%31&get=%31&a=%31&ix=%31&damn=%31&c4=%31&gohack=%31&up=%31&w=%31&system=%31&upl=%31&c2=%31&c0=%31&go=%31',
'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134',

Causing a Warning:

Warning: Invalid argument supplied for foreach() in ...src/shell/abstract.php on line 144

Through PHP the query params become

array(
    'region'     => '1',
    'kunyuk'     => '1',
    'MageShell'  => '1',
    'xcv'        => '1',
    'p2'         => '1',
    'koplak'     => '1',
    'kehed'      => '1',
    'getHostUrl' => '1',
    'uber'       => '1',
    'sohai'      => '1',
    'id'         => '1',
    'derr'       => '1',
    'hack'       => '1',
    'zx'         => '1',
    'abs'        => '1',
    'tc'         => '1',
    'file'       => '1',
    'config'     => '1',
    'Mage'       => '1',
    'f'          => '1.doc',
    'install'    => '1',
    'duar'       => '1',
    'anjing'     => '1',
    'get'        => '1',
    'a'          => '1',
    'ix'         => '1',
    'damn'       => '1',
    'c4'         => '1',
    'gohack'     => '1',
    'up'         => '1',
    'w'          => '1',
    'system'     => '1',
    'upl'        => '1',
    'c2'         => '1',
    'c0'         => '1',
    'go'         => '1',
)

What are "they" trying?

I looked into Magento (1.9) and found log.php, which uses abstract.php.

Mage added a check:

protected function _validate()
{
    if (isset($_SERVER['REQUEST_METHOD'])) {
        die('This script cannot be run from Browser. This is the shell script.');
    }
}

So actually no execution.

But I'm sure some extensions ship scripts that just override this method, like Mirasvit did in \Mirasvit_Shell_Asyncindex::_validate:

protected function _validate()
{
}

Great - NOT.

No comment, no code. Nothing. Why?


Solution

They're probing for a backdoor in shell/log.php. Yours isn't compromised if your log.php matches what Magento 1's should be, but if it was compromised, that payload would presumably indicate to the scanner that your site is in fact vulnerable.

The parameters are all possible request keys that backdoors in log.php might look for. This is the shotgun or 'throw noodles against the wall and see what sticks' approach. If the script did output something other than the error message, they would know it's compromised and they can attack it further and use that to infect your site.

Either way, you should protect your entire shell directory by creating shell/.htaccess like so:

Order deny,allow
Deny from all

As found in https://github.com/OpenMage/magento-mirror/tree/magento-1.9/shell. This is included out of the box in recent Magento versions, but older ones may not have it. There's no reason for anything in the shell directory to be publicly web accessible.
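As an added example (not code from the question, the answer or Magento itself), here is a small Python scan over constructed Apache access-log lines that flags every request reaching /shell/, records whether the web server served it or the deny-all rule answered 403, and decodes the %31-style percent-encoding used in the probe above. The log format and the sample lines are assumptions made for the demo.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines for this demo (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:12:00:01 +0000] "POST /shell/log.php?region=%31&hack=%31&f=%31%2e%64%6f%63&system=%31 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2019:12:00:02 +0000] "GET /index.php/catalog/product/view/id/42 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:12:00:03 +0000] "GET /shell/abstract.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    rec["raw_query"] = parts.query
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes keys and values
    return rec

def check_shell_probe(rec):
    """Return a finding for any request under /shell/, or None for everything else."""
    if not rec["path"].startswith("/shell/"):
        return None
    # %31 decodes to '1': a query that changes under decoding was encoded to evade naive matching
    obfuscated = unquote(rec["raw_query"]) != rec["raw_query"]
    # With the deny-all .htaccess in place the server answers 403; below 400 means the request reached PHP
    served = rec["status"] < 400
    return {
        "ip": rec["ip"], "path": rec["path"], "served": served,
        "param_count": len(rec["params"]), "obfuscated_query": obfuscated,
        "severity": "high" if served else "low",
    }

def scan_log(text):
    """Parse every line and collect the /shell/ findings in log order."""
    recs = (parse_line(line) for line in text.splitlines())
    return [f for f in map(check_shell_probe, filter(None, recs)) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A "high" finding on a live site means the .htaccess deny rule is missing or not honoured (for example AllowOverride is off), so the check is worth running against the real access log after adding the rule.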

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange