As is a common occurrence, we were recently hired to re-clean a hacked website that the security company Sucuri, which is owned by GoDaddy, had repeatedly failed to properly clean. This time it was a Magento based ecommerce website we were cleaning. As is standard issue in those situations they had missed malicious code that should have been easy to find. What we also found was that the hacker had been able to add an additional admin account, unfortunately that had occurred prior to the time period logging was still available, so we didn’t have evidence of how that had been done.
In a situation where we haven’t been able to determine how the hacker has gotten access, part of our cleanup process is to recheck things for a couple of weeks to see if the hacker tries to get back in. In this case the admin account returned a couple of days later.
For others dealing with the admin account in this situation had these details:
- User Name: magentoupdate
- Email: email@example.com
- First Name: support
- Last Name: support:
With the logging available from when this occurred we found a log entry where one of the URL parameters was this:
That is SQL code that generates that admin user, which would be exploited through a SQL injection vulnerability. In this case it involved exploiting a SQL injection vulnerability in an extension on the website, which we then patched up.
A Better Alternative to Sucuri
If you have a website that needs to be cleaned up from malware or another type of hack, we provide a better alternative to using Sucuri, where we actually fully and properly clean up the website.