Es gibt leider ein aktutes(?) Sicherheitsproblem bei Magento. Es scheint darum zu gehen, dass die Paymentdaten direkt aus dem Checkout abgegriffen werden und an eine externe Seite geleitet werden. Aktuell ist aber ziemlich viel unklar und gibt noch wenig Infos dazu.
Sicherheitsleck scheint den Namen „guruincsite infection“ bekommen zu haben.
Wer mehr Infos oder Bezeichnungen des Sicherheitsloch hat bitte gerne teilen(!)
Heise schreibt „Tausende Magento-Shops greifen ihre Kunden an“ leider ist der Artikel rechts nichtssagend und bringt keine Infos
http://www.heise.de/security/meldung/Tausende-Magento-Shops-greifen-ihre-Kunden-an-2850132.html
Deutlich mehr Infos gibt es hier und in den Kommentare
The malware is usually injected in the design/footer/absolute_footer entry of the core_config_data table, but we suggest scanning the whole database for code like “function LCWEHH(XHFER1){XHFER1=XHFER1” or the “guruincsite” domain name.
https://blog.sucuri.net/2015/10/massive-magento-guruincsite-infection.html
Folgende Kommentar auf heise.de von „Dantoko“ lässt darauf schließen betrifft nur gewisse Shops, die mit Magmi arbeiten betreffen?
„- Die Attacke originiert nicht in Magento sondern wird über externe Datenbefüllung injected. Das Daten via Magmi an Magento übertragen werden ist SINN von Magmi – es befüllt Produktdaten, herrje.“
http://www.heise.de/forum/heise-Security/News-Kommentare/Tausende-Magento-Shops-greifen-ihre-Kunden-an/Irrefuehrend-zu-spaet-ungenau-am-Thema-vorbei/posting-23830150/show/
Wer hat mehr Infos? Wo gibt es vernüftige Infoquelle?
Update Mail von 21.10.2015 von Magento
|
Your site may be at risk. Take action today.
|
|
|
We are investigating reports of Magento sites being targeted by Guruincsite malware (Neutrino exploit kit). We have not identified a new attack vector at this time, but have found that nearly all impacted sites checked so far were vulnerable to a previously identified code execution issue for which we released a patch in early 2015; sites not vulnerable to that issue show other unpatched issues. The malware can also take advantage of situations where an administrative account has been compromised through weak passwords, phishing, or any other unpatched vulnerability that allows for administrative access, so it is important to check for fake user accounts and for leftover demo accounts.
Magento merchants are advised to follow best practices to ensure the security of their sites as well as:
- Check their sites for Guruincsite and other malware and security vulnerabilities that could be used in future attacks at http://magereport.com. This is a very useful Magento community project that is not affiliated with Magento.
- Search for and remove any malicious scripts that have been injected into your pages. You can then submit an unblock request to Google using Google Webmaster. Instructions from Magereport on finding and fixing these scripts can be found here.
- Please review all admin users in your system, including accounts with the username “admin” that could be left over from sample data installations. Remove any accounts that you are not actively using.
- Implement all available patches ASAP to close any exploitable vulnerability. Please visit the Magento Security Center for a list of patches.
More information as available will be posted at https://magento.com/security.
Best regards,
The Magento Team |
|
