Hackers Compromise FishPig Servers, Add Backdoor
After compromising the server infrastructure of FishPig, the maker of Magento-WordPress integration software that has been downloaded more than 200,000 times, cybercriminals managed to implant malware on servers belonging to an unknown number of online retailers.
Sansec, the security company that first identified the breach, discovered that attackers had injected malware into FishPig Magento Security Suite and several other FishPig extensions for Magento 2, which they can use to access websites running the products.
The injected malware later installs a remote access trojan (RAT) called “Rekoobe”, which hides on the server as a background process.
Discovered in June, Rekoobe masquerades as a secure SMTP server. When launched from memory, it loads its configuration, removes all malicious files, and takes on the name of a system service to avoid detection.
The Linux rootkit Syslogk has been seen dropping this Trojan in the past. Rekoobe can be triggered by hidden commands tied to the handling of the STARTTLS command, sent by remote attackers.
When Rekoobe is activated, it provides a reverse shell that allows the attacker to remotely control the compromised server.
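A background process that deletes its own files after starting leaves a trace a defender can check on Linux: the kernel appends " (deleted)" to the target of that process's /proc/<pid>/exe link. The sketch below is an added example, not code from Sansec or FishPig; the function names are hypothetical, and it lists candidates for review rather than identifying Rekoobe specifically.

```python
import os

DELETED = " (deleted)"  # suffix the Linux kernel adds to an unlinked executable

def argv0_name(proc_root, pid):
    """Return the name the process displays (basename of argv[0]), or ''."""
    try:
        with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
            argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
    except OSError:
        return ""
    # Daemons often rewrite argv[0] as "name: detail"; keep only the name.
    return os.path.basename(argv0.split(" ", 1)[0].rstrip(":"))

def find_suspect_processes(proc_root="/proc"):
    """List processes whose on-disk executable was removed after launch."""
    findings = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient privilege
        if not exe.endswith(DELETED):
            continue
        exe_path = exe[: -len(DELETED)]
        shown = argv0_name(proc_root, pid)
        findings.append({
            "pid": int(pid),
            "exe": exe_path,
            "shown_as": shown,
            # A displayed name that differs from the binary's own name is the
            # masquerading case: the process presents itself as something else.
            "name_mismatch": bool(shown) and shown != os.path.basename(exe_path),
        })
    return findings

if __name__ == "__main__":
    for f in find_suspect_processes():
        note = " (name differs from executable)" if f["name_mismatch"] else ""
        print(f"pid {f['pid']}: {f['exe']} deleted, shown as {f['shown_as']!r}{note}")
```

Services that are still running an old binary after a package upgrade also show a deleted executable, so treat each hit as a lead to investigate. Run it as root so that every process's exe link is readable.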
Sansec said the FishPig compromise began before August 19th. It added that online stores using the FishPig software may have Rekoobe installed on their servers, giving the hackers admin access.
“All paid Fishpig extensions may have been compromised. Free extensions hosted on Github appear to be unaffected,” Sansec said.
FishPig is a UK-based developer of Magento-WordPress integrations. 200,000 websites use e-commerce platforms.
Magento is a popular open source e-commerce platform used to create online marketplaces.
FishPig said Tuesday that hackers used their access to inject malicious PHP code into the Helper/License.php file.
“This file is included in most FishPig extensions, so it’s best to assume that all paid FishPig Magento 2 modules are infected,” the company said.
We have since removed the malicious code and taken steps to prevent this from happening again.
FishPig encourages all customers to update all FishPig modules or reinstall the current version from source, regardless of whether they are using extensions known to be affected.
Additionally, the company has made available a tool that lets users check their FishPig files for infection.
If you think malware has infected your site and you need help fixing it, FishPig is currently offering a free cleanup service.
https://www.computing.co.uk/news/4056324/hackers-breach-fishpig-servers-add-backdoors