After dealing with a few such cases, we realized there seemed to be a pattern/common traits among the compromised stores. The two common patterns found
- Pro order module installed
- Journal theme
The hackers are exploiting the older versions of the PreOrder extension that had no validation implemented for the public function GetPreorderedProduct($product_id). This caused SQLi issues for the sites.
More details right here: https://www.getastra.com/blog/911/plugi ... ase-hacked (included the email hackers send)
On further inspection, turns out an older version of the Pre order module was the culprit. Version we've seen surface a couple of times was 2.9.3. We tried to check if the vulnerability exists in the latest version, thankfully it doesn't
- Update the PreOrder module by iSenselabs to the latest version. It's always good to use the latest versions regardless
- Update Journal to the latest version.
- For Astra Security users, SQLi is prevented by default. Always good to use a firewall