I found something a little unusual recently: a known WSO shell stored within Umart Online’s public asset infrastructure, which appears to have been present since at least 2019.

Let me start by walking through how I even found this. It all started with a simple late-night question:
What CMS does Umart Online use?
I’d thought about this on a few occasions, their website looks somewhat modern, loads quickly, and has a fair few features you don’t see on other sites.

If you’ve ever browsed the modern version of MSY you’d also notice that their website looks the exact same, just in a different colour scheme, indicating it’s probably using the same CMS.

I started simple and tried WhatCMS and CMS Detect; the results were… not helpful.

The same result came up for MSY’s website as well, so I kept looking.
There are no hints of WordPress, WooCommerce, Magento, Shopify, or anything else I’ve seen before, so I started looking at some different products, and then I noticed the URLs.
https://www.umart.com.au/product/apple-airpods-pro-3-wireless-earphones-mfhp4x-a-90523
https://www.msy.com.au/product/apple-airpods-pro-3-wireless-earphones-mfhp4x-a-90523
Both these stores had the exact same product listed, using the same product URL, but just served under a different domain.
At this point it became clear that MSY wasn’t running a separate platform. It looked like both brands were operating from the same infrastructure, perhaps even the same exact web server.
This became particularly clear with image files, where the Umart favicon was appearing on the MSY assets page.

The Public Asset Bucket
As I started looking into their web server, the real discovery came when I learned about the publicly listable AWS S3 bucket, which they use to serve all content from assets.umart.com.au.
Going directly to this website immediately returns object listings.
Although, as you might notice, the data is truncated, and it can only display 1000 keys at once.

However, you can easily query additional pages to see more keys. One quick script later, I had a .txt file with all 2 million of them.
It was here that I started to make some real progress.
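For anyone running a public asset bucket of their own, anonymous listing like this can be caught by auditing the bucket policy. The check below is an added example, not code from this post or from Umart; it assumes the listing is granted through a bucket policy (the post does not say whether a policy or an ACL is responsible), and the bucket name and both sample policies are constructed.

```python
import json
from fnmatch import fnmatchcase

# Actions that let a caller enumerate keys in a bucket.
LISTING_ACTIONS = ("s3:listbucket", "s3:listbucketversions")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "Principal": "*" and {"AWS": "*"} both mean "anyone on the internet".
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def public_listing_statements(policy_json):
    """Return the Sid (or index) of every statement that lets anyone list keys."""
    hits = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants (IP, VPC endpoint) need manual review
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # IAM action patterns may contain wildcards, e.g. "s3:List*" or "s3:*".
        if any(fnmatchcase(act, pat) for act in LISTING_ACTIONS for pat in patterns):
            hits.append(stmt.get("Sid", f"statement[{index}]"))
    return hits

# Constructed sample policies; the bucket name is a placeholder.
LISTABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicAssets", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:List*"],
        "Resource": ["arn:aws:s3:::example-assets", "arn:aws:s3:::example-assets/*"],
    }],
})
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicAssets", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-assets/*",
    }],
})

if __name__ == "__main__":
    print(public_listing_statements(LISTABLE_POLICY))
    print(public_listing_statements(READ_ONLY_POLICY))
```

Serving objects publicly only needs `s3:GetObject` on the object ARN; the second policy keeps the assets reachable by direct URL while the key index is no longer returned.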
The ECShop Theory
One of the earliest clues was the presence of files such as:
admin/images/ecshop_logo.png
admin/images/ecshop_logo.gif
ECShop is an old PHP ecommerce platform that was popular in China. Interestingly, if you go to these keys directly, you even see ECShop assets served from Umart’s domain.

Finding these assets doesn’t prove the site is still running ECShop, but it does suggest the platform may have started life there, which in itself is fascinating considering that Umart themselves made this statement about the original site (0:56).
My working theory at this point is:
ECShop (or related platform)
↓
Years of modifications
↓
Custom retailer platform
↓
Shared Umart/MSY ecommerce system
Umart’s Other Brands
Another thing that the bucket revealed was all these theme directories:
themes/umart2018/
themes/msy/
themes/pcbyte/
themes/umartpc/
themes/biz1/
themes/mspec1/
And who would have guessed, PCByte’s store is also using the same website layout, just in another colour.

I wasn’t able to find anything on the other platforms, but apparently Mspec used to be the name for MSY’s prebuilts.
Oh… Database Credentials
Also inside the bucket were some PHTML files, such as:
INIT.phtml
picture.phtml
picture1.phtml
One of them actually ended up exposing credentials for the database “umdb”, which was an unexpected find.

The funny
I also came across another file and had a bit of a laugh at this function name, although sadly it’s written by the authors of the Dynarch JSCalendar library, not Umart’s developers.

I didn’t end up finding many notes written by Umart’s devs, and the few I did find were sadly not that interesting.
What I did learn though, is that staff heavily rely on the website internally at Umart stores, according to previous employees.

I would kill to see what kind of chaos is hiding behind the Umart website, because people make it sound like the backend looks something like this:
+-------------------------------------------------------+
| Umart Store Admin |
| Logged in as: admin |
+-------------------------------------------------------+
Orders Today: 847
Pending Orders: 63
Products: 84,392
--------------------------------------------------------
[ Orders ] [ Products ] [ Stock ] [ Pricing ] [Suppliers]
[ Freight ] [ Reports ] [ CMS ] [ Marketing ] [ System ]
---------------------------------------------------------
The PHP Backdoor
I was scrolling through the S3 bucket again, and came across some .doc files. Okay, I wonder what they’re doing here?

As I downloaded one, Windows Defender flagged it immediately.

Alright, let’s check the contents; maybe Defender is wrong…

After de-obfuscating the code with UnPHP, I verified that this is indeed a WSO 2.5 web shell, a very common backdoor tool.
This type of tool is commonly linked with post-compromise activity and includes functionality that can be used to further exploit a web server, including:
- File manager
- Command execution
- Database access
- Upload functionality
- PHP execution
I want to be very clear here:
This file is being served from Umart’s S3 bucket and does not appear to be running as an executable script on their web server.
In its current state, its presence alone does not indicate a past or current compromise of Umart’s infrastructure.
What it does indicate is that either a malicious actor (for example, somebody who had previously compromised a Umart Online server) or a legitimate person (such as a developer, system administrator, or security researcher) uploaded the file at some point and never removed it.
If we look at the date on the file, we can see that it hasn’t been modified since 2019, which is the same as all the other .doc files.

All these .docs appear to have been uploaded at the same time, along with 200,000 other unrelated files. One possibility is that an entire directory structure was migrated into S3 in late 2019, bringing the web shell along with it.
To me, it feels like either a penetration testing or security research artefact that was never cleaned up, or, in the worst case, a remnant of a historical compromise that was accidentally carried forward during a later migration.
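A check like the following, run over a directory tree before it is migrated into an asset bucket, would flag a PHP file carrying a .doc extension. It is an added example, not code from this post or from Umart; the extension list and marker patterns are assumptions chosen for illustration, and the sample files are constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Extensions that should never hold PHP source (assumed list for this example).
PASSIVE_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".txt"}
# Genuine Word files start with the OLE2 magic (.doc) or a ZIP header (.docx).
WORD_MAGIC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"PK\x03\x04")
PHP_OPEN = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Calls typical of packed PHP; they raise confidence but are not proof.
PACKER_CALL = re.compile(
    rb"\b(eval|assert|gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
    re.IGNORECASE,
)
HEAD_BYTES = 64 * 1024  # the markers of interest sit near the start of the file

def inspect_file(path):
    """Return the reasons a passive-looking file is suspicious, or []."""
    ext = path.suffix.lower()
    if ext not in PASSIVE_EXTS:
        return []
    with path.open("rb") as handle:
        head = handle.read(HEAD_BYTES)
    reasons = []
    if ext in (".doc", ".docx") and not head.startswith(WORD_MAGIC):
        reasons.append("not-a-word-file")
    if PHP_OPEN.search(head):
        reasons.append("php-open-tag")
        if PACKER_CALL.search(head):
            reasons.append("packer-call")
    return reasons

def scan(root):
    """Map relative path -> reasons for every flagged file under root."""
    root = Path(root)
    flagged = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = inspect_file(path)
        if reasons:
            flagged[path.relative_to(root).as_posix()] = reasons
    return flagged

def demo():
    """Scan a constructed tree: one real-looking .doc, one PHP stub named .doc."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        (docs / "manual.doc").write_bytes(WORD_MAGIC[0] + b"\x00" * 64)
        (docs / "notes.doc").write_bytes(b"<?php eval(base64_decode('PLACEHOLDER')); ?>")
        (docs / "readme.txt").write_bytes(b"plain text")
        return scan(tmp)
```

Text files that merely quote PHP (documentation, tutorials) will also match the open-tag pattern, so treat hits as candidates for review rather than confirmed web shells.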
Still, I opted to let Mr Mark know about the credentials and the web shell. Since Umart does not have a security.txt file or any kind of public vulnerability disclosure process, I sent him an email outlining my findings.

That was on 28/05/26.
As of writing this post, I have not received a response from Umart. If they do respond, I’ll update this post accordingly.
So What CMS Is It?
My conclusion is that it probably isn’t a CMS anymore, at least not in the traditional sense.
The evidence points toward a heavily customised ecommerce platform that may have originally been based on ECShop or a similar PHP application.
This is the sort of platform that would have cost hundreds of thousands of dollars to build up to the point it’s at today, and it screams years of incremental development, acquisitions, migrations, and customisation.
I even found a collection of Adobe Flash files still sitting in the asset bucket, containing animations for products that have likely been out of stock for over a decade.

It’s interesting really, to think that this modern-feeling site started out as something so simple back in 2005.

Final Thoughts
What started as a simple question ended up becoming a lesson in how much history can accumulate inside a long-running platform, and some of the things I found along the way were genuinely interesting.
And while I didn’t conclusively prove that Umart started as ECShop (or that it was compromised), I found enough evidence to paint a fascinating picture of how the platform evolved into what it is today.
The internet is full of these hidden layers. Most people only ever see the finished product, but occasionally you get a glimpse behind the curtain and discover that beneath the polished frontend is twenty years of technical history held together by a surprising amount of duct tape.
Hope you enjoyed!
