Security Patches – Shoplift Vulnerability if Admin Panel is Hidden?


Among the six installations I have access to there's one that was apparently compromised by Shoplift. This is the only one that has a standard /admin backend url.

After patching all of them and reading many resources I guess that a site isn't vulnerable to Shoplift if the attacker doesn't know the admin URL – which corresponds just fine to the observation.

Still not fully convinced, though – especially after reading the full story by CheckPoint – so: is it?

The – at least at first sight – uncompromised sites are on shared hosting without shell access so any deeper investigation will be pretty expensive. Hence knowing that the attack has no impact without knowledge of the admin URL would be a huge life(/time) saver.

PS: $this->question is ! about (security by obscurity || the possibility of brute forcing the admin URL).

Best Answer

The shoplifter tester was written before I discovered that there is a relatively easy way to fetch the admin name.

However, I haven't seen any indications of black hats actively scanning for non-standard admin names so far, based on the logs of several thousand Magento shops. So if you patch now, I wouldn't bother with extensive forensics (apart from checking for rogue users).

Clearly, this advice expires once Magento publishes a fix for the admin leak and the knowledge how to use it becomes widespread.
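One concrete way to do the "check for rogue users" step the answer recommends, as an added example that is not the answerer's own code. It assumes Magento 1.x table names (admin_user, admin_role) with no table prefix; the cut-off date is a placeholder you replace with the earliest plausible compromise date.

```sql
-- Added example (not part of the original answer). Lists every backend
-- account with its effective role, newest first, so an account nobody on
-- the team created stands out. In Magento 1.x each user has an admin_role
-- row of role_type 'U' whose parent_id points at the group role ('G').
SELECT u.user_id,
       u.username,
       u.email,
       u.is_active,
       u.created,
       u.modified,
       u.logdate   AS last_login,
       u.lognum    AS login_count,
       g.role_name AS role_group
FROM admin_user AS u
LEFT JOIN admin_role AS r
       ON r.user_id   = u.user_id
      AND r.role_type = 'U'
LEFT JOIN admin_role AS g
       ON g.role_id   = r.parent_id
ORDER BY u.created DESC;

-- Narrow the list to accounts created or changed since the placeholder
-- date (constructed value; substitute your own incident window).
SELECT user_id, username, email, is_active, created, modified
FROM admin_user
WHERE created  >= '2015-01-01 00:00:00'
   OR modified >= '2015-01-01 00:00:00'
ORDER BY modified DESC;
```

Any username, e-mail address or role group you do not recognise in the first result, or any account in the second result that no colleague created, is worth disabling and investigating before you assume the shop is clean.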
