
How to Recover a Hacked Magento Shop

Created by: Sophie van Vrijberghe de Coningh

Modified on: Thu, 18 Jun, 2020 at 9:34 AM

Unfortunately, webshops get hacked. Most of the time this is because of an outdated CMS version or buggy plugins and/or extensions. Regularly check your shop with Magereport to make sure your Magento shop’s security is up to date. Magereport will tell you if there are any known security issues with your shop and, if so, how to fix them. This article explains how to recover a hacked Magento shop.


Is My Shop Hacked?

In many cases, Magereport will tell you if your shop has been hacked. It checks for known backdoors and for encrypted files that should not be encrypted.

For example: /skin/error.php (not an official Magento core file) or .README_FOR_DECRYPT.txt (ransomware payment instructions), and so on.

On Hypernode we also provide a malware scanner, based on Yara with an extra set of signatures to detect Magento-targeted malware. Every night an audit of new or changed files is performed, and when the scanner hits a possibly infected file it notifies Hypernode's abuse department. They check whether it is a false positive and, if not, send you a warning message by email.

What to Do When Your Shop Is Hacked

This is a good priority list to start cleaning up your shop:

Collect Evidence

To find out what happened and how, it’s extremely important to collect evidence. We do this, among other things, by collecting the logs in /var/log and in the Magento content directory.

This needs to be done as soon as possible, as the intruder might eliminate traces if they find out you are on to them. Make a copy of all the relevant logs (notably the system logs in /var/log/syslog and /var/log/auth.log, and the Nginx access and error logs in /var/log/nginx/). Also make a copy of Magento’s log files (var/log/*).
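The copying step above, as an added example that is not part of the original article: the function copies the named log paths into a timestamped evidence directory, preserves the original timestamps, and writes a SHA-256 manifest so the copies can later be shown to be unaltered. The log paths are the ones the article names; the destination directory and the Magento root are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): preserve log files in a
# timestamped evidence directory, keeping original mtimes and writing a
# SHA-256 manifest of every copied file.
#
# Usage: collect_evidence <dest_dir> <log file or directory>...
# Prints the path of the created evidence directory.
collect_evidence() {
    dest="$1"
    shift
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    evidence="$dest/evidence-$stamp"
    mkdir -p "$evidence" || return 1
    for src in "$@"; do
        if [ ! -e "$src" ]; then
            # A missing path is reported, not fatal: keep collecting the rest
            echo "skipping missing path: $src" >&2
            continue
        fi
        # -a preserves mode, ownership and mtime; the mtimes are evidence too.
        # Directories (e.g. /var/log/nginx) are copied recursively.
        cp -a "$src" "$evidence/" || return 1
    done
    # Hash every copied file; the exclusion avoids hashing the manifest itself
    (
        cd "$evidence" &&
        find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + |
            sort -k2 > MANIFEST.sha256
    ) || return 1
    # Make the copies read-only so they are not changed by accident
    find "$evidence" -type f -exec chmod a-w {} +
    echo "$evidence"
}

# Typical invocation on a Hypernode (destination and Magento root are assumed;
# adjust /data/web/magento to your shop's document root):
# collect_evidence /data/web/evidence \
#     /var/log/syslog /var/log/auth.log /var/log/nginx /data/web/magento/var/log
```

Verify a copy later with `sha256sum -c MANIFEST.sha256` from inside the evidence directory.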

Analyse Root Cause

It is 99% likely that the intruder got in through an old security flaw or weak user/password combination. Check if your shop is fully patched using

If you are fully patched, the intruder could have got in through buggy or outdated third-party extensions or a yet unknown flaw in Magento.
Try to find the method the hackers used to break into your Magento shop. Use this tutorial about breach analysis on Magento.

Tips to Find and Fix the Issue

Fixing a site has no use if the intruder can just as easily get back in afterwards. Determine what you should change in order to prevent repeated abuse.

In most cases this will be:

  • Remove strange, old or unused admin accounts.
  • Change all passwords for admin accounts to strong passwords and activate two-factor authentication (using Authy or Google Authenticator) for stronger security.
  • Install all the relevant patches.
  • Upgrade your Magento to the latest version.
  • Configure brute force protection.
  • Run a scan using the Magento Malware Scanner with this command to find any backdoors. If there are any, move them to a non-reachable directory (like /data/web/hacked/) for later analysis and finally remove them:
    mwscan -s byte /data/web/

If the scanner finds anything, it will be logged to the file /var/log/mwscan.log.

  • Find files modified in the last 10 days:
    find /data/web/ -type f -mtime -10
  • Find files that contain suspicious PHP code:
    grep -RE 'preg_replace\(|eval\(|base64_decode\(' --include='*.php' . | cut -d: -f1 | sort -u | while read -r line; do echo "$line" | cat - "$line" | less; done
  • Scan and analyse your files using NeoPI:
    neopi -aA . | awk '{ print $2 }' | grep '\./' | sort | uniq -c | sort -nr | awk '{ print $2 }' | while read -r line; do (echo "$line"; echo; cat "$line") | less; done

Alternatively you can use these scripts that do the same thing as the commands mentioned above.

  • A hack through FTP or MySQL isn’t very likely, as the ports for both MySQL and FTP are firewalled and only available to whitelisted IP addresses. We do recommend collecting and securing your FTP and MySQL logs, and dumping the database for analysis too.

  • Check your whitelists and remove old IP addresses which no longer need access, through (for Dutch customers) the Byte Service Panel or (for all customers) the hypernode-systemctl CLI tool.

  • For Dutch customers only: if you are using SSH with the password of your Byte account, change your password in the Service Panel. For better security, you could disable password authentication and only accept SSH keys.

Throw the Hacker Out

An intruder has most likely left one or more backdoors. These could be separate files (/skin/error.php) or mixed in with regular Magento code (Mage.php or include/config.php).

To avoid recurring hacking incidents, your code and database should be thoroughly clean. The only trustworthy way to accomplish this is to remove everything and recover from a (known clean) backup or git checkout. Establish which files were changed and go back to the latest clean version; for example, do a git diff origin/<old-release>. Do not trust any git checkout on the server, as that could have been compromised as well.

If you do not have a backup or version control, success is not guaranteed, but you could try to find suspicious and/or recently modified files, and you could compare with a new Magento installation to see if core files have been modified. If you need a historical backup (available on Hypernode Professional and Excellence plans), send an email to and ask for the file/database backup from the day before the day you think the hack took place.
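The comparison with a fresh Magento installation, as an added example that is not part of the original article: the function diffs a clean copy of the same release against the live shop and lists files that were modified, added or removed. The exclusions (var, media, local.xml, .git) are an assumption about what legitimately differs between the two trees; adjust them to your shop.

```shell
#!/bin/sh
# Added example (not from the original article): list files on the live shop
# that differ from a freshly downloaded copy of the same Magento release.
# Assumes paths without spaces.
#
# Usage: find_modified_core <clean_install_dir> <live_shop_dir>
# Output lines: "MODIFIED <live path>", "ADDED <live path>", "MISSING <clean path>"
find_modified_core() {
    clean="$1"
    live="$2"
    # -r recurse, -q only report which files differ, -x skip by basename.
    # diff exits 1 when differences exist; that is the expected outcome here.
    diff -rq -x var -x media -x local.xml -x .git "$clean" "$live" |
        awk -v clean="$clean" -v live="$live" '
            # "Files CLEAN/x and LIVE/x differ" (or "Binary files ... differ")
            $NF == "differ" { print "MODIFIED " $(NF-1); next }
            # "Only in LIVE/dir: name" -> not part of the clean release
            $1 == "Only" && (index($3, live "/") == 1 || $3 == live ":") {
                sub(/:$/, "", $3); print "ADDED    " $3 "/" $4; next
            }
            # "Only in CLEAN/dir: name" -> core file deleted on the live shop
            $1 == "Only" && (index($3, clean "/") == 1 || $3 == clean ":") {
                sub(/:$/, "", $3); print "MISSING  " $3 "/" $4
            }
        '
}

# Example run (paths assumed): a clean release unpacked in /tmp/magento-clean,
# the live shop in /data/web/magento. Review every MODIFIED and ADDED file.
# find_modified_core /tmp/magento-clean /data/web/magento
```

Any ADDED .php file under skin/, media/ or js/ deserves a close look, since those directories should not contain executable code in a clean release.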

Need help?

Magento is not an easy open-source CMS. Although we’re very skilled in hosting Magento shops, making them fast and keeping conversion high, we’re not Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don’t hesitate to contact one of these agencies.

Sophie is the author of this solution article.
