How to recover a hacked Magento shop

Tags: Magento, Magereport, Security

Unfortunately, webshops get hacked. Most of the time this is because of an outdated Magento version or buggy plugins and/or extensions. Regularly check your shop with Magereport.com to make sure your Magento shop’s security is up-to-date. Magereport will tell you if there are any known security issues with your shop and, if so, how to fix them.

This article explains how to recover a hacked Magento shop.

Is my shop hacked?

In many cases, Magereport.com will tell you if your shop has been hacked. Magereport checks for known backdoors and for files that have been encrypted but should not be.

For example: /skin/error.php (not an official Magento core file) or README_FOR_DECRYPT.txt (ransomware payment instructions) and so on.

On Hypernode we also provide the Magento Malware Scanner, based on Yara with an extra set of signatures to detect malware that targets Magento. Every night an audit of new or changed files is performed, and when the scanner hits a possibly infected file it notifies Byte’s abuse department. They check whether it is a false positive and, if not, send you a warning message by e-mail.

What to do when your shop is hacked

This is a good priority list to start cleaning up your shop:

Collect evidence

To find out what happened and how, it’s extremely important to collect evidence. We do this, among other things, by collecting the logs in /var/log and in the Magento content directory.

This needs to be done as soon as possible, as the intruder might eliminate traces if he finds out you are on to him. Make a copy of all the relevant logs: notably the system logs in /var/log/syslog and /var/log/auth.log, and the nginx access and error logs in /var/log/nginx/. Also make a copy of Magento’s own log files (var/log/*). Copy the logs, rather than moving them, so that the originals (and their timestamps and ownership) remain available as evidence.

Analyse root cause

In almost all cases the intruder got in through an old, already patched security flaw or a weak username/password combination. Check whether your shop is fully patched using Magereport.com.

If you are fully patched, the intruder may have got in through a buggy or outdated third-party extension, or through a flaw in Magento that is not yet publicly known.
Try to find the method the hackers used to break into your Magento shop. Use this tutorial about breach analysis on Magento.

Tips to find and fix the issue

Fixing a site has no use if the intruder can just as easily get back in afterwards. Determine what you should change in order to prevent repeated abuse.

In most cases this will be:

  • Remove strange, old or unused admin accounts.
  • Change all passwords for admin accounts to strong passwords (and activate 2-factor authentication using Authy or Google Authenticator) for stronger security.
  • Install all the relevant patches.
  • Upgrade your Magento to the latest version.
  • Configure brute force protection.
  • Run a scan using the Magento Malware Scanner with the command below to find any backdoors. If it finds any, move them to a directory that is not reachable from the web (like /data/web/hacked/) for later analysis, and finally remove them:
    mwscan -s byte /data/web/

If the scanner finds anything, it will be logged to the file /var/log/mwscan.log. Keep in mind that a scanner only knows the signatures it ships with; a clean scan does not prove the shop is clean.

  • Find files modified in the last 10 days (an intruder can reset timestamps, so treat this as a hint, not as proof):
    find /data/web/ -type f -mtime -10

  • Find files that contain suspicious PHP code and page through each hit (the file name is printed first, then its contents). Expect some legitimate files to match; review each one:
    grep -rlE 'preg_replace\(|eval\(|base64_decode\(' --include='*.php' . | sort -u | while read -r file; do (echo "$file"; cat "$file") | less; done

  • Scan and analyse your files using NeoPI, then page through the flagged files in order of decreasing score:
    neopi -aA . | awk '{ print $2 }' | grep '\./' | sort | uniq -c | sort -nr | awk '{ print $2 }' | while read -r file; do (echo "$file"; echo; cat "$file") | less; done

    

    Alternatively you can use these scripts that do the same thing as the commands mentioned above.

  • A hack through FTP or MySQL is not very likely, as the ports for both MySQL and FTP are firewalled and only available to whitelisted IP addresses. We do recommend collecting and securing your FTP and MySQL logs, and dumping the database for analysis as well.

  • Check your whitelists and remove old IP addresses that no longer need access, through the Byte Service Panel https://service.byte.nl.

  • If you are using SSH with the password of your Byte account, change your password in the Service Panel https://service.byte.nl. For better security you can disable password authentication and accept SSH keys only.

Throw the hacker out

An intruder has most likely left one or more backdoors. These can be separate files (such as /skin/error.php) or code mixed in with regular Magento files (such as Mage.php or include/config.php).

To avoid recurring hacking incidents, your code and database should be thoroughly clean. The only trustworthy way to accomplish this, is to remove everything and recover from a (known clean) backup or git checkout. Establish which files were changed and go back to the latest clean version. For example, do a git diff origin/<old-release>. Do not trust any git checkout on the server, as that could have been compromised as well.

If you do not have a backup or version control, success is not guaranteed. You can still try to find suspicious and/or recently modified files, and compare your installation with a fresh Magento installation of the same version to see whether core files have been modified. If you need a historical backup (available on Hypernode Go Big and Excellence plans), send an e-mail to support@hypernode.com and ask for the file/database backup from the day before the day you think the hack took place.

History of major incidents

Oct 2015: GuruInc JS hijack

Hackers inserted malicious JavaScript code in Magento headers, which led visitors to install malicious code in their browsers. [Read more about this specific incident](/knowledgebase/how-to-fix-guruinc-infection/).

Nov 2015: RansomWare outbreak

Multiple Magento sites were reported where hackers installed ransomware. Legitimate Magento files got encrypted, thereby disabling the site. Site owners were blackmailed and asked to pay in Bitcoin to get the encryption removed.


Nov 2015: Credit card Hijack

Credit card hijack is malicious code injected into Magento that allows hackers to intercept credit card details entered at checkout.


Need help?

Magento is not an easy open source CMS. Although we are very skilled in hosting Magento shops, making them fast and keeping conversion high, we are not Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don’t hesitate to contact one of these agencies.
