How to recover a hacked Magento shop
Table of contents
- 1 Is my shop hacked?
- 2 What to do when your shop is hacked
- 3 History of major incidents
- 4 Need help?
Is my shop hacked?
MageReport checks for backdoors and for files that have been encrypted but should not be, for example:
- /skin/error.php (not an official Magento file)
- README_FOR_DECRYPT.txt (blackmail instructions)
What to do when your shop is hacked
This is a good priority list:
- Collect and protect evidence
- Analyse how the intruder got in
- Secure the entrance
- Throw the hacker out
1. Collect evidence
This needs to be done as soon as possible, as the intruder might eliminate traces if he finds out you are on to him.
Make sure to make a copy of all the relevant logs (notably the HTTP access and error logs and, if you are the server administrator, also syslog, auth.log and kern.log).
Also make a copy of Magento’s log files (var/log/*).
2. Analyse root cause
If your shop is not fully patched (check your shop with MageReport), it is 99% likely that the intruder got in through an old security flaw.
If you are fully patched, the intruder could get in through buggy or outdated 3rd party extensions, an insecure server, or a yet unknown flaw in Magento. First you should notify your hosting company. If they can rule out that the server got compromised, you should escalate to 3rd party vendors or Magento itself.
3. Secure the entrance
Fixing a site is useless if the intruder can just as easily get in again afterwards. Determine what you should change in order to prevent repeated abuse. In most cases this will be:
- install all the relevant patches (most important: 5344 and 6788)
- remove strange, old or unused admin accounts
4. Throw the hacker out
Your code and database should be thoroughly clean. An intruder has most likely left one or more backdoors. These could be separate files (/skin/error.php) or mixed in with regular Magento code (Mage.php or include/config.php). The only trustworthy way to accomplish this is to remove everything and recover from a (known clean) backup or git checkout.
Establish which files were changed and go back to the latest clean version. For example, do a git diff origin/<old-release>. Do not trust a git checkout on the server, as that could have been compromised as well.
If you do not have a backup or version control, success is not guaranteed. But you could try to find suspicious and/or recently modified files. And you could compare with a new Magento installation to see if core files have been modified.
- Find files modified in the last 10 days:
find /docroot -type f -mtime -10
- Find files that contain suspicious php code:
grep -r --include='*.php' 'eval(' /docroot | grep base64
- Compare with a clean installation
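The three checks above combined into one read-only triage pass, as an added example that is not part of the original article: recently modified files, PHP files with eval() and base64 on one line (the article's grep, restricted to file names), and a file-by-file comparison against a clean copy of the same Magento release that reports both modified and extra files such as skin/error.php. The function names, the path of the clean copy and the exclusion of var/ and media/ are assumptions; the clean copy must be the same Magento version as the shop. The base64 payload in the test is a constructed marker, not real malware.

```shell
#!/bin/sh
# Added example (not the article's own tooling): triage a Magento docroot.
# Assumes GNU find/grep and a clean, same-version copy of Magento to compare against.

# Files under $1 changed in the last $2 days; var/ (cache, sessions, logs) is skipped
# because it changes constantly and would drown the list.
recently_modified() {
    find "$1" -path "$1/var" -prune -o -type f -mtime "-$2" -print | sort
}

# PHP files with eval( and base64 on the same line: the same pattern as the article's
# grep, printed as file names so the list can be fed into the comparison below.
suspicious_php() {
    grep -rlE --include='*.php' 'eval\(.*base64|base64.*eval\(' "$1" | sort
}

# Usage: differs_from_clean <docroot> <clean_copy>
# Walks the docroot (skipping var/ and media/, which legitimately differ) and prints
# "modified: <path>" for files whose content differs from the clean copy and
# "extra: <path>" for files the clean copy does not have at all.
differs_from_clean() {
    docroot="$1"; clean="$2"
    find "$docroot" -path "$docroot/var" -prune -o -path "$docroot/media" -prune \
         -o -type f -print | sort |
    while IFS= read -r f; do
        rel="${f#"$docroot"/}"
        if [ ! -e "$clean/$rel" ]; then
            printf 'extra: %s\n' "$rel"
        elif ! cmp -s "$f" "$clean/$rel"; then
            printf 'modified: %s\n' "$rel"
        fi
    done
}

# Usage: triage <docroot> <clean_copy> <days>   (prints a labelled report)
triage() {
    echo "== files modified in the last $3 days"; recently_modified "$1" "$3"
    echo "== PHP files with eval()/base64";       suspicious_php "$1"
    echo "== differs from clean copy";            differs_from_clean "$1" "$2"
}
```

Typical use is `triage /docroot /tmp/magento-clean-1.9.x 10`, where the clean copy is a fresh extract of the release archive or an `export` from a trusted git origin, never a checkout taken from the compromised server. Files that are only in the docroot but not in the clean copy still need a manual look (extensions and uploads land there too), but a PHP file in skin/ or media/ that also shows up under the eval()/base64 heading is a strong candidate for a backdoor.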
Verify that you have installed all the relevant Magento patches and the latest versions of 3rd party extensions.
History of major incidents
Oct 2015: GuruInc JS hijack
Nov 2015: RansomWare outbreak
Multiple Magento sites were reported where hackers installed ransomware. Legitimate Magento files got encrypted, thereby disabling the site. Site owners were blackmailed and asked to pay in Bitcoin to get the encryption removed. More info:
Nov 2015: Credit card Hijack
Credit card Hijack is malicious code injected into Magento that allows hackers to intercept credit card details. More info:
Magento is not an easy open source CMS. Although we are very skilled in hosting Magento shops, making them fast and keeping conversion high, we are not Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don't hesitate to contact one of these agencies.