How to recover a hacked Magento shop

in Security Tags: MagentoMagereportSecurity

Unfortunately websites get hacked. Most of the times because of an outdated CMS version or buggy plugins and/or extensions. Regularly check your shop with Magereport.com to make sure your Magento shop’s security is up and running. Magereport will tell you if there are any security issues with your shop and if so, how to fix them. This article explains you how to recover a hacked Magento shop.

Is my shop hacked?

Magereport checks for backdoors and encrypted files that should not be encrypted, for example:

  • /skin/error.php (not an official Magento file)
  • README_FOR_DECRYPT.txt (blackmail instructions)

What to do when your shop is hacked

This is a good priority list:

  1. Collect and protect evidence.
  2. Analyse how the intruder got in
  3. Secure the entrance
  4. Throw the hacker out

 

1. Collect evidence

This needs to be done asap, as the intruder might eliminate traces if he finds out you are on to him.

Make sure to make a copy of all the relevant logs (notably, http access & errors logs, and if you are the server administrator, also: syslog, auth.log, kern.log).

Also make a copy of Magento’s log files (var/log/*).

2. Analyse root cause

If your shop is not fully patched (check your shop with MageReport), it is 99% likely that the intruder got in through an old security flaw.

If you are fully patched, the intruder could get in through buggy or outdated 3rd party extensions, an insecure server, or a yet unknown flaw in Magento. First you should notify your hosting company. If they can rule out that the server got compromised, you should escalate to 3rd party vendors or Magento itself.

3. Secure the entrance

Fixing a site has no use if the intruder can just as easily get in afterwards. Determine what you should change in order to prevent repeated abuse. In most cases this will be:

  • install all the relevant patches (most important: 5344 and 6788)
  • remove strange, old or unused admin accounts

4. Throw the hacker out

Your code and database should be thoroughly clean. An intruder most likely has left one or more backdoors. These could be separate files (/skin/error.php) or mixed in with regular Magento code (Mage.php or include/config.php) The only trustworthy way to accomplish this, is to remove everything and recover from a (known clean) backup or git checkout.

Establish which files were changed and go back to the latest clean version. For example, do a git diff origin/<old-release>. Do not trust a git checkout on the server, as that could have been compromised as well.

If you do not have a backup or version control, success is not guaranteed. But you could try to find suspicious and/or recently modified files. And you could compare with a new Magento installation to see if core files have been modified.

  • Find files modified in the last 10 days: find /docroot -type f -mtime -10
  • Find files that contain suspicious php code: grep -r --include='*.php' 'eval(' /docroot | grep base64
  • Compare with a clean installation

Verify that you have installed all the relevant Magento patches and the latest versions of 3rd party extensions.

History of major incidents

Oct 2015: GuruInc JS hijack

Hackers inserted malicious Javascript code in Magento headers, which lead visitors to install malicious code in their browsers. Read more about this specific incident.

Nov 2015: RansomWare outbreak

Multiple Magento sites were reported where hackers installed ransomware. Legitimate Magento files got encrypted, thereby disabling the site. Site owners were blackmailed and asked to pay in Bitcoin to get the encryption removed. More info:

Nov 2015: Credit card Hijack

Credit card Hijack is malicious code injected in Magento that allows hackers to intercept credit card credentials. More info:

Need help?

Magento is no easy open source CMS. Although we’re very skilled in hosting Magento shops, making them fast and keeping conversion high, we’re no Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don’t hesitate to contact one of these agencies.

0