Hacked - in site cache - wantsfly [dot] com
 
el1jones
Jr. Member
 
Total Posts:  5
Joined:  2009-02-18
 

So here I am with a brand new site (my 7th made with Magento), hosted on a reputable hosting company.  All of 2 days since the install when, WHAM, all of a sudden the whole site is redirected to wantsfly[dot]com.  So, I freak out.  FREAK....
The computers I use have multiple antiviruses running, and run periodic deep scans (had a virus try to steal FTP passwords once), so I’m pretty sure it’s not a virus on my end.
So I check through the site, and can NOT find any files that have been changed.

To play it safe, I delete THE ENTIRE SITE.... everything: files, database, .htaccess files… it’s a bare account. I even change the passwords.

I reload everything from scratch.  The Magento install, the database, the template (from Template Monster)… all is working well for a day, and
WHAM… it happens again.

I do a database search, and notice it’s in the cache… I delete the cache files and it’s gone.
Looking in the logs, I see references to “Morfeus F**king Scanner” , which I’m guessing isn’t good.

Does anyone have ANY idea what caused this?
and/or how to protect against it happening again?

Thanks

 
 
Steven-3
Jr. Member
 
Total Posts:  7
Joined:  2008-07-08
 

It’s not a great solution but you can try adding this to your .htaccess file:

# Start of .htaccess change.
RewriteEngine On
# Match requests whose User-Agent header begins with "Morfeus" ...
RewriteCond %{HTTP_USER_AGENT} ^Morfeus
# ... and answer them with 403 Forbidden instead of serving the page.
RewriteRule ^.*$ - [F]
# End of .htaccess change.

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

Take a look here for some other info on it:
http://blog.yaay.us/?p=33

It’s a bit old, but might help you understand how it’s doing its attack (and what steps you should take to stop it).

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

I just noticed this in my Who’s Online list:

http://www.wantsfly.com/prx2.php?hash=54DB3104873BFFAA4E6DAF9800506C877894B3D1E0D3

5 Entries after which I think my Fail2Ban setup booted that IP out. IP was 221.192.199.35 which is in China.

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

I found nearly a thousand entries related to wantsfly in my Mage logs.

Here’s another thread which seems to indicate they are targeting Magento, or at least insecure systems using Magento.

http://www.magentocommerce.com/boards/viewthread/49336/

I looked everywhere and can’t find evidence they actually got in our system, just attempts.

Entries like http://proxyjudge1.proxyfire.net/fastenv seem to be related, I have a few hundred in my logs like that.

I’ll try and come up with a way to auto-ban any attempts related to wantsfly and proxyjudge, but as they don’t seem to be getting in, it’s not high on my list.

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

I think your best bet to avoid this is turning off global variables (as the .htaccess block above is easily circumvented by the bot using a different or random name).

In your php.ini file make sure:
register_globals = Off

If it’s set to On, change it and restart Apache.

PHP itself believes this is unsafe to have on and has deprecated its use with 5.3:
http://ca.php.net/manual/en/security.globals.php

From what I’ve read, this intrusion cannot work with this value set to Off (and it sounds like having it on opens you to all sorts of other security issues).

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

These and other probes I’ve seen have one thing in common. They show in the Customers Online list (and hence the log_url table) with a URL that isn’t one of the Magento shops. So it shouldn’t be too hard to make a module that recognises all the valid base URLs and then if requested url != in_array($expected_urls) write to a log file which fail2ban monitors.
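One way to prototype the check described in this post, as an added example that is not part of the thread and not Magento's own code: a stand-alone Python script instead of a Magento module. The base URLs, the sample rows (shaped like log_url entries), the log line format and the fail2ban failregex are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Base URLs the shop really serves (constructed for this example).
EXPECTED_BASE_URLS = [
    "http://www.example-shop.test/",
    "https://www.example-shop.test/",
]

# Constructed rows in the shape of Magento's log_url data:
# (visitor_id, remote_ip, requested url). The two absolute-URL rows mirror
# the proxy-probe requests quoted earlier in the thread.
SAMPLE_ROWS = [
    (101, "192.0.2.10", "http://www.example-shop.test/catalog/category/view/id/3"),
    (102, "203.0.113.7", "http://www.wantsfly.com/prx2.php?hash=PLACEHOLDER"),
    (103, "203.0.113.7", "http://proxyjudge1.proxyfire.net/fastenv"),
    (104, "192.0.2.11", "https://www.example-shop.test/checkout/cart/"),
]


def expected_hosts(base_urls):
    """Reduce the configured base URLs to the set of host names we answer for."""
    return {urlsplit(u).netloc.lower() for u in base_urls}


def is_foreign_request(url, hosts):
    """True when the requested URL names a host that is not one of ours.
    Relative URLs have no host and are never treated as foreign."""
    host = urlsplit(url).netloc.lower()
    return bool(host) and host not in hosts


def flag_rows(rows, base_urls=EXPECTED_BASE_URLS):
    """Return one log line per request to a foreign host, for fail2ban to read."""
    hosts = expected_hosts(base_urls)
    lines = []
    for visitor_id, ip, url in rows:
        if is_foreign_request(url, hosts):
            # Constructed log format: the banning IP must appear in the line.
            lines.append(f"FOREIGN_HOST ip={ip} visitor={visitor_id} url={url}")
    return lines


# Constructed failregex for the line format above; <HOST> is fail2ban's
# placeholder for the address to ban.
FAILREGEX = r"^FOREIGN_HOST ip=<HOST> visitor=\d+ url=\S+$"


def failregex_matches(line):
    """Return the host a fail2ban-style filter would extract, or None."""
    pattern = FAILREGEX.replace("<HOST>", r"(?P<host>\S+)")
    m = re.match(pattern, line)
    return m.group("host") if m else None
```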

 
 
Ashley01
Jr. Member
 
Total Posts:  15
Joined:  2010-05-06
 

Hello friends,
I appreciate this. Do you do all this stuff on your own, or elsewhere with someone’s help?


 