Magento - hack attempt - Security - eCommerce Software for Growth

Log In

Username or Email

Password:

Forgot Password

or
Register

Skip to site navigation »
Skip to main content »
Skip to footer content »

Magento Forum

hack attempt

eCommWeb Total Posts: 2 Joined: 2010-06-16 Ignore user	recently someone managed to alter elements of the home page on our site. They appear to have been able to deploy a debug tool to obtain information about the site. From the access logs there were this set on entries below. The ip address is registered to Amazon cloud, but the urls are clearly not anything that alexa/amazon would do during a crawl. Looks like they accessed the config and then tested all the modules they found installed. When we discovered the damage, essentially the modules had been switched off It not clear how this allowed them access as /apps/etc/config.xml is protected in the normal way (htaccess), and trying the url index.php/debug/index/downloadConfig/ does not get us any information Anyone else experienced this and found a way to block it? The IP address has been reported previously as a spammer/hacker 204.236.226.210 - - [04/Feb/2012:06:29:01 +0000] “GET /pstr/index.php/debug/index/clearCache/ HTTP/1.0” 302 - “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:06 +0000] “GET /pstr/index.php/debug/index/downloadConfig/ HTTP/1.0” 200 604837 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:11 +0000] “GET /pstr/index.php/debug/index/searchConfig/ HTTP/1.0” 200 - “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:17 +0000] “GET /pstr/index.php/debug/index/searchGroupedClass/ HTTP/1.0” 200 - “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:22 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=AW_Advancedmenu HTTP/1.0” 200 370 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:27 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=AW_All HTTP/1.0” 200 987 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:32 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=AW_Blog HTTP/1.0” 200 1001 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:37 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=CapacityWebSolutions_ImportProduct HTTP/1.0” 200 1179 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:42 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=Ebizmarts_SagePayReporting HTTP/1.0” 200 1347 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:47 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=Ebizmarts_SagePaySuite HTTP/1.0” 200 1085 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:52 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=FME_Manufacturers HTTP/1.0” 200 372 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:29:57 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=Find_Feed HTTP/1.0” 200 364 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:30:02 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=Magazento_Easytopsell HTTP/1.0” 200 1085 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:30:07 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=Mage_Admin HTTP/1.0” 200 488 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:30:12 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=Mage_AdminNotification HTTP/1.0” 200 512 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:30:17 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=Mage_Adminhtml HTTP/1.0” 200 496 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:30:22 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=Mage_Api HTTP/1.0” 200 363 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” 204.236.226.210 - - [04/Feb/2012:06:30:27 +0000] “GET /pstr/index.php/debug/index/toggleModuleStatus/?module=Mage_Authorizenet HTTP/1.0” 200 372 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)” Signature Gary DF Milne http://www.eCommWeb.co.uk eCommerce that works!
	Posted: February 6 2012 \| top

edmondscommerce Total Posts: 342 Joined: 2008-08-26 Ignore user	I’ve not seen this before, but looking at the requests, it would appear that the Magneto Debug Extension has been installed and then run. If you haven’t installed this during the development process, then I would suggest checking all of the obvious folders where something could have been uploaded, i.e downloader and then checking anywhere a customer could upload a file and making sure that permissions / sanitisation is being carried out. If you have used the extension, then obviously it needs to be turned off on a live site! Signature Edmonds Commerce +44 (0)1274 590036 Expert UK Based Magento and Magento Enterprise Web Development
	Posted: February 6 2012 \| top \| # 1

Magento Community

Magento Community

Back to top

MagneticOne uses your email address for spam

Users seeing other peoples details