recently someone managed to alter elements of the home page on our site.
They appear to have been able to deploy a debug tool to obtain information about the site.
From the access logs there were this set on entries below.
The ip address is registered to Amazon cloud, but the urls are clearly not anything that alexa/amazon would do during a crawl.
Looks like they accessed the config and then tested all the modules they found installed.
When we discovered the damage, essentially the modules had been switched off
It not clear how this allowed them access as /apps/etc/config.xml is protected in the normal way (htaccess), and trying the url
does not get us any information
Anyone else experienced this and found a way to block it?
The IP address has been reported previously as a spammer/hacker
I’ve not seen this before, but looking at the requests, it would appear that the Magneto Debug Extension has been installed and then run.
If you haven’t installed this during the development process, then I would suggest checking all of the obvious folders where something could have been uploaded, i.e downloader and then checking anywhere a customer could upload a file and making sure that permissions / sanitisation is being carried out.
If you have used the extension, then obviously it needs to be turned off on a live site!