Magento Forum

Is my site still hacked and can you identify the type of hack?
 
mathman
Jr. Member
 
Total Posts:  5
Joined:  2011-10-30
 

Hi, 4 days ago I noticed in Google Analytics that my Magento eshop was getting 10x the traffic it usually gets each day. Then I also noticed that the traffic was all coming from Italy and all were bounces. I FTP'd into my main folder and found 3 unknown .zip files, which I deleted. But the unwanted traffic still keeps coming. The referral addresses are multiple addresses like these (actual ones):
posta1a.mailbeta.libero.it / referral
posta30a.mailbeta.libero.it / referral
posta35a.mailbeta.libero.it / referral
posta36a.mailbeta.libero.it / referral
posta36b.mailbeta.libero.it / referral
posta37a.mailbeta.libero.it / referral ...
wm3.email.it / referral
wm7.email.it / referral ...

I checked my site with antivirus and changed passwords.
Could anyone give me any help on:
1) How to be sure that my site is clean now?
2) What type of hack was that? (spam etc.)
and the most important:
3) Why am I getting all the unwanted traffic, is it an aftereffect?
Thank you
(PS: I am using the latest Magento Community Edition)

 
 
roshanlal
Member
 
Total Posts:  33
Joined:  2010-01-15
india
 

Which hosting service are you using?

 
 
mathman
Jr. Member
 
Total Posts:  5
Joined:  2011-10-30
 

Arvixe, why?!

 
 
elspood
Magento Team
 
Total Posts:  22
Joined:  2012-05-01
Magento
 

Disclaimer: this is just a guess based on the behavior you describe, but it sounds like the attackers found some way to upload these ZIP files to your server and were using it like a free dropbox to host them. They then shared links with various file-sharing sites to the content they uploaded.

Once your site is compromised, it can be very difficult or impossible to prove that you have eradicated the attacker’s presence on the site. Unless you know exactly how they got in and what file(s) they changed, it is quite possible that the attacker still has access to your server to repeat their actions again later. Changing the admin password for the site was a good step, but it will only keep the bad guys out if they used your admin credentials to get into the site in the first place.

Knowing your hosting provider is important because they may have logs of incoming activity, firewalls, or IDS that could have detected the attackers. However, if you don’t know when they first got in, those logs may have been destroyed or rotated ages ago. The hosting provider might also be responsible for securing the server that your store is running on, in which case you would need to follow up with them to make sure the attackers are out or to rebuild your server from scratch to eliminate any back doors or other programs installed on the system.

Good luck!
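
One way to test the "free dropbox" guess against the web server's access log, as an added example that is not part of the original post: it groups requests for archive files that arrived with an external referrer and reports when each file was first requested. The combined log format, the host name `shop.example`, the file names and every log line are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Apache/nginx "combined" log format (assumed; adjust to what the host provides).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*"'
)
ARCHIVE = re.compile(r'\.(zip|rar|7z|tar|gz)$', re.IGNORECASE)

# Constructed sample lines; IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2013:08:15:02 +0000] "GET /unknown1.zip HTTP/1.1" 200 48211 "http://posta36a.mailbeta.libero.it/cp/mail" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2013:09:00:41 +0000] "GET /unknown1.zip HTTP/1.1" 404 512 "http://wm3.email.it/inbox" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2013:09:01:10 +0000] "GET /index.php HTTP/1.1" 200 9000 "http://shop.example/" "Mozilla/5.0"',
    '198.51.100.5 - - [12/Mar/2013:09:02:00 +0000] "GET /media/catalog.zip HTTP/1.1" 200 100 "http://shop.example/admin" "Mozilla/5.0"',
]

def summarize_archive_hits(lines, own_host):
    """Group archive-file requests that came from an external referrer."""
    report = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format
        path = m["path"].split("?", 1)[0]
        ref_host = urlparse(m["ref"]).hostname or "-"
        if not ARCHIVE.search(path) or ref_host in ("-", own_host):
            continue  # only externally linked archives are of interest
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = report.setdefault(path, {"first_seen": ts, "hits": 0,
                                         "referrers": Counter(), "statuses": Counter()})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["hits"] += 1
        entry["referrers"][ref_host] += 1
        entry["statuses"][m["status"]] += 1
    return report

if __name__ == "__main__":
    for path, e in summarize_archive_hits(SAMPLE_LOG, "shop.example").items():
        print(path, e["first_seen"].isoformat(), e["hits"],
              dict(e["statuses"]), dict(e["referrers"]))
```

A file that shows 200 responses before the cleanup and 404 responses afterwards, all referred from webmail hosts, is consistent with links to the deleted files still being followed; the earliest `first_seen` gives a lower bound on when the upload happened, limited by how far back the logs go.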

 
 
Simple Servers
Member
 
Total Posts:  45
Joined:  2010-10-20
Birmingham UK
 

Hi

A good site to ask to run a check on your site is http://sucuri.net. They will find any traces of suspicious files, quarantine and harden.

 
 
magneto800
Member
 
Total Posts:  60
Joined:  2013-03-15
 

This could be an FTP exploit. You need to update username/password.

 