
Magento Forum

Hackers in /downloader/ files? 
 
msport7
Member
 
Total Posts:  41
Joined:  2008-04-05
Atlanta, GA, USA
 

This afternoon I was checking the Online Customers view in the admin, and there were about 20 visitors in various parts of the /downloader/ directory. All the URLs they were in were similar to:

http://mysite.com/downloader/pearlib/download/Mage_Core_Modules-1.3.1.1/Mage/Log/Model/Mysql4/Visitor/4c4e9c55d.html

I quickly renamed the /downloader/ directory to something else with a long file name, temporarily, and it looks like it stopped them for now.

What are the hackers after in the downloader directory? Are there files there that could be attacked? I know this is where the Magento Connect Manager runs, but I don’t know if there are files there that would allow access to other site files, the database, etc.

Any advice on this would be greatly appreciated. And if there is a way to block access to these files, I’d like to know!

Thank you!

 
 
Dillweed
Jr. Member
 
Total Posts:  21
Joined:  2009-05-28
 

Have you checked the server logs to determine the source of the intrusion and/or the IP address of the hackers?  More than likely it will be a proxy server, if it is a hacker.  It's probably not so much that they are interested in what is in the directory, but more likely a point of entrance.  From there, they hack into other areas, like credit card information (Hopefully, you're not storing CC info online.). Or find their way to the server and have some real fun making every shared account's life miserable.  You may want to bring this to Varien's attention.  This would really suck, if they just completed an install for a high dollar client and right off the bat they get hacked.  They upset quite a few users lately, so it wouldn't surprise me.

Let us know what you find in the logs

 
 
msport7
Member
 
Total Posts:  41
Joined:  2008-04-05
Atlanta, GA, USA
 

Dillweed,

Thanks for your reply. As you noted, I checked out the server log and found this type of entry on every access to the /downloader/ directory:

/downloader/pearlib/download/Mage_Core_Modules-1.3.1.1/Mage/Weee/Block/77624ea09.html
Http Code: 403 Date: May 29 23:14:49 Http Version: HTTP/1.0 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 6.0; 0824)

So it looks like they were getting 403’s on every attempt. No referrer either - so they must have been behind a proxy. I traced the IPs that were used back to the Ukraine.

Just after I posted my message this afternoon, I went to my cPanel and banned a range of IP addresses they were using.

I will bring it to Varien’s attention and see what they say.

Thanks again!

Dillweed - 29 May 2009 12:31 PM

Have you checked the server logs to determine the source of the intrusion and/or the IP address of the hackers? . . . . . This would really suck, if they just completed an install for a high dollar client and right off the bat they get hacked.  They upset quite a few users lately, so it wouldn't surprise me.

Let us know what you find in the logs
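The cPanel "Latest Visitors" view quoted above shows the path, status and agent but not the client address, so the triage step Dillweed suggests (who is probing /downloader/, how often, and did anything get past the 403) is easier from the raw web server access log. The script below is an added example, not code from the thread or from Magento: it assumes the site logs in Apache/NGINX "combined" format, and the log lines it parses are constructed to mirror the paths quoted in the thread, with documentation-range IPs rather than real attacker addresses.

```python
import re
from collections import Counter, defaultdict

# Apache/NGINX "combined" access-log format (assumption: the site logs this way).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log, modelled on the /downloader/ paths quoted in the thread.
# 203.0.113.x and 198.51.100.x are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2009:23:14:49 -0400] "GET /downloader/pearlib/download/Mage_Core_Modules-1.3.1.1/Mage/Weee/Block/77624ea09.html HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; 0824)"
203.0.113.10 - - [29/May/2009:23:14:50 -0400] "GET /downloader/pearlib/download/Mage_Core_Modules-1.3.1.1/Mage/Log/Model/Mysql4/Visitor/4c4e9c55d.html HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; 0824)"
203.0.113.11 - - [29/May/2009:23:14:51 -0400] "GET /downloader/pearlib/download/Mage_Core_Modules-1.3.1.1/Mage/Core/Block/a1b2c3d4e.html HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; 0824)"
198.51.100.7 - - [29/May/2009:23:15:02 -0400] "GET /index.php/catalog/product/view/id/42 HTTP/1.1" 200 18342 "http://mysite.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0"
203.0.113.10 - - [29/May/2009:23:15:10 -0400] "GET /downloader/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; 0824)"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def downloader_probes(entries, prefix="/downloader/", min_hits=2):
    """Group requests under `prefix` by client IP.

    Returns {ip: {"hits", "status" (Counter), "no_referer", "agents"}} for clients
    with at least `min_hits` requests under the prefix. A cluster of referer-less
    requests from one address with an old MSIE agent string is the pattern the
    original poster saw.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "status": Counter(),
                                  "no_referer": 0, "agents": set()})
    for e in entries:
        if not e["path"].startswith(prefix):
            continue
        rec = per_ip[e["ip"]]
        rec["hits"] += 1
        rec["status"][e["status"]] += 1
        if e["referer"] == "-":
            rec["no_referer"] += 1
        rec["agents"].add(e["agent"])
    return {ip: rec for ip, rec in per_ip.items() if rec["hits"] >= min_hits}


def succeeded(entries, prefix="/downloader/"):
    """Requests under `prefix` that returned 2xx. A 403 means the probe was rejected;
    these are the ones to review by hand."""
    return [e for e in entries
            if e["path"].startswith(prefix) and e["status"].startswith("2")]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ip, rec in downloader_probes(parsed).items():
        print(ip, rec["hits"], "hits", dict(rec["status"]),
              rec["no_referer"], "without referer")
    for e in succeeded(parsed):
        print("NOT BLOCKED:", e["ip"], e["path"])
```

Blocking the probing ranges, as the poster did, treats the symptom; the durable fix is to have the web server restrict /downloader/ to the addresses that actually administer the store, so that every request from elsewhere is refused before Magento Connect Manager runs at all, and then to keep an eye on the 2xx lines this script prints rather than the 403s.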

 
 
bigprinter
Jr. Member
 
Total Posts:  14
Joined:  2009-02-11
 

MSPORT7,

You may want to check your .php files and .html files.  See if they all have the same date/time stamp.  If they do, you have been hacked.  Check the php files for strange code following the <?php and the html files for strange code after the <body> tag or at the very end.
Anything following <!--

We just went through removing and reinstalling our site after it got hacked.  It occurred right after we installed Magento and WordPress.
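The two checks bigprinter describes (many files sharing one modification time, and unexpected code right after `<?php` or after `<body>`) can be scripted. The block below is an added example and is not bigprinter's or Magento's code. The regexes are a small starter set of obfuscation and hidden-frame patterns, chosen as an assumption rather than an exhaustive signature list, and the sample tree it scans is constructed in a temporary directory: three untouched files plus three rewritten at the same instant, two of which carry a harmless stand-in for injected code.

```python
import os
import re
import tempfile
from collections import defaultdict

# Assumed starter patterns: obfuscation calls in PHP, hidden frames / obfuscated
# script in HTML. Real injections vary; extend as needed.
PHP_SUSPECT = re.compile(r'eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(', re.I)
HTML_SUSPECT = re.compile(
    r'<iframe[^>]*\b(?:width|height)\s*=\s*["\']?0'
    r'|<script[^>]*>.*?(?:unescape|fromCharCode)', re.I | re.S)


def timestamp_clusters(root, exts=(".php", ".html"), min_size=3):
    """Return {mtime: [relative paths]} for groups of at least `min_size` files
    sharing an identical modification time (to the second). Mass injection rewrites
    many files in one pass, so they land on one timestamp."""
    groups = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                groups[int(os.stat(path).st_mtime)].append(rel)
    return {ts: sorted(paths) for ts, paths in groups.items() if len(paths) >= min_size}


def scan_injected_code(root):
    """Flag .php files with suspect calls near the top and .html files with suspect
    markup after <body> or in the tail. Returns sorted (path, kind, snippet)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name.lower().endswith(".php"):
                m = PHP_SUSPECT.search(text[:4000])   # loaders sit at the top
                if m:
                    findings.append((rel, "php", m.group(0)))
            elif name.lower().endswith(".html"):
                after_body = text.split("<body", 1)[-1]
                m = HTML_SUSPECT.search(after_body) or HTML_SUSPECT.search(text[-4000:])
                if m:
                    findings.append((rel, "html", m.group(0)[:40]))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample site in a temp dir: three clean files with differing
    mtimes, and three files rewritten at one instant, two carrying injected code."""
    root = tempfile.mkdtemp(prefix="magento_scan_")

    def write(rel, content, mtime):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))

    base = 1243600000  # arbitrary constructed epoch time
    write("app/Mage.php", "<?php\nclass Mage {}\n", base - 86400 * 30)
    write("index.php", "<?php\nrequire 'app/Mage.php';\nMage::run();\n", base - 86400 * 29)
    write("skin/readme.html", "<html><body><p>Theme notes</p></body></html>", base - 86400 * 28)
    # Stand-in for an injected loader; the encoded string is just echo 'hello';
    write("downloader/index.php",
          "<?php eval(base64_decode('ZWNobyAnaGVsbG8nOw==')); ?>\n<?php\nrequire 'app/Mage.php';\n",
          base)
    write("404.html",
          '<html><body><h1>Not found</h1></body>'
          '<iframe src="http://example.invalid/x" width=0 height=0></iframe></html>',
          base)
    write("errors/default.html", "<html><body>Error</body></html>", base)
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    for ts, paths in timestamp_clusters(site).items():
        print("same mtime", ts, "->", paths)
    for rel, kind, snippet in scan_injected_code(site):
        print("suspect", kind, rel, repr(snippet))
```

A shared timestamp on its own is also what a legitimate deploy or a package extraction produces, so treat the cluster as a list of files to diff against a clean copy of the same Magento and WordPress release, not as proof by itself; the content scan is the second opinion, and a file that appears in both lists is the one to look at first.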

 