I believe this is a problem with Magento, not with the hosting server. I too have experienced the same exact thing.... TWICE!
I installed Magento the first time and shortly after… wham! My index page was giving me the same error. So I opened up the file and found new code that shouldn’t be there. Removing the code did not fully fix the problem. I had to upload a fresh copy of the index file because some of the last lines of the default code had been deleted. Admin area would not let me log in. Resetting password would not work. The tutorials here did not work. I tried re-uploading EVERYTHING which took forever. Still… it wouldn’t work. After talking to some people, everyone convinced me my server must have been compromised. So, we moved to another server, I changed all passwords (complicated passwords) to everything, including the database. I completely removed the entire site and reinstalled (since it was a new installation anyway). I figured better safe to make sure I didn’t miss anything.
So, a few weeks go by with the clean install and new passwords and guess what… same thing happened again! I just noticed it. So I uploaded a fresh copy of index again, but my admin area is acting weird. I was able to log in this time, but none of the navigation links in admin are working.
Something is wrong here and it’s not the server. PLEASE… someone help us out here. I have a feeling more people will be complaining about this if it’s some sort of exploit or flaw in the Magento code.
Glad I’m not the only person that has run into this. I’m removing Magento for now. This is a serious security issue! And in no way am I going to compromise other merchants on our servers. Not to mention Magento is a true resource hog. Get a site with 10-15 people on it and it’s done.
We went through 3 months of fighting a hack on our Magento install.
Every time we changed our password, within a couple of days we were hacked again.
Added a lot of security code to our .htaccess file. Didn’t help.
We finally had to have our ISP close down our account and open a new one and reinstall everything.
We have not reinstalled Magento.
We got hacked the first time within 2 days of installing Magento. Never had been hacked in 5 years.
I can’t speak for Magento as I have yet to install, except for a temporary demo install a few months back. Anyway, I had this same problem with Joomla! for the last month. The iframe malicious code injection was a downright nightmare - and it spread to all of my sites.
There were issues on my part and my host’s.
You can keep fixing that index file but I can promise you it will come back if you don’t take any precautions.
First - you should consider that you put it there from your own PC. So I started with malwarebytes.com and then HijackThis and got rid of a few trojans - who knew.
Then you need to pass protect your admin folder through the cpanel option or whatever - so basically you have to login twice to use the admin interface. That helps a lot. But again, if the virus is already in there, changing the pwds won’t help until you can get it out.
So use your FTP to see the dates of last access files - look for your folders that have an index.html ( which the viruses reside like the one mentioned above and you can double check from your original files and remove those looong number sequences, in Joomla anyway, not familiar with Mage to say for sure ) and then also the folders with the added .htaccess and random number .php file like this:
.htaccess
556386.php
BTW, I had 2,692 of these files to remove plus each one with an .htaccess to delete as well. Ouch.
A robot hits on a nonexistent file, the little buggers, and “looks” in the .htaccess file which shows an error redirect to the .php file which refers back to ...... WHERE?? exactly.
So, you have to have your host run a clamscan or something on everything. And they won’t even catch the .php files most likely. Don’t even bother changing them until you find the script that it goes with. Mine was found running under Usage.php which looked like it belonged but clearly did not so that was immediately deleted.
Oh and make sure your host is running the latest on Apache and PHP. And hope your existing installs are compatible.
And another way to check is unusually high bandwidth for a site you know isn’t getting that much traffic. There are also randomly named folders with funny names like ‘water’ or ‘catch’ added that contain, get this - images like you get when you get spammed with drug and pill spams. Well they’re using your bandwidth to host those images! And you’re getting blacklisted.
Now I know this is a lot and I’m not very organized in my thoughts here but that’s about how it felt going through this. And I’m pretty sure there were multiple types of injections in the sites for different purposes. If it was only one type then wow, it’s a pretty complex virus/trojan whatever.
So..... while I’m now convinced anything written in PHP is pretty much up for grabs by crackers, let’s not lay the blame totally with Magento as Joomla has the same problems and probably many more - still can’t figure out why people are flocking to PHP? And yes, I guess I’m a glutton for punishment because I’m going back for more and will continue to use both Magento and Joomla again until a viable yet affordable language comes along.
Good luck and make a checklist for your host and yourself to get through the process. Keeps down on the runaround.
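The file pattern described in the post above (an added .htaccess sitting next to a random-number .php file) can be searched for with a script instead of by hand over FTP. This is an added example, not part of the original thread; it assumes the planted .htaccess uses Apache's ErrorDocument directive for the "error redirect", and the directory tree it scans is constructed sample data.

```python
import os
import re
import tempfile

# Assumption: the "error redirect" in the planted .htaccess is an Apache
# ErrorDocument line; the post does not quote the file's contents.
NUMERIC_PHP = re.compile(r"^\d+\.php$")
ERRORDOC = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+(\S+)", re.I | re.M)

def find_dropper_pairs(webroot):
    """Return (directory, php_name, referenced) for each all-digit .php file
    that shares a directory with an .htaccess. referenced is True when an
    ErrorDocument line in that .htaccess points at the file."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if ".htaccess" not in files:
            continue
        with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
            targets = {os.path.basename(t) for t in ERRORDOC.findall(fh.read())}
        rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        for name in sorted(files):
            if NUMERIC_PHP.match(name):
                findings.append((rel, name, name in targets))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample tree: one planted pair, one numeric .php beside an
    unrelated .htaccess, one legitimate .htaccess, one lone numeric .php."""
    layout = {
        "media/water/.htaccess": "ErrorDocument 404 /media/water/556386.php\n",
        "media/water/556386.php": "<?php /* constructed placeholder */ ?>\n",
        "skin/.htaccess": "Options -Indexes\n",
        "skin/42.php": "<?php /* constructed placeholder */ ?>\n",
        "app/.htaccess": "Order deny,allow\nDeny from all\n",
        "lib/2009.php": "<?php /* constructed placeholder */ ?>\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_dropper_pairs(root)

if __name__ == "__main__":
    for directory, php, referenced in demo():
        print(f"{directory}/{php}  referenced_by_htaccess={referenced}")
```

Point `find_dropper_pairs` at a downloaded copy of the web root; hits with `referenced=True` match the pair described in the post, while `False` hits still deserve a manual look.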
I bet the people with these issues are using Magento Connect with all the open file permissions it requires.
It would be interesting if Varien could make a comparison of hosting environments and Magento configuration to confirm or dismiss what this was due to.
People should check that their PCs aren’t infected, disable register_globals on their server, check their file permissions, etc. And of course change their hosting solution -at least configure it properly, shared hosting isn’t an option- if they claim that it can’t handle 10 users over Magento.
Unless you have real visitors from China, I guess you could also blanket block Chinese IPs or anything .cn by hostname. There are plenty of websites that list all current IP address blocks of an entire nation and I’ve used those for one non-Magento site to stop blog spam effectively (Blocked China and Ukraine).
Anyway, it seems to me this indeed isn’t a Magento issue but as it appears, compromised passwords. Changing your FTP credentials and deleting your FTP programs should be a good step in the right direction.
I too am facing the same problem. My index.php was hacked last week, I replaced it with a fresh one and applied a password to my site. But today it was hacked again with the following code in line 51 of index.php.
As was posted in this thread:
http://www.magentocommerce.com/boards/viewthread/41070/#t133175
It isn’t an issue with Magento but rather you (or someone with FTP access) had their passwords stolen via malware/virus/trojan. Reset your FTP passwords (and run a virus scan on your PCs that have accessed Magento).
It seems rather to be related to FTP passwords being stolen by malware installed on your computer. Please check http://www.abelcheng.com/my-sites-are-hacked-–-heres-how-i-fixed-it/
A few free scanners:
http://www.eset.com/download/free_trial_download.php
http://housecall.trendmicro.com/
If you are having trouble removing the scripts from your pages and/or getting your site back into Google’s good graces, you might want to check out http://www.iframehack.com . Their blog provides quite a bit of information on the hack, including a list of the domains that these hidden iframes are directing traffic to, and provide a service that removes the malicious content from all of the pages on your site that were affected by the virus/trojan and assists with getting the site reincluded in Google results and having the “attack site” label removed.
I have retrieved access to my site. I have changed the FTP passwords and all.
Isn’t there some foolproof solution for it?
I read somewhere about using an .htaccess file. Can someone please tell me how it is done?
Please, this is very important.