
Magento Forum

Site Hacked - Homepage Top Nav Was Changed
 
switchjohnny
Member
 
Total Posts:  41
Joined:  2009-07-02
 

Curious if anyone else has had this issue. I checked my site today, and only the Top Navigation on my Home page was changed; the internal pages were fine, which is interesting because they all use the top.phtml file.

I checked my logs for strange IPs and compared my local install vs my live install to see if any files were changed (using Beyond Compare).

I didn’t see anything particularly interesting in my logs, and I didn’t see any files changed on my live site, so the only place left to check was my database.

I changed my top.phtml file previously to add 2 links like this

<?php //if(count($this->getStoreCategories())>1): ?>
<ul id="nav">
    <?php foreach ($this->getStoreCategories() as $_category): ?>
        <?php echo $this->drawItem($_category) ?>
    <?php endforeach ?>
    <?php // $rooturl is assumed to be set earlier in this template (the store base URL) ?>
    <li><a href="<?php echo $rooturl;?>/blog">BLOG</a></li>
    <li><a href="<?php echo $rooturl;?>/forum" class="last">FORUM</a></li>
</ul>
<?php //endif; ?>

The /blog and /forum links were the only links changed by this “hack”, so maybe the way I implemented this has a security vulnerability.

The links were changed to “wantsfly dot com”.

I searched my database for the domain name and it was only found in the log_url_info table. I also noticed plenty of visits from hxxp://proxyjudge1.proxyfire.net/fastenv

Here is what the wantsfly value looked like:
hxxp://www.wantsfly.com/prx.php?hash=F2DDF8FCB26BE2A84AD02FEF0050ABA79810097EFEDD

Does this mean anything to anyone?

So from what little I know, it looks like someone was using proxies to find an exploit.

All I had to do to fix my site was clear the cache.
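
The injected links in this post lived only in the cached copy of the homepage, not in top.phtml or the catalog tables, which is why a file diff found nothing and clearing the cache fixed it. The following scanner is an added example, not code from this thread or from Magento: it walks a directory of cached HTML fragments (assumed to be the raw HTML that Magento's file cache backend writes under var/cache), collects every href/src/action host and reports the ones not on an allow list, so a poisoned block shows up without a manual diff. The store hostnames, the placeholder attacker host and the two sample fragments are constructed. The same scan works over a SQL dump of the core_cache or cms_block tables, since it only needs text containing HTML.

```python
"""Find off-site links inside cached page fragments (added example, not from the thread)."""
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example-store.test", "example-store.test"}  # assumed store hostnames


class _LinkCollector(HTMLParser):
    """Collect the URL-bearing attribute values of every start tag."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def suspicious_hosts(html, allowed=ALLOWED_HOSTS):
    """Return the set of hosts referenced by html that are not on the allow list.

    Relative links (/blog), mailto: and javascript: values carry no host and are
    ignored; protocol-relative links (//host/x) are checked like absolute ones.
    """
    collector = _LinkCollector()
    collector.feed(html)
    found = set()
    for url in collector.urls:
        host = urlparse(url.strip()).hostname
        if host and host.lower() not in allowed:
            found.add(host.lower())
    return found


def scan_cache_dir(cache_dir, allowed=ALLOWED_HOSTS):
    """Map each cache file that references an off-site host to the hosts it references."""
    findings = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    data = fh.read()
            except OSError:
                continue
            if "<" not in data:  # serialized config/layout entries, not HTML fragments
                continue
            hosts = suspicious_hosts(data, allowed)
            if hosts:
                findings[path] = hosts
    return findings


# Constructed sample fragments: a clean top navigation, and a poisoned one in
# which the two hand-added links now point at a placeholder attacker host.
CLEAN_BLOCK = """<ul id="nav">
<li><a href="/catalog/category/view/id/3">Shoes</a></li>
<li><a href="http://www.example-store.test/blog">BLOG</a></li>
<li><a href="http://www.example-store.test/forum" class="last">FORUM</a></li>
</ul>"""

POISONED_BLOCK = """<ul id="nav">
<li><a href="/catalog/category/view/id/3">Shoes</a></li>
<li><a href="http://www.attacker-host.invalid/prx.php?hash=PLACEHOLDER">BLOG</a></li>
<li><a href="//www.attacker-host.invalid/prx.php?hash=PLACEHOLDER" class="last">FORUM</a></li>
</ul>"""


def demo():
    """Write both samples into a temporary var/cache tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "var", "cache", "mage--0")
        os.makedirs(cache)
        for name, body in (("mage---clean", CLEAN_BLOCK), ("mage---poisoned", POISONED_BLOCK)):
            with open(os.path.join(cache, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_cache_dir(os.path.join(tmp, "var", "cache"))
        return {os.path.basename(p): sorted(h) for p, h in findings.items()}


if __name__ == "__main__":
    print(demo())  # {'mage---poisoned': ['www.attacker-host.invalid']}
```

Run it against a real install as `scan_cache_dir("/path/to/magento/var/cache")` with ALLOWED_HOSTS set to every hostname and CDN the store legitimately links to; anything else it reports deserves a look before the cache is cleared, because clearing removes the evidence.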

 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

Hrmmm..... I haven't seen anyone actually run into an actual Magento exploit recently. They seem to lead to compromised login information due to malware on an infected machine.

You may want to check this thread:
http://www.magentocommerce.com/boards/viewthread/44203/P0/

 
brendanb
Mentor
 
Total Posts:  1093
Joined:  2008-07-16
London, United Kingdom
 

How are your file & folder permissions set up?

I know it's quite common to see people set up their site initially with 777, which is not a good idea.

brendan

 
switchjohnny
Member
 
Total Posts:  41
Joined:  2009-07-02
 
fr0x - 29 July 2009 05:52 AM

Hrmmm..... I haven't seen anyone actually run into an actual Magento exploit recently. They seem to lead to compromised login information due to malware on an infected machine.

You may want to check this thread:
http://www.magentocommerce.com/boards/viewthread/44203/P0/

Possibly it could have been a compromised login. The first thing I did was change the password. As far as malware goes, I’m not ruling it out 100%, but I do a nightly scan, and everything is clean.

 
switchjohnny
Member
 
Total Posts:  41
Joined:  2009-07-02
 
brendan. - 29 July 2009 06:17 AM

How are your file & folder permissions set up?

I know it's quite common to see people set up their site initially with 777, which is not a good idea.

brendan

My permissions are set to however the original install was set. Is there documentation that goes through each directory and gives permission settings?

 
brendanb
Mentor
 
Total Posts:  1093
Joined:  2008-07-16
London, United Kingdom
 

ok,

Check this out. You need to have SSH access to run these commands. I use PuTTY from my PC.

# run from the Magento document root
find . -type f -exec chmod 644 {} \;          # all files: owner rw, everyone else read-only
find . -type d -exec chmod 755 {} \;          # all directories: owner rwx, others rx
chmod o+w var var/.htaccess app/etc           # the only places the web server must write
chmod 550 pear
chmod -R o+w media                            # uploaded images and product media

see this thread for details. http://www.magentocommerce.com/boards/viewthread/33166/

hth
brendan
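
As an added example (not from this thread or from Magento), here is an audit that checks an install against the recipe above rather than applying it: files 644, directories 755, group/other write access only under var/, media/ and app/etc, and pear left at 550. It walks a docroot and returns every path that deviates, so a blanket 777 left over from installation is listed instead of silently fixed. The Magento 1 directory layout and the constructed tree in demo() are assumptions.

```python
"""Audit a Magento docroot against the 644/755 permission recipe (added example)."""
import os
import stat
import tempfile

WRITABLE_PREFIXES = ("var", "media", "app/etc")  # the only trees where o+w is expected
EXECUTABLE_FILES = ("pear",)                     # chmod 550 pear keeps its x bits


def _under(rel_path, prefixes):
    """True when rel_path is one of the prefixes or lies inside one of them."""
    return any(rel_path == p or rel_path.startswith(p + "/") for p in prefixes)


def check_mode(rel_path, mode, is_dir):
    """Return a short problem description, or None when the mode fits the recipe."""
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IWGRP | stat.S_IWOTH) and not _under(rel_path, WRITABLE_PREFIXES):
        return "writable by group/others outside var, media, app/etc"
    if is_dir:
        return None  # 755, or o+w inside the writable trees, is what the recipe produces
    if perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH) and rel_path not in EXECUTABLE_FILES:
        return "executable bit set on a file (expected 644)"
    return None


def audit(docroot):
    """Walk docroot and return sorted (relative_path, problem) pairs."""
    problems = []
    for root, dirs, files in os.walk(docroot):
        for name in dirs + files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; audit its target separately
            problem = check_mode(rel, st.st_mode, stat.S_ISDIR(st.st_mode))
            if problem:
                problems.append((rel, problem))
    return sorted(problems)


def demo():
    """Build a small constructed docroot in a temp dir and audit it."""
    layout = {  # constructed sample: one file still carries the classic 777
        "index.php": 0o644,
        "pear": 0o550,
        "app/etc/local.xml": 0o646,                        # app/etc may be writable
        "app/code/core/Mage/Core/Model/Store.php": 0o777,  # should be 644
        "media/catalog/product/a.jpg": 0o666,              # media is o+w by design
        "var/cache/mage---block": 0o666,                   # var is o+w by design
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, mode in layout.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("x")
            os.chmod(path, mode)
        for root, dirs, _files in os.walk(tmp):  # pin directories to 755 regardless of umask
            for d in dirs:
                os.chmod(os.path.join(root, d), 0o755)
        return audit(tmp)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

Point audit() at the real document root before and after running the chmod commands; the list it returns after the fix should be empty apart from anything you have deliberately made writable.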
