
Site Hacked

SOLVED

Site Hacked

Hey everyone, I'm new here. I have been asked to set up a Magento site for a friend. I have got some hosting and a domain sorted, but I am having an issue.

 

I have downloaded Magento CE from here. When I upload and extract it, then go to the URL, I get a plain white page which says "Site hacked by Sizzling Soul...!"

I would usually understand if this was downloaded from a random site on the web but to get this message on a fresh install from the Magento downloads section.

 

Any ideas?

 

Thanks,

Graham

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Site Hacked

I recently answered a couple of similar or at least related questions on the Magento Stack Exchange and thought I would follow up with some of the additional insights from a few more recent remediation efforts.

A security incident like this one is a challenge that must be addressed with responses from both the technical and business perspectives and given that the business implications include potential regulatory and contractual requirements that specifically impact the technical actions you may be required to perform, I thought I would outline them together in this answer.

 

Before performing any of the earlier recommended technical activities, review the following and determine which, if any, are allowed given the regulations you are subject to in your location and the contracts you have entered into with your issuing banks, gateway providers and processing service partners.

 

  1. You should first take some time to review the Official Magento Security Best Practices Guide. It contains a wealth of information to help you deal with a compromised installation as well as how to prevent it from happening in the future.

    It's based on the work of the Magento Security Team as well as knowledge shared by several Magento Security Experts both on Magento Stack Exchange and here in the Magento Community Forums.

  2. If this site generates any real volume of transactions, you should probably not attempt to resolve the issue completely on your own. Contact a Magento Security Expert who is familiar with all of the following:

    1) The specific Magento version you are running

    2) The laws covering Data Breaches, Privacy Protections, and Customer Notification Requirements that govern Merchants operating in and/or located in your geographical region.

    3) Reviewing contracts and business partner agreements with your Merchant's Gateway Provider, Processing Services, and Credit Card Companies

Depending on your location, you may be subject to local, regional, and/or national laws that require you to either perform very specific actions in response to a security event or to engage the assistance of someone (or a company) that is specifically licensed as a forensic information security specialist.

In addition, the fine print of the credit card processing agreements signed with the store's Credit Card Merchant Gateway, Financial Institution, Issuing Bank, and the Credit Companies themselves may require other specific actions be performed and that law enforcement be engaged or the store may be held responsible for any charges incurred by the attacker(s).

Finally, again, depending on your location, your store may be required by law to notify the customers of the data breach in very specific ways and the Nation / States in which your customers reside may impose additional requirements on notifying affected customers. Failure to comply with these requirements might make the store liable for fines and penalties outside of any costs imposed by your processing company or gateway provider.

These laws & contractual requirements vary greatly across different geographical regions and also across different financial institutions and businesses that offer clearing and gateway services to merchants, so it is important to engage the services of someone who is both a Magento Security Expert and also familiar with the laws specific to your geographic location and who can assist you with both the technical effort in remediating your hacked site as well as the business activities required by any contracts that have been entered into by the Merchant.

Once you have identified a suitably experienced partner to assist you in your remediation effort, ask them to confirm the next technical steps to take, including actions such as imaging the compromised system, contacting law enforcement, disconnecting the system from the network and investigating the affected systems.

REMEMBER: You are no longer in possession of JUST a hacked system! Your compromised Magento installation is now also an ACTIVE crime scene, and in many jurisdictions, the crime is a severe one. In the US, it's almost universally a felony (severe crime) with specific prohibitions against tampering with evidence left behind by the perpetrators of the criminal act without proper supervision of licensed personnel and/or law enforcement professionals.

It would be unwise to bring the system back to a working state only to find out that you YOURSELF had just committed a crime punishable by fine and/or jail time. Standard Disclaimer: I am not a lawyer and this does not constitute legal advice.

 

See Also:

 

 

Note: Most of the links above point to resources specifically written for US Merchants, but they all also contain links for merchants in other regions as well as contact information to engage the specific security support teams to assist you in your own location.

------------------------
Bryan "BJ" Hoffpauir - Contact me on my Blog!

Contact me at work via AOE - the open web company online!




12 REPLIES 12

Re: Site Hacked

Hello @gmanbelfast 

 

Did you download the Magento from here?

https://www.magentocommerce.com/products/downloads/magento/

 

 

Was my answer helpful? You can accept it as a solution.
175+ Professional Extensions for M1 & M2
Need a developer? Just visit Contact Us Now

Re: Site Hacked

Yes, ver 1.9.1.0 - Added Nov 24, 2014, the .zip version. I haven't tried the other 2 yet, but with the .zip version I get the Hacked message.

 

I'm baffled as to what is happening.

 

Maybe someone can download the zip version and upload/extract it on their server and go to the installation to see what they see?

Re: Site Hacked

You must be getting a different HTML or PHP page.

You are not landing on the installation page. The URL of the installation page should be something like this:

http://domain.com/index.php/install/

So if you are not getting this URL in the browser, there must be another HTML page being called from the root. Please check all the files in the root.

You can do one more thing: create a folder in the root with any name and extract the Magento files there, then try to access the site with www.domain.com/foldername/

It should take you to the installation page.

 

Let me know how it is going.


Re: Site Hacked

Is it a new, clean hosting space that you installed it on? Or was there something on the web space beforehand that had been hacked before (or maybe a failed hack attempt)? I have seen hack attempts which are not found until months or years after the attack, where they changed the HTTP error docs or uploaded an index.html file, but they are not used by the current CMS so didn't affect the live website.

 

Hope that makes sense....

 

 

Re: Site Hacked

I will check this tonight.

 

I completely cleared my public_html directory and uploaded; this is my usual practice when installing Moodle and Joomla etc.

 

I will post the results tonight of my attempt.

 

Thanks,

G

Re: Site Hacked

@PaddyDisplays yes, this is a freshly set up account; I double checked that with the hosting provider. What I will do tonight is make a screen recording of my process and post a link to it to show you what is happening.

 

I am usually pretty good with things like this. I have installed hundreds of CMS systems before, mainly Joomla, WordPress and Moodle, but this is the first time I have come across this issue. It really has me baffled.

Re: Site Hacked

I remember (a long time ago) there was an HTTP error folder (or something) outside the public_html folder, and hacks had changed all the error pages (e.g. 404) to "this site has been hacked" etc. Could be something like that.
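
The two checks suggested in the replies above (a stray page in the web root that is served instead of Magento's index.php, and altered error documents outside public_html) can be scripted. This is an added example, not code from any poster in this thread; the `error_docs` directory name, the list of index file names and the marker string are assumptions, and the sample files are constructed.

```python
import os
import tempfile

# Assumed names a web server may serve ahead of Magento's index.php.
INDEX_NAMES = {"index.html", "index.htm", "default.html", "default.htm"}
PAGE_EXT = (".html", ".htm", ".shtml", ".php")
MARKER = b"hacked by"  # lower-cased fragment of the message quoted in the thread


def scan(tops, marker=MARKER, max_bytes=65536):
    """Return sorted (reason, path) findings for the given directories."""
    findings = []
    for top in tops:
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                full = os.path.join(dirpath, name)
                lower = name.lower()
                # A static index file at the top level can shadow the installer.
                if dirpath == top and lower in INDEX_NAMES:
                    findings.append(("shadow-index", full))
                if not lower.endswith(PAGE_EXT):
                    continue
                try:
                    with open(full, "rb") as fh:
                        head = fh.read(max_bytes)
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if marker in head.lower():
                    findings.append(("marker", full))
    return sorted(findings)


def demo():
    """Scan a constructed hosting-account layout; paths are relative to its home."""
    samples = {
        ("public_html", "index.php"): b"<?php /* constructed stand-in */ ?>",
        ("public_html", "index.html"): b"<h1>Site hacked by EXAMPLE</h1>",
        ("public_html", "js", "readme.html"): b"<p>clean file</p>",
        ("error_docs", "404.html"): b"<h1>This site was HACKED BY example</h1>",
    }
    with tempfile.TemporaryDirectory() as home:
        for parts, body in samples.items():
            path = os.path.join(home, *parts)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        tops = [os.path.join(home, "public_html"), os.path.join(home, "error_docs")]
        return [(why, os.path.relpath(p, home)) for why, p in scan(tops)]


if __name__ == "__main__":
    for why, path in demo():
        print(why, path)
```

On a real account, pass `scan()` the actual web root and whatever error-document directory the host uses, and do this on a copy or image if the installation is being preserved as evidence.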

Re: Site Hacked

@PaddyDisplays I will certainly look into that, I will also install WAMP on my local machine to see if the same issue appears.

Re: Site Hacked

ok @gmanbelfast 

 

Do let us know the result
