Hi Guys
I hope someone can help.
Running Magento 1.9.0.2, all of a sudden there is a strange customer account popping up. The details are mostly in Chinese. The email address ends in qq.com. All the contact details are gibberish. If I delete the account a new one opens up. The var/session folder contains a session for this account with an IP address.
Any ideas what this might be and how I can fix it?
Thank you in advance to anyone who can help.
Coogan
Solved! Go to Solution.
This sounds more like a bot creating accounts than being hacked.
There are a few approaches to blocking them, one possible method is to add the a RewriteCond to your .htaccess file to block known bots and/or the IP address you found.
There's also an extension from Fishpig, if you prefer: http://fishpig.co.uk/magento/extensions/block-robots-stop-spam/
If you use the .htaccess file method, be sure to back it up first (make a copy) and be very careful editing it. Make the changes in your staging site first, if you have one.
Hi Sherrie
Thank you very much for your help. By using RewriteRules I have managed to stop the bot.
I didn't download the Fishpig extension because I hate installing new extensions but thank you for that suggestion. I have bookmarked it in case things get out of hand with this problem in future.
Instead I found this list of known bots: http://www.javascriptkit.com/howto/htaccess13.shtml and have implemented all these into my .htaccess file. I know it won't exclude new/unknown ones but I figured it was better than nothing.
Thanks again for helping me solve my problem.
Kind regards,
Coogan
This sounds more like a bot creating accounts than being hacked.
There are a few approaches to blocking them, one possible method is to add the a RewriteCond to your .htaccess file to block known bots and/or the IP address you found.
There's also an extension from Fishpig, if you prefer: http://fishpig.co.uk/magento/extensions/block-robots-stop-spam/
If you use the .htaccess file method, be sure to back it up first (make a copy) and be very careful editing it. Make the changes in your staging site first, if you have one.
I am currently having this same issue, but can't seem to pinpoint which session is theirs, so right now seemingly have my hands tied to stopping them from creating more each time one is deleted
Hi WinteRx182
I pinpointed their session by running a search within the contents of all session files under www/var/session where www is your Magento home folder.
If you're on Unix you can do this by going to that directory and running:
grep -l 'text_string' *
Replace text_string with a piece of text from the spam contact being created. For example I did grep -l 'qq.com' *
This will give you a list of the session files created by the bot. Open the file in a text editor and located the IP address contained within it.
Hope this helps.
Coogan
Hi Sherrie
Thank you very much for your help. By using RewriteRules I have managed to stop the bot.
I didn't download the Fishpig extension because I hate installing new extensions but thank you for that suggestion. I have bookmarked it in case things get out of hand with this problem in future.
Instead I found this list of known bots: http://www.javascriptkit.com/howto/htaccess13.shtml and have implemented all these into my .htaccess file. I know it won't exclude new/unknown ones but I figured it was better than nothing.
Thanks again for helping me solve my problem.
Kind regards,
Coogan
Perfect, glad to hear you found a good solution.
I agree with the technical recommendations offered by @sherrie's accepted answer, but I recently answered a couple of similar or at least related questions on the Magento Stack Exchange and thought I would follow up with some of the additional insights from a few more recent remediation efforts.
A security incident like this one is a challenge that must be addressed with responses from both the technical and business perspectives and given that the business implications include potential regulatory and contractual requirements that specifically impact the technical actions you may be required to perform, I thought I would outline them together in this answer.
Before performing any of the earlier recommended technical activities, review the following and determine which, if any, are allowed given the regulations you are subject to in your location and the contracts you have entered into with your issuing banks, gateway providers and processing service partners.
Depending on your location, you may be subject to local, regional, and / or national laws that require you to either perform very specific actions in response to a security event or to engage the assistance of someone (or a company) that is specifically licensed as a forensic information security specialist.
In addition, the fine print of the credit card processing agreements signed with the store's Credit Card Merchant Gateway, Financial Institution, Issuing Bank, and the Credit Companies themselves may require other specific actions be performed and that law enforcement be engaged or the store may be held responsible for any charges incurred by the attacker(s).
Finally, again, depending on your location, your store may be required by law to notify the customers of the data breach in very specific ways and the Nation / States in which your customers reside may impose additional requirements on notifying affected customers. Failure to comply with these requirements might make the store subject liable for fines and penalties outside of any costs imposed by your processing company or gateway provider.
These laws & contractual requirements vary greatly across different geographical regions and also across different financial institution and businesses that offer clearing and gateway services to merchants so it is important to engage the services of someone who is both a Magento Security Expert and also familiar with the laws specific to your geographic location and who can assist you with both the technical effort in remediating your hacked site as well as the business activities required by any contracts that have been entered into by the Merchant.
Once you have identified a suitably experienced partner to assist you in your remediation effort, ask them to confirm the next technical steps to take, including actions such as imaging the compromised system, contacting law enforcement, disconnecting the system from the network and investigating the affected systems.
REMEMBER: You are no longer in possession of JUST a hacked system! Your compromised Magento installation is now also an ACTIVE crime scene, and in many jurisdictions, the crime is a severe one. In the US, it's almost universally a felony (severe crime) with specific prohibitions against tampering with evidence left behind by the perpetuators of the criminal act without proper supervision of licensed personnel and/or law enforcement professionals.
It would be unwise to bring the system back to a working state only to find out that you YOURSELF had just committed a crime punishable by fine and/or jail time. Standard Disclaimer: I am not a lawyer and this does not constitute legal advice.
See Also:
Note: Most of the links above point to resources specifically written for US Merchants, but they all also contain links for merchants in other regions as well as contact information to engage the specific security support teams to assist you in your own location.
Contact me at work via AOE - the open web company online!
Just to help if anyone has the same issue...
We had the same problem - overloaded with new users with @qq.com email addresses on our magento website.
We found out the ip address using the magento addon ONLINE CUSTOMER PRO, once the hacker was online on our registration page.
Hacker was from Cambodia.
Block the whole country or the ip address in htacess = solved!
"Solved" may be a bit of a stretch here...
Blocking the IP or country will most certainly address a "symptom" of being hacked - namely allowing unrestricted user creation and traffic from an originating source.
It will most certainly not remove any backdoors or compromised administrator accounts or prevent an attacker who has already gained access from spoofing the IP address source and pretending to use another IP address nor prevent them from using a free VPN or another compromised computer to route their traffic through so that it appears to come from a country that you can not afford to block access to or an IP address used by an ISP that you can't afford to block access from.
Important to note the difference between addressing the SYMPTOM of being hacked / compromised and the ORIGIN of the hack / compromise - one looks good ONLY on the surface and leaves you completely vulnerable to additional compromised activities at a later date and one actually solves the root cause of the problem.
NOTE: In my experience, once any attacker of sufficient skill has compromised one of your systems, the only way to be CERTAIN you have eliminated all ability for them to re-enter your environment is to nuke the system completely and rebuild from scratch as well as reset any and all credentials for firewalls / VPN's networking devices in between you and the system that has been compromised. This isn't always necessary, but it's the only way to be certain that you've removed any potential backdoors or alternate means of accessing your environment and the #1 reason I prefer virtualized environments to physical systems for hosting...
Contact me at work via AOE - the open web company online!
Yep, that's solved... Until they vpn tunnel through another allowed country or other such hacker caching scheme that allows them to hide the traffic origin. You might want to go get a little further education on properly patching a website and protecting it from maleficent activities.