Our site ap-tuning.be has been attacked by kriptc00yn Ransomware,
which forced me to put back a backup from 24 hours ago.
The site had been fully patched 2 months ago.
All files were overwritten by this hack, it was very bad. On the front page the hacker was asking for 200 dollars, paid in bitcoins.
All I could find on Google about this hacker was a Twitter page linking to a Facebook page that was removed.
Encryption algorithm BlowFish 448 bit (stronger then AES). - 448 bit key is generated on...fb.me/5My226yIw
Could you guys help me with how these hackers got in, so I can take the proper security measures?
Thanks
Hi @kaisers0ze,
So sorry to hear that. Without access logs to your server before the encryption, there's no real way of knowing how they got into a fully patched site.
If you haven't already, I highly suggest you review all your code to make sure the ransomware code is not in the backup as well. You should also be sure to change all your passwords (FTP, ssh, admin), follow best practices https://magento.com/security/best-practices and https://magento.com/security/best-practices/protect-your-magento-installation-password-guessing and make sure all other software (if anything) is updated.
Thanks for the reply Sherrie! Appreciated!
I just recently changed all the FTP passwords to a quite hard to crack password.
SSH is IP based.
Changed the admin URL as well.
Installed a firewall that prevents password guessing; you can only input a wrong password 3 times.
I found the hack and removed it.
It was through an uploader from 'Lastc0de@outlook.com'.
There are at least a few ways to hack any Magento server/shop, and it happens automatically:
- outdated WordPress and plugins
- some PHP files in the root folder with obvious names like: zip.php, mysql.php, etc.
- you have a virus on your PC
- developers working on a pirated Windows PC, also without any antivirus
- your shop was silently hacked a few months ago
- uncontrolled access to your server's root account: you share the same logins with dozens of other services
- no IDPS or firewall
An IDPS is a very good solution to keep an eye on your system.
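The two checks that come up in this thread (Sherrie's advice to review the restored backup for leftover ransomware code, and the warning above about stray PHP files in the root folder with names like zip.php) can be scripted before a backup goes live. The following is an added example written for this thread, not code from Magento or from any poster. It assumes a stock Magento 1 layout: the root allowlist (index.php, cron.php, get.php, install.php, api.php) and the list of directories that should contain only images, CSS and uploads (media, skin) are assumptions to adjust for your own store, and the content patterns are common defender heuristics, not a complete signature set. The sample tree it builds is constructed for the demo.

```python
"""Scan a restored web-shop backup for web-shell indicators before putting it live.

Added example for this thread, not code from Magento or from any poster.
The root allowlist and the static-only directories are assumptions about a
stock Magento 1 layout; adjust them to your own install.
"""
import re
import sys
import tempfile
from pathlib import Path

# PHP entry points a Magento 1 web root is expected to contain (assumption).
ROOT_PHP_ALLOWLIST = {"index.php", "cron.php", "get.php", "install.php", "api.php"}

# Top-level directories that hold only images, CSS and uploads; executable PHP
# under them is a classic sign of a dropped uploader (assumption about layout).
STATIC_ONLY_DIRS = {"media", "skin"}

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

# Content heuristics a defender greps for: reason string -> regex.
SUSPICIOUS_PATTERNS = {
    "handles file uploads": re.compile(r"\bmove_uploaded_file\s*\("),
    "executes obfuscated code": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "calls a request parameter as a function": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),
}


def scan_backup(root, modified_after=None):
    """Return a sorted list of (relative_path, reason) findings for the tree at root.

    modified_after: optional POSIX timestamp (for example the date of the last
    patch). Files with a later mtime are reported; this only helps when the
    backup preserved modification times.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel_parts = path.relative_to(root).parts
        rel = "/".join(rel_parts)
        if modified_after is not None and path.stat().st_mtime > modified_after:
            findings.append((rel, "modified after the reference date"))
        if path.suffix.lower() not in PHP_SUFFIXES:
            continue
        # A PHP file directly in the web root that is not a known entry point.
        if len(rel_parts) == 1 and path.name not in ROOT_PHP_ALLOWLIST:
            findings.append((rel, "unexpected PHP file in web root"))
        # Any PHP file under a directory that should only hold static content.
        if rel_parts[0] in STATIC_ONLY_DIRS:
            findings.append((rel, "PHP file in a static-only directory"))
        text = path.read_text(encoding="utf-8", errors="ignore")
        for reason, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_backup(base):
    """Create a constructed mini backup tree for the demo (not real Magento files)."""
    base = Path(base)
    (base / "media" / "catalog").mkdir(parents=True)
    (base / "skin").mkdir()
    (base / "index.php").write_text("<?php require 'app/Mage.php'; Mage::run();\n")
    # Constructed indicators: an odd file in the root and an uploader under media/.
    (base / "zip.php").write_text("<?php eval(base64_decode('PLACEHOLDER'));\n")
    (base / "media" / "catalog" / "up.php").write_text(
        "<?php move_uploaded_file($_FILES['f']['tmp_name'], 'x');\n")
    (base / "media" / "catalog" / "logo.png").write_bytes(b"\x89PNG\r\n")
    return base


def demo_scan():
    """Build the constructed sample tree in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_backup(build_sample_backup(tmp))


if __name__ == "__main__":
    # Usage: python scan_backup.py /path/to/restored/webroot  (demo tree if omitted)
    results = scan_backup(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for rel, reason in results:
        print(f"{rel}: {reason}")
```

Run it against the extracted backup, not the live web root, and treat every finding as something to explain rather than proof of compromise: a legitimate extension may well ship an upload handler, but it should not live under media/, and nothing in the root should be there that you cannot account for.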
Glad to hear you were able to get the hack removed @kaisers0ze!
Yeah, the security was OK... the hack was already there and dormant.
"- your shop was silently hacked a few months ago"
Yes, correct... this is what I found out, thanks for your reply!
I have a similarly hacked store and I too went to a backup. I have one lingering problem... I cannot load pictures to my store from either of my PCs from any IP. Same IPs, and I can load from a borrowed laptop. I get "http upload error" after the picture uploads 100%... any ideas?
One of the more frustrating things about managing security on the Magento platform is that patches provided by Magento are a FANTASTIC way of ensuring that you won't get hacked AGAIN after installing the patch, but they can't retroactively clean up a system that may have already been compromised.
Glad to hear that you got a handle on the issue. If you haven't already done so, I'd recommend signing up for the security mailing list at https://magento.com/security; that way you'll at least be notified as soon as there is a new patch and you can be proactive about installing them. This won't 100% guarantee that you'll never be compromised, but applying patches within minutes or hours of them being released goes a long way to helping you sleep at night.
Contact me at work via AOE - the open web company online!