Kriptc00yn Ransomware hacked my fully patched store

SOLVED

Our site ap-tuning.be has been attacked by kriptc00yn Ransomware, which forced me to put back a backup from 24 hrs ago.

The site had been fully patched 2 months ago.

 

All files were overwritten by this hack; it was very bad. On the front page the hacker was asking for 200 dollars paid in bitcoins.

All I could find on Google about this hacker was a Twitter page linking to a Facebook page that had been removed.

Encryption algorithm BlowFish 448 bit (stronger then AES). - 448 bit key is generated on...fb.me/5My226yIw

Could you guys help me figure out how these hackers got in, so I can take the proper security measures?

 

Thanks

1 ACCEPTED SOLUTION

Re: Kriptc00yn Ransomware hacked my fully patched store

Hi @kaisers0ze,

 

So sorry to hear that. Without access logs to your server before the encryption, there's no real way of knowing how they got into a fully patched site. 

 

If you haven't already, I highly suggest you review all your code to make sure the ransomware code is not in the backup as well. You should also be sure to change all your passwords (FTP, ssh, admin), follow best practices https://magento.com/security/best-practices and https://magento.com/security/best-practices/protect-your-magento-installation-password-guessing and make sure all other software (if anything) is updated.

 

--

Developer Relations, Adobe Experience Cloud
Problem solved? Click Accept as Solution!
Still stuck? Check out our documentation: https://magento.com/resources/technical

Re: Kriptc00yn Ransomware hacked my fully patched store

Thanks for the reply sherrie! Appreciated!

 

I just recently changed all the FTP passwords to quite hard-to-crack passwords.

SSH is IP-based.

Changed the admin url as well.

Installed a firewall that prevents password guessing; you can only enter a wrong password 3 times.

 

I found the hack and removed it.

It was through an uploader from 'Lastc0de@outlook.com'.

 

Re: Kriptc00yn Ransomware hacked my fully patched store

There are at least a few ways to hack any Magento server/shop, and it happens automatically:

- outdated WordPress and plugins

- some PHP files in the root folder with obvious names like zip.php, mysql.php, etc.

- you have a virus on your PC

- developers working on pirated Windows PCs, also without any antivirus

- your shop was silently hacked a few months ago

- uncontrolled access to your server's root account; you share the same logins with dozens of other services

- no IDPS or firewall

 

An IDPS is a very good solution to keep an eye on your system:

http://wazuh.com/

------------
MagenX - Magento and Server optimization

Re: Kriptc00yn Ransomware hacked my fully patched store

Glad to hear you were able to get the hack removed @kaisers0ze

--

Developer Relations, Adobe Experience Cloud
Problem solved? Click Accept as Solution!
Still stuck? Check out our documentation: https://magento.com/resources/technical

Re: Kriptc00yn Ransomware hacked my fully patched store

Yeah, the security was OK; the hack was already there and dormant.

"- your shop was silently hacked few months ago"
Yes, correct... this is what I found out, thanks for your reply!

Re: Kriptc00yn Ransomware hacked my fully patched store

I have a similarly hacked store and I too went to a backup. I have one lingering problem: I cannot load pictures to my store from either of my PCs from any IP. Same IPs, and I can load from a borrowed laptop. I get "http upload error" after the picture uploads 100%... any ideas?

Re: Kriptc00yn Ransomware hacked my fully patched store

One of the more frustrating things about managing security on the Magento platform is that patches provided by Magento are a FANTASTIC way of ensuring that you won't get hacked AGAIN after installing the patch, but they can't retroactively clean up a system that may have already been compromised.

 

Glad to hear that you got a handle on the issue. If you haven't already done so, I'd recommend signing up for the security mailing list at https://magento.com/security; that way you'll at least be notified as soon as there is a new patch and you can be proactive about installing them. This won't 100% guarantee that you'll never be compromised, but applying patches within minutes or hours of them being released goes a long way to helping you sleep at night.

------------------------
Bryan "BJ" Hoffpauir - Contact me on my Blog!

Contact me at work via AOE - the open web company online!