Our site ap-tuning.be has been attacked by kriptc00yn Ransomware.
Which forced me to put back a backup from 24 hrs ago.
The site had been fully patched 2 months ago.
All files were overwritten by this hack, it was very bad.. on the frontpage the hacker was asking for 200 dollar paid in bitcoins.
All i could find on google about this hacker was a twitter page linking to a facebook page that was removed.
Encryption algorithm BlowFish 448 bit (stronger then AES). - 448 bit key is generated on...fb.me/5My226yIw
Could you guys help me on how these hackers got in? So i can take the proper security measures,
Solved! Go to Solution.
So sorry to hear that. Without access logs to your server before the encryption, there's no real way of knowing how they got into a fully patched site.
If you haven't already, I highly suggest you review all your code to make sure the ransomware code is not in the backup as well. You should also be sure to change all your passwords (FTP, ssh, admin), follow best practices https://magento.com/security/best-practices and https://magento.com/security/best-practices/protect-your-magento-installation-password-guessing and make sure all other software (if anything) is updated.
Thanks for the reply sherrie! Appreciated!
I just recently changed the ftp all passwords, in quite a hard to crack password.
Ssh is ip based.
Changed the admin url as well.
Installed a firewall that prevents password guessing, you can only input a wrong password 3 times.
I found the hack and removed it.
It was trough an uploader from 'Lastc0de@outlook.com'.
there are at least few ways to hack any magento server/shop and it happens automatically:
- outdated wordpress and plugins
- some php files in root folder with obvious names like: zip.php, mysql.php, etc
- you have virus on your pc
- developers working on pirated windows pc also without any antivirus
- your shop was silently hacked few months ago
- uncontrolled access to your servers root account - you share the same logins with dozens of other services
- no IDPS or Firewall
IDPS isa very good solution to keep an eye on your system
Yea, the security was ok.. the hack was already there and dormant.
"- your shop was silently hacked few months ago"
Yes correct... this is what i found out, thanks for your reply!
I have a similarly hacked store and I too went to a backup. I have one lingering problem...I cannot load pictures to my store from either of my PCs from any IP. Same IPs and I can load from a borrowed laptop. I get "http upload error" after the picture uploads 100%....any ideas?
One of the more frustrating things about managing security on the Magento platform is that patches provided by Magento are a FANTASTIC way of ensuring that you won't get hacked AGAIN after installing the patch, but they can't retroactively clean up a system that may have already been compromised.
Glad to hear that you got a handle on the issue. If you haven't already done so, I'd recommend signing up for the security mailing list at https://magento.com/security that way you'll at least be notified as soon as there is a new patch and you can be proactive about installing them. This won't 100% guarantee that you'll never be compromised but applying patches within minutes or hours of them being released goes a long way to helping you sleep at night
Contact me at work via AOE - the open web company online!