Showing results for 
Search instead for 
Did you mean: 

Patched site hacked.

Patched site hacked.

I have found code base64 encoded before the closing body tag. I cannot find where its coming from. This looks real bad...


"<a style="height: 20px; width: 40px; position: absolute; opacity: 0.85; z-index: 8675309; display: none; cursor: pointer; border: none; background-color: transparent; background-image: url(data&colon;image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAAUCAYAAAD/Rn+7AAADU0lEQVR42s2WXUhTYRjHz0VEVPRFUGmtVEaFUZFhHxBhsotCU5JwBWEf1EWEEVHQx4UfFWYkFa2biPJiXbUta33OXFtuUXMzJ4bK3Nqay7m5NeZq6h/tPQ+xU20zugjOxR/+7/O8539+5znnwMtNTExwJtMb3L/fiLv3botCSmUjeCaejTOb39AiFothfHxcFIrHY8RksZjBsckJcOIRMfFsHD/SsbExUYpnI8DR0dGUGjSb0byhEJp5Uqg5CTSzc2CQleJbMEj9/ywBcGRkJEk9DQqouEVQT1sK444yWI9UonmTjGqauVLEIlHa9x8lAMbj8SSpp0rwKGMVvg8P46vbg0C7na8z8JsMcgHe7jlEa+edRhiLy8n/TUMfu6EvLElk+U0WtGwrTrdfAGQf5J8iiK4LVzDU28t8JtMSocf8E+l68myaNFXm/6rXslLK7ay5TOunuRvZWpJuvwAYjUaTpOIWoquuAZ219RTaxKYp9BbjycoN5FvL9qH9TBX5rvoGdJythvXYSTxdtRnWylO/ZdqrLsGwszzhWQ593z2KlAwCYCQSSZJ6ehZ0W7bD9VBLgN0NCqr3qR7R2rBrL3pu3Sb/7nDlz2uy6cG0OXk0GTbZXzNp8trsPAQdTj6frlWzN2DcXZGKQQAMh8NJ6rpyHe+PnkCr/CAFdZyvpfpjuvkifLF9wIt1Wwlo0OHie1RvWrKa93RjzfzliTzPKz3ltB0/Tevmwp14wGUgHAzSOoUEwFAolFaaBSuhnslPRkJexUJtZ6v5HtUeLswl33n1BgEY5fvhs9sJ3FAiT+QYyyvoAQJuD0KBAFRTJNAuz5/s3gJgMBhMJwrVFRThM5tY5zUF/A4X1f2fvQTRLCuBreoim0YmAbqNJryvPEXeeq46kaNdkQ/1HCncbJKPs9ZSv2VHGfWsZ2hfkhKAfr8/pdxWKx4wwD69PmVfNSOL+lr2w+gYqHpWDtXt1xQ8AMlWU0e1lqLd/APRHoP8AJqWrQG9gYxcPMsvSJUvAA4MDKTUJ7MZLaVy8v+qT21tcDx/OemePr0RTkNrur4A6PP5xCgBsL+/X4wiQDpuuVxOeL1eMYmYeDY6sOp0z+B0OuHxeEQhxkJMFosJiSO/UinOI/8Pc+l7KKArAT8AAAAASUVORK5CYII=);"></a>"


Re: Patched site hacked.

Hi @tblueweb


Can you share your site url? 


Are you using Magento version? or just patched an older version of Magento?


If you patched an older version of Magento do not forget to apply all the security patches released by Magento. Just applying the latest patch will not help you.


Go through the following step to fix your site.

1) New JavaScript Malware Issue check this url and follow the suggested steps.


2) Compare all your Magento core files with the default files of that version and check for  any suspicious code. Do same for your theme files and custom modules. Restore the files if found affected from previous backups.


3) Remove all unnecessary files from the Magento root folder.


4) Disable the downloader access from the production site.


5) Make the admin url IP restricted.


6) Always use custom admin path do not use default admin.


7) Go to System > Configuration > General > Design  HTML Head and check for suspicious code under miscellaneous scripts.


8) Change all the admin passwords with strong passwords. Also deactivate all the admin account which are not in use or were used by third parties in the past.


9) Change all FTP, cPanel passwords. Start using SFTP instead of FTP for future uses.


10) Keep your system password protected and keep antivirus updated.Your infected system may also help intruders to steal your information.


Finally follow Magento Security Best Practices

Problem Solved Click Accept as Solution!:Magento Community India Forum

Re: Patched site hacked.

The url is currently in maint mode. 


I checked the new JS malware and its not it. That appears clean. 

This site was a 1.7 site upgraded to 1.9 thence patched with all patches.


Finally forum allowed me back in. Password reset wont work with safari. Go figger.

Thanks very much for the list and prompt response. 

Re: Patched site hacked.

I might be chasing a red herring. The offending code only shows up in web inspector in safari dev tool and not firebug or chrome tools and not in source view of all 3!.


Its been a good exercise cleansing the root folder of junk anyway. And Il lock down the other recommendations. 

Re: Patched site hacked.

dont you see it's just an image? Robot Very Happy

MagenX - Magento and Server optimization