My site keeps getting hacked and they are modifying these files:
app/code/core/Mage/Admin/Model/Session.php
app/code/core/Mage/Payment/Model/Method/Cc.php
I have the hacked version of the files if anyone would like to see them. The problem is I am not sure how they are getting in. Here is what I have done to protect it.
1. Updated all versions of my third-party modules, which are only from trusted providers - Amasty and IWD.
2. I have changed all passwords and eliminated all FTP accounts and all user accounts in Magento and recreated them with secure passwords.
3. I have a secure copy of the Magento install in a different location and I run a diff on all the files to see if any of the core files are changed.
I found some files that looked suspect, like adm.php, and I found a bunch of symbolic links. I have removed them all.
Magento is supposed to be rock solid and secure, so how is this happening? Any help is appreciated.
I have a script that runs every hour to compare the core Magento files in a secure location with the files in my web dir. I also found a file called adm.php that was clearly not a Magento file and removed it.
So far everything seems good. I have also updated a few security settings based on comments in the thread. I still don't know how they got in for sure, but it seems to be based on that adm.php file that they dropped in my web dir.
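An added example, not the poster's own script: one way to implement the hourly comparison described above, which also reports files that exist only in the web directory (such as the adm.php mentioned) and symbolic links. The function names and the command-line paths are assumptions.

```python
import hashlib
import os
import sys


def sha256_file(path):
    """Hash a file in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Return ({relative path: sha256}, [relative paths of symlinks]) for root."""
    hashes, links = {}, []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                links.append(rel)  # report the link; never follow or hash its target
            elif os.path.isfile(full):
                hashes[rel] = sha256_file(full)
    return hashes, sorted(links)


def compare_trees(baseline, webroot):
    """Compare the live web directory against the known-good copy."""
    good, _ = scan(baseline)
    live, links = scan(webroot)
    return {
        "modified": sorted(p for p in good if p in live and good[p] != live[p]),
        "missing": sorted(p for p in good if p not in live),
        "added": sorted(p for p in live if p not in good),
        "symlinks": links,
    }


if __name__ == "__main__":
    # Hypothetical usage: check.py <known-good copy> <web directory>
    report = compare_trees(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind.upper()}\t{p}")
    sys.exit(1 if any(report.values()) else 0)
```

A plain diff of core files does not list files that exist only in the web directory, which is why the "added" and "symlinks" lists are reported separately. Uploads and cache directories will show up under "added", so PHP files there are the entries to review first.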
Hi @tagteamc
Which version of Magento are you using? Is it fully patched?
I am using the latest version, fully patched, at 1.9.2.4.
I actually overwrote all the core files and ran a diff on them, so all the core files are the same as the Magento core files.
Hi @tagteamc
Even if you are on the latest version of Magento, there are other factors which may compromise security, like an insecure hosting environment, extensions with security loopholes, etc.
Please read the following post for best practices and further actions: https://community.magento.com/t5/Technical-Issues/Security-Technical-Issue-with-Magento-1-9-1-0-Rand...
Is your hosting provider PCI compliant, and does it have experience in handling Magento sites?
You should also inform your hosting provider about the frequent hacks. Even after a fresh install there may be traces of the potential malware (or malicious code) on your server.
NOTE: I am not a security expert, so you should seek help from a security expert to overcome the frequent attacks.
Magento is just a PHP script installed on your server;
there are lots of programs and settings installed/configured in the system too.
Just my advice from what I have had to deal with in the last 10 years of developing for several companies.