cancel
Showing results for 
Search instead for 
Did you mean: 

Site keeps getting hacked

SOLVED

Site keeps getting hacked

My site keeps getting hacked and they are modifying these files

app/code/core/Mage/Admin/Model/Session.php
app/code/core/Mage/Payment/Model/Method/Cc.php

 

I have the hacked version of the files if anyone would like to see them.  The problem is I am not sure how they are getting in.  here is what I have done to protect.

1. updated all versions of my third party modules, which are only from trusted providers - Amasty and IWD

2, I have changed all passwords and eliminated all ftp accounts and all user accounts in magento and recreated them with secure passwords.

3. I have a secure copy of the magento install in different location and I run a diff on all the files to see if any of the core files are changed

 

I found some files that looked suspect like adm.php and I found a bunch of symbolic links.   I have removed them all

 

magento is supposed to be rock solid and secure so how is this happening?  Any help is appreciated.

6 REPLIES

Re: Site keeps getting hacked

Hi @tagteamc

 

Which version of Magento are you using? Is it fully patched?

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

Re: Site keeps getting hacked

i am using the latest version fully patched at 1.9.2.4.

 

I actually overwrote all the core files and ran a diff on them so all the core files are the same as magento core files

Re: Site keeps getting hacked

Hi @tagteamc

 

Even if you are on latest version of Magento there are other factors which may compromise the security like insecure hosting environment., extensions with security loopholes etc.  

 

Please read following https://community.magento.com/t5/Technical-Issues/Security-Technical-Issue-with-Magento-1-9-1-0-Rand...  post for best practices and further actions.

 

Is your hosting provider  PCI compliant and have experience  in handling Magento site? 

You should inform your hosting provider also about the frequent hacks. Even after a fresh install there may be traces of the potential malware(or malicious code) on your server.

 

NOTE : I am not a security expert so you should seek help from some security expert to overcome the frequent attacks.

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

Re: Site keeps getting hacked

magento is just a php script installed on your server,

there are lots of programs and settings installed/configured too in the system.

 

------------
MagenX - Magento and Server optimization

Re: Site keeps getting hacked

I have a script that runs every hour to compare the core magento files in a secure location with the files in my web dir.   I also found a file called adm.php that was clearly not a magento file and removed it.

 

So far everything seems good.  I have also updated a few security settings based on comments in the thread.   I still dont know how they got in for sure but it seems to be based on that adm.php file that they dropped in my web dir.

Re: Site keeps getting hacked

  1. Try grepping your access logs for any direct interaction with the files that are modified this should give you some idea of what they are trying to do. (trying to chase or block the IPs will just end in frustration as most attacks are via proxies or other infected devices)
  2. grep your site for ev​al(base​64_de​code( as that is a general way of hiding things
  3. Look at getting a decent AV as most now look for c99 scripts and other versions of such shell style scripts
  4. check your permissions
  5. Get a decent FIM (file integrity monitor) or write your own.

Just my advice from what I have had to deal with in the last 10 years of developing for several companies.  

Regards
Sven