cancel
Showing results for 
Search instead for 
Did you mean: 

Security / Technical Issue with Magento 1.9.1.0 - Random Install Screen

Security / Technical Issue with Magento 1.9.1.0 - Random Install Screen

Hi fellow Magento users,

 

My team and I recently experienced a huge list of issues with our eCommerce store. Our eCommerce site, which sits on a Managed Dedicated Server, randomly displays the Magento Installation Screen upon accessing certain areas of the website or backend, or just hanging for several minutes. At first, we assumed that this would be a case of damaged core files, but after careful inspection, we identified a small list of files that were present in our FTP directories which we were not aware of, namely:

 

public_html/dont-touch-me.php

public_html/downloader/dotcom/cilik.php

public_html/downloader/dotcom/jih.php

 

These three files somehow cause the Magento system to bomb out, and cause the site to either end up in an install state, or theme-less, or in worse cases, 503 errors.

 

We opened up the dont-touch-me.php file that appeared on our host, and this is what it was made up of:

 

<?php
/**
 * Magento
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is bundled with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://opensource.org/licenses/osl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to license@magentocommerce.com so we can send you a copy immediately.
 *
 * DISCLAIMER
 *
 * Do not edit or add to this file if you wish to upgrade Magento to newer
 * versions in the future. If you wish to customize Magento for your
 * needs please refer to http://www.magentocommerce.com for more information.
 *
 * @category   Mage
 * @package    Mage
 * @copyright  Copyright (c) 2008 Irubin Consulting Inc. DBA Varien (http://www.varien.com)
 * @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
 */


/**
 * There are two modes to run this script:
 *
 * 1. Dump available locale options (currencies, locales, timezones) and exit
 * php -f install.php -- --get_options
 *
 * The output can be eval'd in a regular PHP array of the following format:
 * array (
 *   'locale' =>
 *   array (
 *     0 =>
 *     array (
 *       'value' => 'zh_TW',
 *       'label' => 'Chinese (Taiwan)',
 *     ),
 *   ),
 *   'currency' =>
 *   array (
 *     0 =>
 *     array (
 *       'value' => 'zh_TW',
 *       'label' => 'Chinese (Taiwan)',
 *     ),
 *   ),
 *   'timezone' =>
 *   array (
 *     0 =>
 *     array (
 *       'value' => 'zh_TW',
 *       'label' => 'Chinese (Taiwan)',
 *     ),
 *   ),
 * );
 *
 * or parsed in any other way.
 *
 * 2. Perform the installation
 *
 *  php -f install.php -- --license_agreement_accepted yes \
 *  --locale en_US --timezone "America/Los_Angeles" --default_currency USD \
 *  --db_host localhost --db_name magento_database --db_user magento_user --db_pass 123123 \
 *  --db_prefix magento_ \
 *  --url "http://magento.example.com/" --use_rewrites yes \
 *  --use_secure yes --secure_base_url "https://magento.example.com/" --use_secure_admin yes \
 *  --admin_lastname Owner --admin_firstname Store --admin_email "admin@example.com" \
 *  --admin_username admin --admin_password 123123 \
 *  --encryption_key "Encryption Key"
 *
 * Possible options are:
 * --license_agreement_accepted // required, it will accept 'yes' value only
 * Locale settings:
 * --locale                     // required, Locale
 * --timezone                   // required, Time Zone
 * --default_currency           // required, Default Currency
 * Database connection options:
 * --db_host                    // required, You can specify server port, ex.: localhost:3307
 *                              // If you are not using default UNIX socket, you can specify it
 *                              // here instead of host, ex.: /var/run/mysqld/mysqld.sock
 * --db_model                   // Database type (mysql4 by default)
 * --db_name                    // required, Database Name
 * --db_user                    // required, Database User Name
 * --db_pass                    // required, Database User Password
 * --db_prefix                  // optional, Database Tables Prefix
 *                              // No table prefix will be used if not specified
 * Session options:
 * --session_save <files|db>    // optional, where to store session data - in db or files. files by default
 * Web access options:
 * --admin_frontname <path>     // optional, admin panel path, "admin" by default
 * --url                        // required, URL the store is supposed to be available at
 * --skip_url_validation        // optional, skip validating base url during installation or not. No by default
 * --use_rewrites               // optional, Use Web Server (Apache) Rewrites,
 *                              // You could enable this option to use web server rewrites functionality for improved SEO
 *                              // Please make sure that mod_rewrite is enabled in Apache configuration
 * --use_secure                 // optional, Use Secure URLs (SSL)
 *                              // Enable this option only if you have SSL available.
 * --secure_base_url            // optional, Secure Base URL
 *                              // Provide a complete base URL for SSL connection.
 *                              // For example: https://www.mydomain.com/magento/
 * --use_secure_admin           // optional, Run admin interface with SSL
 * Backend interface options:
 * --enable_charts              // optional, Enables Charts on the backend's dashboard
 * Admin user personal information:
 * --admin_lastname             // required, admin user last name
 * --admin_firstname            // required, admin user first name
 * --admin_email                // required, admin user email
 * Admin user login information:
 * --admin_username             // required, admin user login
 * --admin_password             // required, admin user password
 * Encryption key:
 * --encryption_key             // optional, will be automatically generated and displayed on success, if not specified
 *
 */

if (version_compare(phpversion(), '5.2.0', '<')===true) {
    die('ERROR: Whoops, it looks like you have an invalid PHP version. Magento supports PHP 5.2.0 or newer.');
}
set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path());
require 'app/Mage.php';

try {
    $app = Mage::app('default');

    $installer = Mage::getSingleton('install/installer_console');
    /* @var $installer Mage_Install_Model_Installer_Console */

    if ($installer->init($app)          // initialize installer
        && $installer->checkConsole()   // check if the script is run in shell, otherwise redirect to web-installer
        && $installer->setArgs()        // set and validate script arguments
        && $installer->install())       // do install
    {
        echo 'SUCCESS: ' . $installer->getEncryptionKey() . "\n";
        exit;
    }

} catch (Exception $e) {
    Mage::printException($e);
}

// print all errors if there were any
if ($installer instanceof Mage_Install_Model_Installer_Console) {
    if ($installer->getErrors()) {
        echo "\nFAILED\n";
        foreach ($installer->getErrors() as $error) {
            echo $error . "\n";
        }
    }
}
exit(1); // don't delete this as this should notify about failed installation

After removing the file from our public_html directory, the problem stopped occurring. But due to the low level security of our hosting provider, we expect to see this again in the near future.

 

I would advise all other Magento 1.9.1.0 community users to keep an eye out for these files, especially the script indicated above.

 

We've also moved another one of our Magento sites to a Cloud Server, where we run the following spec:

CentOS 7 x64

CPU 10 Sockets (1 Core Each)

50GB HDD Space (10GB for root, with 40GB partitioned and mounted for the /home drive)

16GB RAM

 

We make use of the Vesta Control Panel (http://vestacp.com/) as well as Maldetect and RKHunter for CentOS to ensure that we identify issues before they occur.

 

We also set up cron jobs within Vesta to backup our site to a remote FTP folder on a bi-daily basis so in the event that core files are damaged, we can use rsync and replace the old error files on the fly.

 

If other members of the community have any advice on improving or hardening the security or improving the speed of our platform, it would be greatly appreciated.

 

Thanks all and I hope that the above helps out those experiencing similar issues.

1 REPLY 1

Re: Security / Technical Issue with Magento 1.9.1.0 - Random Install Screen

Hi @sudeav

 

Have you applied all the security patches on your site?

 

Please visit following for the best security practices,SECURITY BEST PRACTICES , Protecting your site from malware  and Magento security center

 

 

Also visit following posts on the community which may help you 

 

https://community.magento.com/t5/Technical-Issues/HELP-site-hacked/m-p/19304#M1501

 

https://community.magento.com/t5/Technical-Issues/Shop-got-Hacked/m-p/26057#M2378

 

 

---
Problem Solved Click Accept as Solution!:Magento Community India Forum