I currently have a website which has been hacked, if you run an securi sitecheck it shows up with the malware MW:JS:GEN2?web.js.malware.magento_shoplift.005, this was found on the urls/folders below, any idea how I can clean the website to remove the virus?
Solved! Go to Solution.
The magento website uses a theme, I feel uneasy applying the patches in case this messes up the website, or will it not?
The patch is more on backend code, not theme code. There is no question that you should apply the patch. If the theme was well written, it shouldn't affect it at all.
Better to have a messed up website than messed up customers. It's not worth clearing out any of this infection as the vulnerability holes are so big you can float an oil tanker through them and the site will be reinfected within minutes if scripted attacks are actively being run against this website.
Get it patched, remove all injected admin users, unwanted module installs and backdoors. Only after you have secured the site, can you even begin to clean out the virus redirect infection code.
Most of these attacks are set up to infect all your website visitor's computers AND harvest all credit card information for immediate transmission to criminal third parties. Anyone who's placed an order on this website has been compromised.
I agree with the technical recommendations offered by @chiefair's accepted answer, but I recently answered a couple of similar or at least related questions on the Magento Stack Exchange and thought I would follow up with some of the additional insights from a few more recent remediation efforts.
A security incident like this one is a challenge that must be addressed with responses from both the technical and business perspectives and given that the business implications include potential regulatory and contractual requirements that specifically impact the technical actions you may be required to perform, I thought I would outline them together in this answer.
Before performing any of the earlier recommended technical activities, review the following and determine which, if any, are allowed given the regulations you are subject to in your location and the contracts you have entered into with your issuing banks, gateway providers and processing service partners.
Depending on your location, you may be subject to local, regional, and / or national laws that require you to either perform very specific actions in response to a security event or to engage the assistance of someone (or a company) that is specifically licensed as a forensic information security specialist.
In addition, the fine print of the credit card processing agreements signed with the store's Credit Card Merchant Gateway, Financial Institution, Issuing Bank, and the Credit Companies themselves may require other specific actions be performed and that law enforcement be engaged or the store may be held responsible for any charges incurred by the attacker(s).
Finally, again, depending on your location, your store may be required by law to notify the customers of the data breach in very specific ways and the Nation / States in which your customers reside may impose additional requirements on notifying affected customers. Failure to comply with these requirements might make the store subject liable for fines and penalties outside of any costs imposed by your processing company or gateway provider.
These laws & contractual requirements vary greatly across different geographical regions and also across different financial institution and businesses that offer clearing and gateway services to merchants so it is important to engage the services of someone who is both a Magento Security Expert and also familiar with the laws specific to your geographic location and who can assist you with both the technical effort in remediating your hacked site as well as the business activities required by any contracts that have been entered into by the Merchant.
Once you have identified a suitably experienced partner to assist you in your remediation effort, ask them to confirm the next technical steps to take, including actions such as imaging the compromised system, contacting law enforcement, disconnecting the system from the network and investigating the affected systems.
REMEMBER: You are no longer in possession of JUST a hacked system! Your compromised Magento installation is now also an ACTIVE crime scene, and in many jurisdictions, the crime is a severe one. In the US, it's almost universally a felony (severe crime) with specific prohibitions against tampering with evidence left behind by the perpetuators of the criminal act without proper supervision of licensed personnel and/or law enforcement professionals.
It would be unwise to bring the system back to a working state only to find out that you YOURSELF had just committed a crime punishable by fine and/or jail time. Standard Disclaimer: I am not a lawyer and this does not constitute legal advice.
Note: Most of the links above point to resources specifically written for US Merchants, but they all also contain links for merchants in other regions as well as contact information to engage the specific security support teams to assist you in your own location.
Contact me at work via AOE - the open web company online!