Website has been attacked.
Hi all,
One of our websites has been attacked today. The hacker removed almost all files from public html, and emptied the database.
He left index.php with
Your database was stolen. To restore it you should to send 2 bitcoins to 1NviQCE3h58deH8GtRXkuvWhX5yrLKz2ty</br> After sending money send email to tanabet@usa.com and
i will reply to you download link.
Also, from our hosting we have got an email about a malicious attempt to access your account via http or ftp:
'ClamAV detected virus = [PHP.Shell-38]': /home/public_html/js/wso.php
'ClamAV detected virus = [PHP.Shell-38]': /home/public_html/js/wso.php
Has anyone experienced this kind of attack before on Magento?
We recently updated Magento with all patches apart from the last one, SUPEE-6788.
What are the next steps we should take? Please advise. We do have a backup but we need to make sure this is not going to happen again.
Regards
Piotr
Re: Website has been attacked.
You got hit with a crypto extortion scheme. File encrypting ransomware hits Linux
We recently updated Magento with all patches apart from the last one, SUPEE-6788.
If that "recently" is in the last month or two, your website has been vulnerable to attack for quite some time now.
The initial attack on the "ShopLift" bug was a massive injection of an admin account with a predetermined password which allowed full access to Magento's backend, often with the installation of MagePleasure file management software being the first and only thing that was done. Other patched vulnerabilities included a CMS flaw that allowed for unrestricted file creation on the server.
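Because the original poster has a backup and the host flagged a PHP file under `js/`, one way to see which server-executable files were added, changed, or deleted before restoring is to compare the live web root against the backup by hash. This is an added example, not part of the thread or of Magento; the two directory arguments and the extension list are assumptions.

```python
import hashlib
import os

# Assumption: extensions the web server is configured to execute as PHP.
PHP_EXTS = (".php", ".phtml")


def manifest(root):
    """Map relative path -> SHA-256 for every server-executable file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare(backup_root, live_root):
    """Return (added, modified, missing) relative paths, each list sorted."""
    good, live = manifest(backup_root), manifest(live_root)
    added = sorted(set(live) - set(good))        # e.g. a dropped web shell
    missing = sorted(set(good) - set(live))      # files the attacker deleted
    modified = sorted(p for p in set(good) & set(live) if good[p] != live[p])
    return added, modified, missing


if __name__ == "__main__":
    import sys

    # Usage: python compare_webroot.py <known-good backup dir> <live web root>
    added, modified, missing = compare(sys.argv[1], sys.argv[2])
    for label, paths in (("ADDED", added), ("MODIFIED", modified), ("MISSING", missing)):
        for p in paths:
            print(f"{label}\t{p}")
```

The comparison is only as trustworthy as the backup, so it should be run against a copy taken before the earliest plausible compromise date.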