How To Fix a Hacked Magento Site & Remove Malware


Magento Hacked – Malware Removal

Due to the increasing popularity of Magento online stores, the platform is grabbing the attention of hackers. In the past, the platform has been the subject of widespread attacks on several occasions.

Is your Magento site hacked? In this post, you will learn how to identify and fix a hacked Magento site and remove malware from your Magento store. You will also find Magento hack examples, causes and prevention steps for a secure Magento site.

Overall, there is an increase in the number of attacks on online stores, with some hacker groups specializing in spamming or skimming websites. Skimming is a technique for injecting malicious scripts into store pages to capture customers' credit card details.

SQL injection vulnerabilities make it possible to inject data into, or read information from, databases. Even though this particular flaw cannot be used to infect a website directly, it can give attackers access to accounts on the site. That access can then be used to exploit one of the other privilege-escalation or remote-code-execution flaws fixed by the same update, which do require authentication.

“Unauthenticated attacks, like the one seen in this particular SQL injection vulnerability, are very serious because they can be automated, so hackers can easily conduct and succeed widespread attacks against vulnerable websites,” security researchers warn. “The number of active installations, the ease of operation, and the consequences of a successful attack make this vulnerability dangerous.”




The Scenario

Magento 2 stores were found to have fallen victim to a hacking campaign in which criminals exploited a tried-and-tested weakness in the Magento CMS: SQL injection.

The Magento team released a fix as soon as the news broke, but that does not mean your Magento 2 store is entirely safe from attackers.

The SQL injection used in this attack gave the attackers access to the Magento admin panel, which let them take over the store and all of its stored data. Information obtained this way is often used in later attacks or sold on the dark web.

Magento Hacked: Examples

Magento Exploit for $5000

Many of the affected online stores had no prior history of security incidents, which suggests that a new attack method was used to gain server access on all of them. While the investigation into the attack vector was still ongoing, a user named z3r0day advertised a "remote code execution" exploit for Magento 1 on a hacking forum, including a tutorial video, for $5000. Allegedly, no existing Magento admin account is required to use it.

The seller z3r0day stressed that because Magento 1 is End-Of-Life, Adobe will provide no official patch for this bug, so store owners still running the legacy platform are left exposed to the damage.

To make the deal more attractive, z3r0day promised that only 10 copies of the exploit would be sold.

Magento Site Hacked

Magento users are generally targeted en masse, and the site administrator is often not a security expert. Developers fixing a hacked Magento store can therefore get help from public forums.


Magento Hacked Store Outcomes

It is better to understand the potential impact of a weak security policy now than to be sorry later. What follows is a list of the attacks commonly launched against small business sites and online merchants, so that you can avoid further mishap.

How hackers approach Magento sites

Ransomware 

Ransomware is malicious software that infects your computer and displays messages asking you to pay a certain amount to get your system back to work. This category of malware is a lucrative and criminal scam that can be installed by clicking on deceptive links in an email, instant messaging, or a website.

Ransomware can lock a computer screen or encrypt important, predefined files with a password. Various kinds of ransomware are floating around the web, and WordPress sites are major targets of ransomware.

Phishing

Phishing is one of the oldest and most well-known scams on the internet. It can be defined as any type of telecommunications fraud that uses social engineering tricks to obtain confidential data from its victims.

Whether carried out via email, social media, SMS, or any other means, all phishing attacks follow the same basic principles. The attacker sends a targeted pitch aimed at persuading the victim to click on a link, download an attachment, send the required information or even make a payment.

DoS attacks

A DDoS attack (Distributed Denial of Service; in French, "attaque par déni de service") floods a computer system with incoming messages or connection requests so that it can no longer serve legitimate users.

It is the distributed form of a DoS (Denial of Service) attack: the flood comes from a large number of hijacked (or deliberately enlisted) computer systems at once.


Hack an eCommerce Admin Panel

If hackers manage to get into the admin panel, they gain direct access to the confidential information stored there, posing critical financial and identity theft risks for customers. Having assumed administrator privileges, they obtain illicit control over the operation of the store and can interfere with the management of the catalog, prices, promotions, customer communication, etc.

Malicious Redirects

By hacking into your site, attackers can insert malicious code that redirects visitors to phishing or malware sites. They can also lure visitors to malicious redirects through spam emails. Redirecting a user to a page whose content differs from what the search engine crawler sees is against Google's guidelines for webmasters.

For e-commerce businesses the consequences are dire: loss of SEO ranking, loss of customer trust and a damaged reputation.

Spamming

SPAM (Sending and Posting Advertisement in Mass) refers to electronic messages sent to a large number of people who never requested them; in other words, mass advertising.

In general, advertisements are the best-known form of spam, and email is the most common way to send them. But the practice is not limited to the business environment.

Chain messages, which urge the user to pass them on to a certain number of people, and messages that ask the recipient for personal or financial data are also considered spam.

Cybercriminals can also damage a company's reputation by injecting spam links into its website (known as SEO spam), or by hacking its mail server and sending spam emails on its behalf.

Hacked Magento – Symptoms & Consequence

  1. Lower user traffic and Magento store revenue.
  2. Negative effect on the SEO of the website.
  3. Users refrain from visiting your Magento store due to a lack of trust.
  4. Blacklist warnings by Google, Bing, McAfee, etc.
  5. Customer’s concerns about strange credit card activity.
  6. Loss of sales or abnormal behavior of the payment page.
  7. Spam keywords in product listings and SERPs.
  8. The host suspends your store for malicious activity.
  9. File modifications or Magento core integrity issues.
  10. New or unknown administrator users in the Magento backend.
  11. Site data can be sold on onion sites to competitors.
  12. Theft of sensitive data in the store via phishing or javascript pages.
  13. Damaged admin panel or blank screen after login.
  14. Magento store slows down and displays error messages.
  15. New unauthorized administrators appear in the login database.
  16. Google displaying spam or foreign-language keywords/pages in SERP listings (Read: Japanese keywords hack & pharma hack).
  17. Google ads disapproved due to malware on your hacked Magento site.

Magento Site Hacked: Causes

Here is one example that shows how a SQL injection attack takes place. It is an actual case: the Magento Shoplift attack of 2015.

In this attack, the target URL to which malicious requests were sent looked like this:

http://www.example.com/index.php/admin/Cms_Wysiwyg/directive/index/

This happened because of a parsing error: every value supplied in the filter key (i.e. "filter": malicious_value) was parsed incorrectly. The attackers base64-encoded the value to evade detection and placed SQL statements in it, which the application then parsed.


Final Encoded Payload in Magento SQLi Attack

On decoding the above request, the outcome looked something like this:

  • popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);
  • SET @SALT = 'rp';
  • SET @PASS = CONCAT(MD5(CONCAT( @SALT , 'asdf') ), CONCAT(':', @SALT ));
  • SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
  • INSERT INTO `admin_user` (`firstname`,`lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','sadmin',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
  • INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = 'sadmin'),'Firstname');

Here, the first few SQL statements set a new password using an attacker-chosen salt. The next group of statements inserts a new admin_user row into the database, and the final statements assign the new user an admin role. In this way the attackers created a new admin user with username "ypwq" and password "123". The full exploit is publicly available on GitHub.
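As an added example (not from the original post), the following Python detector shows how a defender would spot requests of this kind: it looks for the Cms_Wysiwyg directive route, base64-decodes the filter parameter as Magento does, and reports the SQL fragments quoted above. It assumes request bodies are available, for instance from a WAF or audit log, since plain access logs do not record POST bodies, and it runs over constructed sample requests.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Admin route the 2015 Shoplift requests hit (the URL quoted above).
SHOPLIFT_ROUTE = "/admin/cms_wysiwyg/directive/index"

# Fragments of the decoded payload shown above that a legitimate grid filter
# (a serialized set of from/to ranges) never contains.
SQL_MARKERS = re.compile(
    r"field_expr\]=\S*?\)\s*;"
    r"|\bSET\s+@\w+"
    r"|\bINSERT\s+INTO\s+`?admin_(?:user|role)`?"
    r"|\bSELECT\s+@\w+",
    re.IGNORECASE,
)


def decode_filter(value: str) -> str:
    """Base64-decode a grid 'filter' value the way Magento does; '' if not base64."""
    value = value.replace(" ", "+")  # a '+' that was not URL-encoded arrives as a space
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""


def inspect_request(method: str, target: str, body: str = "") -> list:
    """Return the SQL fragments hidden in a request's 'filter' parameter.

    target is the request path plus query string; body is the URL-encoded POST
    body, assumed to come from a WAF or audit log (plain access logs omit it).
    Any method is inspected: the route and the payload are the tell, not the verb.
    An empty list means no Shoplift-style injection was found.
    """
    url = urlsplit(target)
    if SHOPLIFT_ROUTE not in url.path.lower():
        return []
    params = parse_qs(url.query)
    params.update(parse_qs(body))
    findings = []
    for value in params.get("filter", []):
        findings.extend(m.group(0) for m in SQL_MARKERS.finditer(decode_filter(value)))
    return findings


def scan_requests(requests) -> dict:
    """Map the index of every flagged (method, target, body) tuple to its findings."""
    report = {}
    for index, (method, target, body) in enumerate(requests):
        findings = inspect_request(method, target, body)
        if findings:
            report[index] = findings
    return report


def encode_filter(plain: str) -> str:
    """URL-encode a base64 filter value the way a browser form submission sends it."""
    return quote(base64.b64encode(plain.encode()).decode())


# Constructed sample requests: a benign grid filter, a request carrying a
# shortened form of the SQL quoted above, and an unrelated storefront request.
SAMPLE_REQUESTS = [
    ("POST", "/index.php/admin/Cms_Wysiwyg/directive/index/",
     "filter=" + encode_filter("popularity[from]=0&popularity[to]=3")),
    ("POST", "/index.php/admin/Cms_Wysiwyg/directive/index/",
     "filter=" + encode_filter(
         "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);"
         "SET @SALT = 'rp';"
         "INSERT INTO `admin_user` (`username`) VALUES ('sadmin');")),
    ("GET", "/index.php/catalog/product/view/id/42?filter=abc", ""),
]

if __name__ == "__main__":
    for index, findings in scan_requests(SAMPLE_REQUESTS).items():
        print(f"request {index}: {findings}")
```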

Magento Hacked: Magento XSS

In a Magento XSS attack, attackers inject malicious JavaScript codes into various web pages for the Magento store. It arises from weak or non-existent Sanitization & Validation rules. This attack mainly targets the stored cookies and session details of users.

Usually, the motive behind this attack is to steal the session details of either users or the admin. Since the session details also contain the login credentials for that user, they can be used to log into your store without authorization.

Effects

  • Theft of cookie/session details
  • Unauthorized access for the attacker
  • Attackers can read important data such as CSRF tokens
  • Requests made while impersonating the user

Example

An XSS vulnerability was discovered in Magento version 1.9.0.1. The files containing the vulnerable element were:

The cause of the XSS was that the FlashVar parameter "bridgeName" was passed to the ExternalInterface.call method without proper sanitization. As a result, malicious JavaScript could be passed through the bridgeName parameter, and that code ran whenever the page loaded. The complete payload looked like:

http://example.com/skin/adminhtml/default/default/media/editor.swf?bridgeName=1%22]%29%29;alert

Magento Hacked: Magento Cross-site Request Forgery

A Magento CSRF attack is basically executing forged requests on behalf of an end-user, without the knowledge of the user. Generally, a CSRF attack is accompanied by social engineering. So, a hacker might send malicious links to the targeted user (usually admin) via mail. The motive behind these links is to execute functions on behalf of the user.

Effects

  • The attacker may delete your account.
  • The attacker may use your credit card.
  • Using the bank account details, an attacker may transfer funds from the victim's bank account to their own.
  • The attacker may order from your Magento store illegally, without paying or by manipulating prices.

Examples

A severe CSRF bug was found in Magento 1 which allowed remote attackers to inject script code into the application side of the affected service module for execution. The vulnerable component was the 'filename' parameter of the image upload module.

The attackers used POST requests on the application side to carry out this attack. However, to exploit it, the attacker needed a low-privileged web-application user account and low or medium user interaction. The code snippet of the vulnerable script is given below.


Vulnerable Script

Here, attackers manipulated the 'to' and parent_message_id parameters, which lacked proper checks. Using these, an attacker could send a message to any other user without his or her consent, and could also manipulate other content on the hacked Magento store.

Magento Community and Enterprise editions before 2.0.10/2.1.2 also suffered from two CSRF bugs.

  • APPSEC-1212: Magento failed to validate the anti-CSRF token when removing items from the mini cart through a GET request. An attacker could therefore use this vulnerability to remove items from a shopping cart through phishing and similar tricks.
  • APPSEC-1433: This was a more severe CSRF vulnerability. Exploiting it, the attacker could delete any address on the store, because neither an anti-CSRF token nor the Referer header was validated.

Magento Hacked: Magento Remote Code Execution

A Magento code execution attack allows an attacker to run malicious code of their choosing on your website.

Effect

  • Attackers can compromise your website and the web server.
  • They can view, change and delete files and databases.

Examples

Magento CE and EE before 2.0.10/2.1.2 were vulnerable to remote code execution. Tracked as APPSEC-1484, it had a severity rating of 9.8 (critical). The cause was that some payment methods allowed users to execute malicious PHP code during verification. An exploit, along with a Metasploit module for this vulnerability, has already been released.

Magento Hacked: Other Causes

  • Weak or hard-coded credentials.
  • LFI, RFI, OWASP top 10, etc.
  • Outdated versions.
  • Server misconfigurations like open ports etc.
  • Poor hosting without subnets.

How to Clean & Secure Hacked Magento Site

Magento security scan

There are free online tools you can use to scan your Magento installation remotely. These can help you identify credit card swipers, malicious payloads, intermediary domains, and other security issues.

To scan Magento for malware and security issues:

  • Visit the SiteCheck website.
  • Enter your Magento website URL.
  • Click Scan Website.
  • If the site is infected, a warning message will display.
  • Note any payloads and locations (if available).
  • Note any blacklist warnings.
  • Scan all other websites being hosted on the same server.

Cross-site contamination is one of the leading causes of reinfection, so we advocate scanning all the websites on the server. We also encourage every website owner to isolate their hosting platform, SFTP/FTP accounts and SSH account to be on the safe side.

Scan Core Files

Hackers who get into your Magento website can inject code into its database and core files. It is therefore essential to look for unusual recent changes in these files to safeguard your store. You can do this either with a command or with a separate test tool; both methods are listed below.

Using the SSH command line:

For the command-line method you first need a clean, authentic copy of your Magento version, which you can download from the official Magento website or from GitHub. Follow the instructions below to see any differences between the two copies.

Note: here Magento 2.2.5 is used as the clean copy, and your current installation is represented by the public_html folder.

Hunt for Malware

In the case of SQL injections, attackers often enter code in a format that is not readable by humans, and base64 is the encoding most readily available to them. To find base64 code in your files, run:

find . -name "*.php" -exec grep "base64" '{}' \; -print &> hiddencode.txt

This command scans your PHP files for lines containing base64-encoded code and saves them to hiddencode.txt. You can then decode the findings with online tools for further analysis.

For spam attacks, tools like phpMyAdmin can help. A Magento spam attack injects gibberish into every hacked Magento page, which is very difficult to detect and eliminate by hand. We therefore recommend using phpMyAdmin to search for the malicious code across many pages at once.


Search malicious code from phpMyAdmin inner pages.

Check Core File Integrity

The hack can also involve new or recently modified files on your server. Your Magento file system should be fully secured and thoroughly checked for malware injections for advanced protection.

Clean copies of Magento 1.x and Magento 2.x are available on GitHub, and you can download one to your server through the SSH terminal. In the instructions that follow, the clean files are from Magento 2.1.3, and public_html is where your Magento installation lives on the server.

To check the integrity of a basic file with SSH commands:

The final diff command compares the clean Magento files with your installation. Its output will also list any additional modules you have added; these can be compared against known-good copies in the same way. Afterwards, be sure to delete the known-good reference files from your server.

To check the integrity of the Magento core files you can also use the free tool developed by Amasty. While doing so, be careful not to remove files or modules that have been flagged as false positives. The tool only checks the most important folders, so it is still necessary to work through the other steps in this guide systematically.

To Manually check recently modified files:

  • Log in to your Magento web server.
  • If you are using SSH, you can list all files modified in the last 15 days with this command:
  • $ find ./ -type f -mtime -15
  • If using SFTP, review the "recently modified" column of all files on the server.
  • Unusual changes in the last 7-30 days may be suspicious and require further investigation.
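The diff and find -mtime steps above, carried out in Python as an added example that is not part of the original guide: it hashes a clean copy against the installation (skipping runtime paths such as var/ and media/, an assumed ignore list), reports modified, added and missing files, and lists recently modified files. The sample trees it builds are constructed for the demo.

```python
import hashlib
import os
import tempfile
import time

# Paths Magento writes to at runtime or that hold site-specific configuration;
# differences there are expected, so the comparison skips them (assumed list).
IGNORED_PREFIXES = ("var/", "media/", "pub/media/", "generated/", "app/etc/")


def _walk(root: str):
    """Yield (relative POSIX path, absolute path) for files outside the ignored prefixes."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if not rel.startswith(IGNORED_PREFIXES):
                yield rel, path


def file_hashes(root: str) -> dict:
    """Map each relative path under root to the SHA-256 of its contents."""
    hashes = {}
    for rel, path in _walk(root):
        with open(path, "rb") as fh:
            hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(clean_root: str, install_root: str) -> dict:
    """The diff step: files modified in, added to, or missing from the installation."""
    clean, install = file_hashes(clean_root), file_hashes(install_root)
    return {
        "modified": sorted(p for p in clean.keys() & install.keys() if clean[p] != install[p]),
        "added": sorted(install.keys() - clean.keys()),
        "missing": sorted(clean.keys() - install.keys()),
    }


def recently_modified(root: str, days: int = 15) -> list:
    """The find -mtime step: files whose modification time falls within the last N days."""
    cutoff = time.time() - days * 86400
    return sorted(rel for rel, path in _walk(root) if os.path.getmtime(path) >= cutoff)


def _write(path: str, content: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def build_demo_trees() -> tuple:
    """Constructed sample: a clean copy beside an installation with one edited core
    file, one planted file, and one untouched file dated two months back."""
    base = tempfile.mkdtemp(prefix="magento-integrity-")
    clean, install = os.path.join(base, "clean"), os.path.join(base, "public_html")
    files = {
        "index.php": "<?php require 'app/bootstrap.php';\n",
        "app/Mage.php": "<?php final class Mage {}\n",
        "var/cache/entry": "runtime cache, ignored\n",
    }
    for root in (clean, install):
        for rel, content in files.items():
            _write(os.path.join(root, *rel.split("/")), content)
    # The kinds of change the guide says to look for: a line appended to a core
    # file and an unknown file planted in the tree.
    _write(os.path.join(install, "index.php"), files["index.php"] + "include 'js/lib/planted.php';\n")
    _write(os.path.join(install, "js", "lib", "planted.php"), "<?php /* unknown file */\n")
    old = time.time() - 60 * 86400
    os.utime(os.path.join(install, "app", "Mage.php"), (old, old))
    return clean, install


if __name__ == "__main__":
    clean_root, install_root = build_demo_trees()
    print(compare_trees(clean_root, install_root))
    print(recently_modified(install_root))
```

On a real server, point compare_trees at the downloaded clean copy and public_html instead of the demo trees.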

Audit User Logs

Hackers often create malicious user accounts on Magento sites that have been compromised. Check all your user accounts, especially Magento administrators.

To find malicious users in Magento:

  • Log in to the Magento admin panel.
  • Click on System in the menu item and under Permissions select Users or All Users.
  • Check listings, especially those with an unusual or recent ID number.
  • Delete all unusual users who are completely unknown to you and which may have been created by hackers.


Hacked Admin


If you are comfortable analyzing your server logs, look for requests to the administrator area. User accounts that log in from suspicious time zones or geographic areas may be compromised. You can also use the Amasty Admin Actions Log plugin (free trial), which records all admin actions throughout your Magento installation (especially useful in stores with multiple admin users).

Check Reports

If your website is blocked by Google or other website security authorities, you can use their testing tools to check the security status of your Magento site.

To check your Google transparency report:

  • Visit the Safe Browsing Status website.
  • Enter your site URL and click the search icon.

On this page you can check:

  • Site Security Details: Details about malicious redirect, spam, and downloads.
  • Test Details: The latest Google scan with detected malware.


Sample Scan Results

You should also check to see if customers have reported fraudulent purchases right after ordering something from your site. This can tell you if your site is infected with a credit card swiper or not.

Clean Hacked Website Files

If any of the scanners or diagnostic pages above shows malicious domains or payloads, start by searching for those strings in the files on your Magento web server. Comparing infected files with known-good files (from official sources or from reliable clean backups) helps you identify and remove malicious changes.

When comparing your files with a good copy, make sure you are using the same version of your Magento core files and extensions, including any fixes applied.

To manually remove a malware infection from your Magento files:

  • Log into your server via SFTP or SSH.
  • Create a backup of the site files before making changes.
  • Search your files for reference to malicious domains or payloads noted.
  • Identify recently changed files and confirm whether they are legitimate.
  • Review files flagged by the diff command during the core file integrity check.
  • Restore or compare suspicious files with clean backups or official sources.
  • Remove any suspicious or unfamiliar code from your custom files.
  • Test to verify the site is still operational after changes.

If you can’t find the malicious content, try searching the web for any spam, payloads, or malicious domain names that you found in the first step. Chances are that another Magento user has already figured out how those pieces are involved in the hack you are attempting to clean.

It is advisable to reinstall all extensions after a hack to ensure they are functional and free of residual malware. If you have deactivated themes, components, modules, or plugins, we recommend you to remove them from the web server.

Functions and keywords commonly found in injected code, and worth searching your files for:

  • fwrite
  • file_put_contents
  • FILE_APPEND
  • mail(
  • file_get_contents
  • curl
  • script (including an external file)
  • http.open
  • http.send
  • this["eval"]
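Added example (not part of the original guide) covering both the base64 hunt above and this list of functions: a Python scanner that walks a Magento tree, flags lines containing these names, decodes long base64 runs and scans the decoded text too, since injected code usually wraps the real call in base64. The sample files it scans are constructed.

```python
import base64
import binascii
import os
import re
import tempfile

# The names listed above, plus the wrappers (eval, base64_decode) injected code
# usually hides them in. Plain substring matches ("curl" also hits "curly"),
# so treat each hit as a lead to review, not a verdict.
SUSPICIOUS_CALLS = (
    "fwrite(", "file_put_contents(", "FILE_APPEND", "mail(", "file_get_contents(",
    "curl", "http.open(", "http.send(", 'this["eval"]', "eval(", "base64_decode(",
)
SCAN_EXTENSIONS = (".php", ".phtml", ".js")
# A run of base64 alphabet long enough to hold a statement, not just an asset hash.
BASE64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}")


def decode_blob(blob: str) -> str:
    """Decode a base64 run; '' when it is not valid base64 or not readable text."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return ""
    # latin-1 never fails, and control bytes from binary data are not printable,
    # so random-looking blobs (image data, hashes, tokens) are filtered out here.
    text = raw.decode("latin-1")
    printable = sum(ch.isprintable() or ch in "\n\r\t" for ch in text)
    return text if printable >= 0.9 * len(text) else ""


def scan_text(text: str) -> list:
    """Return (line_number, kind, detail) findings for one file's contents."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for call in SUSPICIOUS_CALLS:
            if call in line:
                findings.append((number, "call", call))
        for blob in BASE64_RUN.findall(line):
            decoded = decode_blob(blob)
            if decoded:
                findings.append((number, "base64", decoded[:80]))
                # Look inside the decoded text too; that is where the real call sits.
                for _, kind, detail in scan_text(decoded):
                    findings.append((number, "decoded-" + kind, detail))
    return findings


def scan_tree(root: str) -> dict:
    """Walk root and return {relative path: findings} for files with findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Constructed sample: a clean footer template beside a planted file whose base64
# blob decodes to a mail() call (the spam scenario described earlier).
PLANTED_STATEMENT = "mail($_POST['to'], 'offer', $_POST['body']);"
SAMPLE_FILES = {
    "app/design/frontend/base/default/template/page/html/footer.phtml":
        '<div class="footer"><?php echo $this->getCopyright() ?></div>\n',
    "js/lib/planted.php":
        "<?php\n$k = '" + base64.b64encode(PLANTED_STATEMENT.encode()).decode()
        + "';\neval(base64_decode($k));\n",
}


def demo_scan() -> dict:
    """Write the sample files into a temporary tree and scan it."""
    root = tempfile.mkdtemp(prefix="magento-scan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return scan_tree(root)
```

Call demo_scan() to see the report for the constructed sample, or scan_tree("/path/to/public_html") against a real installation.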

Update Magento Without Delay

Magento eCommerce and Magento Open Source users are encouraged to update to newer versions 2.3.1, 2.2.8 and 2.1.17, depending on the edition used. To quickly protect their sites without deploying the full update, users also have the option of manually applying the fix for the SQL injection fault (PRODSECBUG-2198).

However, the prompt application of the full update is highly recommended. According to experts, site administrators should also monitor their access logs for occurrences in ention

As Magento experts, we receive many requests from Magento eCommerce owners who want to prevent their stores from being hacked and their users' data from being put at risk.

The situation is this: security concerns will always be present, so we want to share a set of audits and the most important steps you must take to protect your online store from attacks.

Here we list the ways online store owners, marketing managers, e-commerce managers and others can implement essential security measures in Magento.

SAFE ENVIRONMENT

Keep the software fully up to date and apply ALL recommended security patches. Magento releases fixes in the form of patches regularly, so check that the latest patches are installed on your system.

Disable FTP 

Yes, disable FTP and use only secure channels (SSH / SFTP / HTTPS) to manage files. FTP transmits data in plain text, which means sensitive information such as usernames and passwords can easily be intercepted.

If you are using a server other than the Apache web server, make sure that all files and directories on the system are protected.

Add Two-factor authentication

Allow only whitelisted IP addresses to access the admin panel and implement two-factor authentication for administrator logins. This will provide additional security as it requires an additional access code that is generated on your phone.

Regularly update your antivirus software and use a malware scanner to secure the computer you use to access the Magento Admin Panel.

Also, to ensure a secure server operating system, make sure no unnecessary software is running on the server.

Use a unique admin URL

To reduce exposure to scripts that might try to enter through your admin URL, use a unique admin URL that cannot be easily guessed.

Use a strong password

Use a unique and strong password for the Magento administrator account. NEVER use simple passwords for the Magento administrator (dates of birth, first names, last names, etc.), and change your passwords about once a month. Lastly, do not share your password with third parties. If developers need access, create a separate user for them and remove it once the job is complete.

User permissions check

Check admin users regularly to make sure only the right people have access to the store admin panel. This may be a good time to remove/delete old users.

It is important that you verify the permissions properly to avoid any unsolicited access to your Magento e-commerce. This check ensures that all user groups only have the intended access rights.

We advise you to adhere to the Magento security-related configuration settings for Administrator Security, Password Options and CAPTCHA.

Fixes and patches installation

Update to the latest version of Magento to enjoy the latest security enhancements. If not, install all the security patches recommended by Magento.

Magento extensions

Finally, some Magento extensions are unnecessary, or their creators no longer maintain them and they have therefore accumulated vulnerabilities. Review your list of extensions, check that they are up to date, and identify and uninstall abandoned ones.

Ecommerce not available

If your online store is unavailable, is blocked by the hosting service, or shows an error message such as "This Account Has Been Suspended", you may have been the victim of a denial-of-service attack. This type of attack disrupts your online presence but does not threaten the security of your data.

Look out for Magento Admin panel problems

If you discover that there is a new user with administrator rights that you have not created, you notice some changes made to the content of your store, or you cannot log in, you could be suffering a critically dangerous attack in your online store (atta

The hacked redirect attack aims to capture your online store traffic and expose your customers to malware, phishing attacks, or ad spam. If you notice that your store does not appear in search engines or is redirected to unsolicited pages, take action, because it is possible that your eCommerce has been hacked.

Periodically review the server logs for any suspicious activity

Check whether unauthorized admin users have been created. You can monitor these actions in the administrative action log.

Verify the integrity of the files on the server to detect possible malware installation.

Monitor all system logins (FTP, SFTP, SSH) for unexpected activity, uploads or commands.

Magento malware scanning

Your Magento solution can be scanned for malware using custom and commercial tools. It is important to analyze not only the Magento store itself but also its integrations with other systems, as the attack could have affected them as well.

DEVELOP A RECOVERY PLAN

Even if you have strictly enforced all security measures, create a business continuity/recovery plan, just in case you have to deal with the worst-case scenario. It is essential to have a backup of all the information in your Magento online store. This will help you to restore your eCommerce in case of data loss.

Make sure there are existing backups of the database and server files in an external location. Make sure these backups are successful and can be restored.

In the event of an attack, no matter how small, reset all credentials, including those for the database, file access, payment gateway encryption keys, web services, and the administrator logins for Magento, FTP, SSH, etc.