Update: Cardbleed has infected more than 3000 Magento 1 stores so far in 2021 (more than 3% of the total install base).
Due to the increasing popularity of Magento online stores, the platform is grabbing attention from hackers. In the past, the platform has been the subject of widespread attacks on several occasions.
Is your Magento site hacked? In this post you will learn how to identify and fix a hacked Magento site and remove malware from a Magento store. You will also find Magento hack examples, their causes, and the prevention steps for a secure Magento site.
Overall, there is an increase in the number of attacks on online stores, with some hacker groups specializing in spamming or skimming websites. Skimming is a technique for injecting malicious scripts that capture customers' credit card data.
SQL injection vulnerabilities make it possible to inject data into, or read information from, databases. Even though this particular flaw cannot be used to directly infect a website, it can give attackers access to accounts on a site. That access can then be used to exploit one of the other privilege escalation or remote code execution flaws fixed by the same update, which require authentication.
“Unauthenticated attacks, like the one seen in this particular SQL injection vulnerability, are very serious because they can be automated, so hackers can easily conduct successful widespread attacks against vulnerable websites,” security researchers warn. “The number of active installations, the ease of operation, and the consequences of a successful attack make this vulnerability dangerous.”
Magento 2 stores were hit by a hacking campaign in which criminals exploited a tried-and-tested SQL injection flaw in the Magento CMS.
The Magento team released a fix as soon as the news broke, but that does not mean your Magento 2 store is fully safeguarded from hackers.
The SQL injection was used to gain access to the Magento admin panel, which let the attackers take over the store and all of its stored data. Such data is often used for future attacks or sold on the dark web.
Many of the affected stores had no prior history of security breaches, which suggests that a new attack method was used to gain server access. While the attack vector was still under investigation, a “remote code execution” exploit for Magento 1 was put up for sale on a hacking forum by a user named z3r0day, including a tutorial video, for $5000. Allegedly, no prior Magento admin account is required.
The seller, z3r0day, emphasized that because Magento 1 is end-of-life, Adobe will not provide official patches for this bug, so store owners still running the legacy platform are exposed to the damage.
z3r0day promised to sell only 10 copies of the exploit, to preserve the value of the deal.
Magento users are generally targeted en masse, and a site administrator is not necessarily a security expert. Developers fixing a hacked Magento store can therefore seek help on public forums.
It is important to understand the potential impact of a weak security policy now rather than be sorry later. We begin with a list of the cyber-attacks that small business sites and online merchants are most likely to face.
Ransomware is malicious software that infects your computer and displays messages asking you to pay a certain amount to get your system back to work. This category of malware is a lucrative and criminal scam that can be installed by clicking on deceptive links in an email, instant messaging, or a website.
Ransomware can lock a computer screen or encrypt important, predefined files with a password. Many kinds of ransomware are circulating on the web, and WordPress sites are major targets.
Phishing is one of the oldest and most well-known scams on the internet. It can be defined as any type of telecommunications fraud that uses social engineering tricks to obtain confidential data from its victims.
Whether carried out via email, social media, SMS, or any other means, all phishing attacks follow the same basic principles. The attacker sends a targeted pitch aimed at persuading the victim to click on a link, download an attachment, send the required information or even make a payment.
A DDoS attack (Distributed Denial of Service) is a computer attack that targets a system by flooding it with incoming messages or connection requests in order to cause a denial of service.
It is the distributed form of a DoS (Denial of Service) attack: the flood comes from a large number of hijacked (or deliberately enlisted) computer systems at once.
If hackers manage to get into the admin panel, they gain direct access to the confidential information stored there, posing critical financial and identity theft risks for customers. Having assumed administrator privileges, they obtain illicit control over the operation of the store and can interfere with the management of the catalog, prices, promotions, communication with customers, etc.
By hacking into your site, hackers can insert malicious code that redirects visitors to phishing or malware sites. They can also lure visitors into malicious redirects through spam emails. Redirecting a user to a page that shows content other than what the search engine crawler can access is against Google’s guidelines for webmasters.
It also has dire consequences for e-commerce businesses: loss of SEO ranking, loss of customer trust and a damaged reputation.
SPAM (Sending and Posting Advertisement in Mass) refers to electronic messages that the recipients did not request, sent to a large number of people: the sending of mass advertisements.
In general, advertisements are the most well-known SPAM and email is the most common way to send them. But this practice doesn’t just happen in the business environment.
Chain messages, which urge the user to forward them to a certain number of people, and messages that ask the recipient for personal or financial data are also considered SPAM.
Cybercriminals can also damage a company’s reputation by injecting spam links into its website (known as SEO spam), or by hacking its mail server and sending spam emails on its behalf.
We cite one example to show how a SQL injection attack takes place. This is an actual case from the Magento “Shoplift” attack of 2015.
In this attack, the target URL to which malicious requests were made was something like this:
http://www.example.com/index.php/admin/Cms_Wysiwyg/directive/index/
This happened because of a parsing error: every value supplied in the filter key (i.e. “filter”:malicious_value) was parsed incorrectly. The attackers inserted SQL statements as the value of the filter key, and the statements were parsed; they also base64-encoded the value to evade detection.
On decoding the above request, the outcome looked something like this:
Here, the first few SQL statements set a new password using an attacker-chosen salt. The next group of statements inserts a new admin_user row into the database, and the final statements elevate that user’s role to administrator. The attackers thus created a new admin user with username=”ypwq“ and password=”123“. The full exploit is publicly available on GitHub.
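As an added defensive example (not part of the original post and not the exploit itself), the following Python script scans a request log for the Shoplift pattern described above: requests to the Cms_Wysiwyg/directive endpoint whose base64-encoded filter parameter decodes to SQL. It assumes a constructed log format that records the POST body, as a WAF or audit log would; a plain web-server access log shows only the path, which is still worth matching.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote

# Endpoint abused in the 2015 Shoplift attack (path taken from the article), normalised.
SHOPLIFT_PATH = "/index.php/admin/cms_wysiwyg/directive/index"

# SQL fragments that never belong in a WYSIWYG directive filter value.
SQL_MARKERS = re.compile(
    r"\b(INSERT\s+INTO|UPDATE|DELETE\s+FROM|UNION\s+SELECT|admin_user|admin_role)\b",
    re.IGNORECASE,
)


def decode_base64_param(value):
    """Decode a base64 parameter value to text; return None if it is not valid base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def inspect_request(path, body):
    """Return findings for one request: the path hit plus any base64 parameter that decodes to SQL."""
    findings = []
    if path.rstrip("/").lower() != SHOPLIFT_PATH:
        return findings
    findings.append("request to Cms_Wysiwyg/directive endpoint")
    for name, values in parse_qs(body).items():
        for value in values:
            decoded = decode_base64_param(value)
            if decoded is None:
                continue
            hits = sorted({re.sub(r"\s+", " ", m.group(0)).upper() for m in SQL_MARKERS.finditer(decoded)})
            if hits:
                findings.append(f"parameter '{name}' decodes to SQL: {', '.join(hits)}")
    return findings


def scan_log(lines):
    """Parse constructed 'ip method path body' lines; map offending line numbers to their findings."""
    report = {}
    for lineno, line in enumerate(lines, start=1):
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue
        body = parts[3] if len(parts) == 4 else ""
        findings = inspect_request(parts[2], body)
        if findings:
            report[lineno] = findings
    return report


# Constructed sample log in the hypothetical format above (ip method path body).
MALICIOUS_SQL = "INSERT INTO admin_user (username, password) VALUES ('ypwq', 'x')"
SAMPLE_LOG = [
    "203.0.113.5 GET /index.php/catalog/product/view/id/42/",
    "203.0.113.7 POST /index.php/admin/Cms_Wysiwyg/directive/index/ filter="
    + quote(base64.b64encode(MALICIOUS_SQL.encode()).decode(), safe=""),
    "203.0.113.9 POST /index.php/admin/Cms_Wysiwyg/directive/index/ filter="
    + quote(base64.b64encode(b"popularity,desc").decode(), safe=""),
]

if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {'; '.join(findings)}")
```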
In a Magento XSS attack, attackers inject malicious JavaScript code into web pages of the Magento store. It arises from weak or non-existent sanitization and validation rules. This attack mainly targets users’ stored cookies and session details.
Usually, the motive behind this attack is to steal the session details of either users or the admin. As the session details also carry that user’s login state, they can be used to log into your store without authorization.
Effects
Example
An XSS vulnerability was discovered in Magento version 1.9.0.1. The files containing the vulnerable element were:
The cause of the XSS was that the FlashVar parameter “bridgeName” was passed to the ExternalInterface.call method without proper sanitization. As a result, malicious JavaScript could be passed through the bridgeName parameter, and it ran whenever the page loaded. The complete payload looked like:
http://example.com/skin/adminhtml/default/default/media/editor.swf?bridgeName=1%22]%29%29;alert
A Magento CSRF attack executes forged requests on behalf of an end user without the user’s knowledge. A CSRF attack is usually accompanied by social engineering: the hacker sends malicious links to the targeted user (usually an admin) by email, and the links execute functions on the user’s behalf.
Effects
Examples
A severe CSRF bug was found in Magento 1 which allowed remote attackers to inject script code into the application side of the affected service module for execution. The vulnerable component was the ‘filename’ parameter of the image upload module.
The attackers used POST requests from the application side to conduct this attack. To exploit it, however, the attacker needed a low-privileged web-application user account and low or medium user interaction. The code snippet of the vulnerable script is given below.
Here, attackers manipulated the ‘to’ and ‘parent_message_id’ parameters, which lacked proper checks. Using these, an attacker could send a message to any other user without their consent, and could also manipulate content on the hacked Magento store.
Magento Community and Enterprise editions before 2.0.10/2.1.2 also suffered from two CSRF bugs.
A Magento code execution attack allows an attacker to insert and run malicious code on your website. This attack can –
Effect
Examples
Magento CE and EE before 2.0.10/2.1.2 were vulnerable to remote code execution. The issue was tracked as APPSEC-1484 and had a severity rating of 9.8 (critical). The cause was that some payment methods allowed users to execute malicious PHP code during verification. An exploit, along with a Metasploit module for this vulnerability, has already been released.
There are free online tools you can use to scan your Magento installation remotely. These can help you identify credit card swipers, malicious payloads, intermediary domains, and other security issues.
To scan Magento for malware and security issues:
Cross-site contamination is one of the leading causes of reinfection, so we advocate scanning all the websites on the server. We also encourage every website owner to use separate hosting accounts, SFTP/FTP accounts and SSH accounts for each site, to be on the safe side.
Hackers can inject code into your Magento website’s database and core files. It is therefore essential to look for unusual recent changes in these files. You can do this either with a command or with a separate test tool; both methods are listed below.
For the command-line method, first download a clean, authentic copy of your Magento version from the official Magento website or GitHub. Then compare the two copies for anomalies using the following instructions.
Note: here Magento 2.2.5 is used as the clean copy and your current installation is in the public_html folder.
Injected code is often stored in a form that is not human-readable, and base64 is the encoding attackers most commonly use. To find base64-encoded code in your files, run:
find . -name "*.php" -exec grep -Hn "base64" '{}' \; > hiddencode.txt 2>&1
This command lists every line of PHP that mentions base64 (with file name and line number) and saves the list to hiddencode.txt. You can decode the findings with online tools for further analysis.
Tools like phpMyAdmin can help with a spam attack. A Magento spam attack injects gibberish into all of the hacked store’s pages, which is very difficult to detect and remove by hand. We therefore recommend using phpMyAdmin to search for malicious code across many pages at once.
Search malicious code from phpMyAdmin inner pages.
The hack can also involve new or recently modified files on your server. Your Magento file system should be fully secured and thoroughly checked for malware injections.
Clean copies of Magento 1.x and Magento 2.x are available on GitHub; from an SSH terminal you can also download a copy directly to the server. The instructions below use Magento version 2.1.3 as the clean copy and public_html as the directory where your Magento installation lives on the server.
To check the integrity of a basic file with SSH commands:
The final diff command compares the clean Magento files with your installation. The output will also list the additional modules you have added; these can be compared with their known-good files in the same way. Be sure to delete the known-good reference files from your server afterwards.
To check the integrity of the Magento core files you can use the free tool developed by Amasty. Be careful not to remove files or modules that were flagged as false positives. The tool only checks the most important folders, so you still need to work through the other steps in this guide systematically.
To Manually check recently modified files:
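As an added Python example (not the article’s own procedure), the following compares an installation against a clean copy the way the diff command does, reporting files that exist only in the installation and files whose contents differ from the clean copy, and also lists recently modified files. The two directory trees it builds are constructed stand-ins for a clean download and a tampered installation.

```python
import filecmp
import os
import tempfile
import time


def compare_trees(clean_root, install_root):
    """Return (added, modified): files only present in the installation, and files whose bytes
    differ from the clean copy. Paths are relative to the roots; files missing from the install
    are not reported."""
    added, modified = [], []
    for dirpath, _, files in os.walk(install_root):
        for name in files:
            install_path = os.path.join(dirpath, name)
            rel = os.path.relpath(install_path, install_root).replace(os.sep, "/")
            clean_path = os.path.join(clean_root, rel)
            if not os.path.isfile(clean_path):
                added.append(rel)
            elif not filecmp.cmp(clean_path, install_path, shallow=False):  # compare bytes, not size/mtime
                modified.append(rel)
    return sorted(added), sorted(modified)


def recently_modified(root, days, now=None):
    """Return relative paths of files whose modification time falls within the last `days` days."""
    cutoff = (time.time() if now is None else now) - days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) >= cutoff:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def _write(root, rel, text):
    """Write a text file under root at the given relative path, creating directories as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    return path


def build_sample_trees():
    """Constructed stand-in for a clean Magento download and a tampered installation (two temp dirs)."""
    clean = tempfile.mkdtemp(prefix="magento_clean_")
    install = tempfile.mkdtemp(prefix="magento_install_")
    core = "<?php\nfinal class Mage { const VERSION = 'x'; }\n"
    index = "<?php\nrequire 'app/Mage.php';\nMage::run();\n"
    _write(clean, "app/Mage.php", core)
    _write(clean, "index.php", index)
    untouched = _write(install, "app/Mage.php", core)                 # identical to the clean copy
    _write(install, "index.php", index + "echo 'tampered';\n")         # core file with an appended line
    _write(install, "app/code/local/Injected.php", "<?php\n// not present in the clean copy\n")
    long_ago = time.time() - 400 * 86400
    os.utime(untouched, (long_ago, long_ago))                          # make the untouched file look old
    return clean, install


if __name__ == "__main__":
    clean_dir, install_dir = build_sample_trees()
    added, modified = compare_trees(clean_dir, install_dir)
    print("added:", added, "modified:", modified)
    print("changed in the last 7 days:", recently_modified(install_dir, 7))
```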
Hackers often create malicious user accounts on Magento sites that have been compromised. Check all your user accounts, especially Magento administrators.
To find malicious users in Magento:
If you are comfortable analyzing your server logs, look for requests to the administrator area. User accounts that log in from unusual time zones or geographic areas may be compromised. You can also use the Amasty Admin Actions Log plugin (free trial), which records all admin actions across your Magento installation (especially useful in stores with multiple admin users).
If your website is blocked by Google or other website security authorities, you can use their testing tools to check the security status of your Magento site.
To check your Google transparency report:
On this page you can check:
You should also check to see if customers have reported fraudulent purchases right after ordering something from your site. This can tell you if your site is infected with a credit card swiper or not.
If any of the scanners or diagnostic pages above show malicious domains or payloads, first search for these in the files on your Magento web server. Comparing infected files with known-good files (from official sources or from reliable clean backups) can help you identify and remove malicious changes.
When comparing your files with a good copy, make sure you are using the same version of your Magento core files and extensions, including any fixes applied.
To manually remove a malware infection from your Magento files:
If you can’t find the malicious content, try searching the web for any spam, payloads, or malicious domain names that you found in the first step. Chances are that another Magento user has already figured out how those pieces are involved in the hack you are attempting to clean.
It is advisable to reinstall all extensions after a hack to ensure they are functional and free of residual malware. If you have deactivated themes, components, modules or plugins, remove them from the web server entirely.
Search the files for the functions that injected code typically relies on: fwrite, file_put_contents (with FILE_APPEND), mail(, file_get_contents, curl (scripts that include an external file), http.open, http.send and this[“eval”].
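An added example (not from the article) that performs the two manual checks described above offline in Python: it flags the functions listed above in .php files and decodes long base64 runs to see whether they hide code. The sample tree it builds is constructed, and base64_decode( is my addition to the article’s list.

```python
import base64
import binascii
import os
import re
import tempfile

# Calls from the article's list, plus base64_decode( (my addition), in the order they are reported.
SUSPICIOUS_CALLS = [
    "eval(", "base64_decode(", "fwrite(", "file_put_contents(", "FILE_APPEND", "mail(",
    "file_get_contents(", "curl_exec(", "http.open", "http.send", 'this["eval"]',
]
# Require a non-identifier character before the call so that sendEmail( does not trip mail(.
SUSPICIOUS_RES = [(c, re.compile(r"(?<![\w$])" + re.escape(c))) for c in SUSPICIOUS_CALLS]
# A long run of base64 alphabet characters is the usual shape of an encoded payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Hints that a decoded blob is code rather than, say, an inline image.
CODE_HINTS = re.compile(r"<\?php|eval\(|base64_decode\(|\$_(GET|POST|COOKIE|REQUEST)\b", re.IGNORECASE)


def decode_if_text(blob):
    """Decode base64 to text, or return None when it is not valid base64 text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def scan_source(text):
    """Return human-readable findings for one file's contents (empty list if nothing suspicious)."""
    findings = [f"suspicious call: {call}" for call, rx in SUSPICIOUS_RES if rx.search(text)]
    for match in B64_RUN.finditer(text):
        decoded = decode_if_text(match.group(0))
        if decoded and CODE_HINTS.search(decoded):
            findings.append(f"base64 blob decodes to code: {decoded[:40]!r}")
    return findings


def scan_tree(root):
    """Walk a Magento tree; map each .php file (relative path) that has findings to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings = scan_source(fh.read())
            if findings:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = findings
    return report


def build_sample_tree():
    """Create a constructed two-file tree: one clean module file and one file with injected code."""
    root = tempfile.mkdtemp(prefix="magento_scan_")
    os.makedirs(os.path.join(root, "app", "code"))
    with open(os.path.join(root, "app", "code", "Clean.php"), "w") as fh:
        fh.write("<?php\nclass Clean { public function sendEmail() { return $this->mail; } }\n")
    payload = base64.b64encode(b'<?php echo $_GET["q"]; echo $_COOKIE["s"];').decode()
    with open(os.path.join(root, "app", "code", "Injected.php"), "w") as fh:
        fh.write(f'<?php\n$p = base64_decode("{payload}");\neval($p);\n')
    return root


if __name__ == "__main__":
    for path, findings in scan_tree(build_sample_tree()).items():
        print(path, "->", "; ".join(findings))
```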
Magento eCommerce and Magento Open Source users are encouraged to update to newer versions 2.3.1, 2.2.8 and 2.1.17, depending on the edition used. To quickly protect their sites without deploying the full update, users also have the option of manually applying the fix for the SQL injection fault (PRODSECBUG-2198).
However, the prompt application of the full update is highly recommended. According to experts, site administrators should also monitor their access logs for occurrences in ention
As Magento experts, we receive many requests from Magento eCommerce owners who need to prevent their stores from being hacked and their users’ data from being put at risk.
The situation is this: security concerns will always be present, so we want to share a set of audits and the most important steps you must take to protect your online store from attacks.
Here we list the ways in which online store owners, marketing managers, e-commerce managers and others can implement essential security measures in Magento.
Keep the software fully up to date and apply ALL recommended security patches. Magento releases fixes in the form of patches regularly, so check that the latest patches are installed on your system.
Disable FTP and use only secure channels (SSH / SFTP / HTTPS) to manage files. FTP transmits data in plain text, so sensitive information such as usernames and passwords can easily be captured in transit.
If you are using a web server other than Apache, make sure that all files and directories on the system are protected by correct permissions, since Magento’s .htaccess rules only take effect on Apache.
Allow only whitelisted IP addresses to access the admin panel and implement two-factor authentication for administrator logins. This will provide additional security as it requires an additional access code that is generated on your phone.
Regularly update your antivirus software and use a malware scanner to secure the computer you use to access the Magento Admin Panel.
Also, to ensure a secure server operating system, make sure no unnecessary software is running on the server.
To reduce exposure to scripts that might try to enter through your admin URL, use a unique admin URL that cannot be easily guessed.
Use a unique and strong password for the Magento administrator account. NEVER use simple passwords for the Magento administrator (dates of birth, first names, last names, etc.), and change your passwords about once a month. Lastly, do not share your password with third parties. If developers need access, create a separate user for them and remove it after the job is complete.
Check admin users regularly to make sure only the right people have access to the store admin panel. This may be a good time to remove/delete old users.
It is important that you verify the permissions properly to avoid any unsolicited access to your Magento e-commerce. This check ensures that all user groups only have the intended access rights.
We advise you to adhere to the Magento security-related configuration settings for Administrator Security, Password Options and CAPTCHA.
Update to the latest version of Magento to enjoy the latest security enhancements. If not, install all the security patches recommended by Magento.
Finally, some Magento extensions are unnecessary or are no longer maintained by their creators and therefore carry vulnerabilities. Review your list of extensions, check that they are up to date, and uninstall any that are abandoned.
If your online store is unavailable, is blocked by the hosting service, or shows an error message such as “This Account Has Been Suspended”, you may have been the victim of a denial of service attack. This type of attack disrupts your online presence but does not threaten the security of your data.
If you discover that there is a new user with administrator rights that you have not created, you notice some changes made to the content of your store, or you cannot log in, you could be suffering a critically dangerous attack in your online store (atta
The hacked redirect attack aims to capture your online store traffic and expose your customers to malware, phishing attacks, or ad spam. If you notice that your store does not appear in search engines or is redirected to unsolicited pages, take action, because it is possible that your eCommerce has been hacked.
Check whether unauthorized admin users have been created. You can monitor these actions in the administrative action log.
Verify the integrity of the file data on the server to avoid possible malware installation.
Monitor all system logins (FTP, SFTP, SSH) for unexpected activity, uploads, or commands.
Using custom and commercial tools, your Magento solution can be scanned for malware. It is important to analyze not only the Magento store itself but also the cross-system integrations, as the attack could have affected them as well.
Even if you have strictly enforced all security measures, create a business continuity/recovery plan, just in case you have to deal with the worst-case scenario. It is essential to have a backup of all the information in your Magento online store. This will help you to restore your eCommerce in case of data loss.
Make sure there are existing backups of the database and server files in an external location. Make sure these backups are successful and can be restored.
In the event of an attack, no matter how small, reset all credentials, including those for the database, file access, payment gateway encryption keys, web services, and the Magento administrator, FTP and SSH logins.