Rooting Out Hacks
A sad truth of today’s world is that hacks happen – even to well-managed Magento sites. The best thing you can do to prevent a Magento site hack is to be ready. For your customer’s security, and your reputation, be watchful, and be prepared to take action as quickly as possible.
When hackers gain access to your Magento site, their primary target is to collect credit card information from your customers. If you’re using some of the older payment methods, it is very easy for the intruder to add code that will collect and save the card information. Yikes. Your first concern needs to be finding this code and removing it.
Since this added code is not visible on the site, the first indication that your site has been broken into may be that a customer contacts to tell you that their credit card has been “stolen” after buying something on your site. If this happens, you need to take it seriously and take action immediately to determine if your site has been hacked.
Best Practices
Include these “best practice” processes in your regular development to avoid Magento site hacks all together. Because while we’re happy to help get rid of the problem, it will save you, and your client, a lot of frustration to keep the hacker out to begin with.
- Stay up to date on Magento’s security patches, and install them as soon as they become available. Hackers know them, too and will be looking for vulnerable sites once patches are released.
- Remove any unused Magento Admin accounts
- Remove any unused modules and themes
- Update passwords regularly
- Use “hosted” payment methods, where the payments are processed remotely rather than on your Magento site
- Store your site’s source code in a source code repository (such as Git)
- Discuss with your team how you will respond to a hack and what everyone’s responsibilities are.
Scanning and Testing
There are security testing modules for Magento and websites that can automatically review your site to see if any known Magento site hacks or malicious code are detected. Though these tools can detect code updates, they will not find backdoors or modifications that are not well known. If you are not a programmer, these are the best tools to detect if your site has been hacked. But keep in mind that in most cases, you will still need to get a Magento Developer involved to find and remove the hacked files.
Magento security testing websites:
To determine if your site has been modified, you will need direct access to the code. This is usually done by logging into to a server’s command line and reviewing the source code itself. Since Magento has tens of thousands of files, it is not practical to review all the code manually. However, using tools such as code repositories and the grep tool, you can quickly pinpoint if there are changed files and where they are located in the file system.
If you are using a code repository, you should be able to quickly use it to find files that have been added or modified since the last commit. If you do not have a repository, or it is out of date, you can also use the command line ‘find’ tool to look for modified files. However, hackers will often modify the file’s timestamp to make it look much older than it really is, so this method is usually not very useful.
If you are not using a code repository, another option would be to obtain a clean copy of the same version of Magento that’s running on your site or check with your hosting provider to see if there is a recent backup. Put this code into a new directory on your server and use the diff command to compare the restored files with your site. Review any modified or added files, but be aware that official Magento patches may have modified the core code on your site, so this can be a tedious session of reading code.
Another place to look for added files is in the media directory. Since this directory is usually not tracked in the source code repository, any code added here will not show up as added or modified when tested. This is the place to use the ‘find’ command. Scan the media directory tree and look for any php files that have been added and review them to determine if they are malicious.
Finding Backdoors
Once a hacker has gained access to your site, they will often leave a “Backdoor” into the site. A back door can either be a piece of code that gives them access or it can be a new Magento admin user. To see if an admin user has been added, login to Magento’s admin and use the System menu to navigate to Permissions > Users to see all the registered admin accounts.
If you click on the ID header on the table you can sort the records from newest to oldest to see the recently added accounts. Review the list of admin accounts to see if there are any that may have been added.
It’s also possible that a back door or database access tool was added to the file system. This would allow the hacker to connect directly with the server and access it without modifying any Magento code. These files should be detected if you are using a code repository to test for added files.
Hacked Content
Sometimes hackers will modify the site’s content by updating CMS pages, blocks or the site’s header or footer.
You can check the header or footer in Magento’s admin by using System > Configuration menu and opening the Design menu. Look at the code in the “Miscellaneous Scripts” section of the HTML Head and Footer sections for added malicious JavaScript or links.
To check for CMS changes, in Magento’s admin use the CMS menu to view the pages and blocks. Sort the content items by most recently updated by clicking on the Last Modified header. If any items were updated recently, review the content for malicious JavaScript or links.
If the hacker updated the content directly in the database, then the CMS timestamp may not be changed. In this case, if you have direct access to the database, you can use SQL queries to look for malicious additions to the CMS data. If you don’t have access to run queries, then you would have to either review all of the site’s content manually, or use a scanning tool to detect malicious code.
Malware and Malicious Site Scanners
Review Web Server Logs
Once you have detected that a hacker has modified your site, it is important to review the web server’s log files for all the activity surrounding the attack. If you found a backdoor script, then search the web server log for any access to that script.
If the back door was accessed, then note the IP address and the date and time. Search the logs again for this IP address to collect all the intruder’s activity. You may be able to determine when the intrusion first started and how the hacker was able to access the site. This scan will also start to reveal if other back doors are present, if there was more than one attacker, and if they have returned to the site after the initial attack.
Any additional information that you can collect on the hacker will help law enforcement if they begin an investigation.
*Important Note:
If you do find your site has been hacked, before you remove any files or change any data, you must immediately take a backup of the site including the web server log files, the site code, and the Magento database.
This backup is an important tool which can be used to investigate the incident further if legally required to so.
Clean Up
Once the backup is complete, you can begin to remove the modified or added files. It is helpful to create a quarantine directory outside of your website’s file system or on your local computer to save copies of any files you are removing.
First, copy the malicious code files to the quarantine directory. Then, either from your code repository, backup or a clean version of Magento, copy the original files back into the proper locations on your site. Be very careful with this step! If you copy the files to the wrong places, you can break your site.
Remember to clear the Magento caches so that any modified code is removed from the cache as well. Also, if you are using the Magento compiler, you will need to recompile the code. Finally, if you are using combined JavaScript files, you will need to clear that cache as well.
Internal Reporting
It’s advisable to create an Incident Report. This helps to organize your response to a hacked site and will create a paper trail of actions your organization has taken to remedy the situation.
A great example of an Incident Report is maintained by Talesh Seeparsan and is available via his GitHub repository – https://github.com/talesh/response
Resources
- Magento Security Center – https://magento.com/security
- The Magento Security Council – https://magesec.org
- Mage Report – https://www.magereport.com
- Sucuri Site Check – https://sitecheck.sucuri.net