How to recover hacked Magento site
Table of Contents
There are main 2 reason to hack magento website.
1. Outdated Magento version.
2. Magento security patches missing. A hacked website loss trust on customer they will never do interactions on any hacked website. Generally in hacked website credit/debit card data stolen and misused. Customer may file litigation suites and you will be have to face implications regarding compliance to the payment Card Industry Data Security Standard.
New vulnerabilites are constantly discovered by hackers and use that backdoor to hack website if your site in not up to date with security patches. Do not compromise with your store
upgradtion and security patches updation if you really wants to do business and win trust of customers.
Here are some of way that can help you to determine that you are Magento store hacked.
1. New or unknown admin users in Magento Admin panel (System > Permissions > Users)
2. Host suspend for unknown malicious activities.
3. Spam keywords on product listings and other pages.
4. Customer complaint about strange credit card activities.
5. Disturbance in orders and sales.
6. Your domain get blocklisting warnings.
7. Redirection on hacked page.
8. Redirection on nude adult site.
9. Changes in files and folder.
10. Magento core files modified.
11. Database hacking.
Solution to recover hacked Magento store
There are many free tools available to scan magento store/website remotly. You can use below site URLs to scan your website and identify payloads.
Check Core File Integratity
You can use command on ssh terminal to check recent modified files. You must have to login on ssh terminal in order to use this commands.
To check from SSH terminal
find /public_html -type f -mtime -10 (List last 10 days modified files)
grep -RE ‘preg_replace\(|eval\(|base64_decode\(‘ –include=’*.php’ . | cut -d: -f 1 | sort -u | while read line ; do echo $line | cat – $line | less ; done
You can compare source code of core files with same magento version. You can download same magento version on sub folder and upload their.
Using diff command you can check modified file list.
create magento1937 folder on public_html and upload source code for the magento latest version 184.108.40.206 on magento1937 folder and run below command
diff -r magento1937 ./public_html
diff command will compare the clean magento files with your installtion.
To check manually login to web server
1. login to web server
2. if using SFTP/FTP then review last modified date column for all files on the server
3. Note list of modified files that have been modified recently.
Unwanted changes on files on last week or month may be suspicious and require investigation.
Audit User Logs
If there are unwanted account created on admin user then that was done by hackers of course. Please identified real users and delete unwanted users from the admin panel.
1. Login to magento admin panel.
2. System > Permissions > Users
3. Delete recenlty unfamilier users.
Database table cleanup
To clean up database maleware you have to login to database phpmyadmin and search for a suspicious content like spam keyworkds, other redirection, malicious php based function such as preg_replace, str_replace, base64_decode, base64_encode, gzinflate, eval etc. Hackers are attacking on most common tables such as core_config_data to modify header and footer Miscellaneous Scripts area only.
Secure the Magento Admin Panel
Use custom admin panel path for admin panel login. Generally, magento admin panel path like http://www.example.com/admin. You can easily change this path on app/etc/local.xml file.
You can also restrict magento admin panel on single IP address by writing some rules in your .htaccess file. Make sure you have static IP address on dynamic IP address you can not restrict.
Upgrade Magento Version and Apply Security Patches
Outdated magento version is one of the biggest target for that attackers to hack your site. Same is you have to apply security patches as well.
Keep up magento and extension up to date. Set unique username and password with custom admin panel login path and SSL certificate etc.