Magento server hacked or compromised


Please follow this step-by-step guide if your Magento server has been hacked or compromised.

Step 1 – Check for infected services or files on the server by installing a rootkit scanner such as chkrootkit

wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvfz chkrootkit.tar.gz
cd chkrootkit-*/
make sense

Once built, move the chkrootkit directory to /usr/local/chkrootkit and create a symlink so the binary is on your PATH

cd ..
mv chkrootkit-*/ /usr/local/chkrootkit
ln -s /usr/local/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

Once the above steps are done, you can run a chkrootkit scan with the following command

chkrootkit

or you can save the results to a file

chkrootkit > output.txt

You can also schedule this as a cron job that emails you the results every day (the path below matches the symlink created above)

0 3 * * * /usr/local/bin/chkrootkit 2>&1 | mail -s "chkrootkit output" myemail@mydomain.com

Step 2 – Change all your passwords (Magento Admin Panel, Control Panel, Server, FTP, SSH etc.). You should be changing them at least once every 3 months

Step 3 – Reset the permissions of all your Magento folders and files

Go to the root folder of your Magento site and run the following commands:

find . -type f -exec chmod 664 {} \;
find . -type d -exec chmod 755 {} \;
find media -type d -exec chmod 775 {} \;
find var -type d -exec chmod 755 {} \;

Step 4 – Check the recent files and folders being modified

Go to the root folder of your Magento site and run the following command:

find . -type f -name '*.php' -mtime -7

The above command lists all PHP files that have been added or modified in the last 7 days. Ask your developers to confirm whether each of those changes was made by your development team.

Step 5 – Search all PHP files for suspicious code

Obfuscated malware commonly hides behind base64_decode() and gzinflate(), so list every PHP file that calls them and review each hit (the -print0/-0 pair keeps file names with spaces intact):

find . -type f -name '*.php' -print0 | xargs -0 grep -l "base64_decode *("
find . -type f -name '*.php' -print0 | xargs -0 grep -l "gzinflate *("

Step 6 – Search your writable directories for executable code

The media and var directories should only contain uploads and cache files, so any PHP file found there needs explaining:

find media -type f -name '*.php'
find var -type f -name '*.php'
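To tie Steps 3 to 6 together, here is an added example (not part of the original guide) of a single POSIX shell triage script: it lists recently changed PHP files, greps for the obfuscation helpers named above plus eval() and str_rot13(), flags PHP files under media/ and var/, and audits for world-writable files the permission scheme in Step 3 should never leave behind. It assumes the Magento document root is passed as the first argument; the sample tree built by make_sample_docroot is constructed so the script can be exercised offline.

```shell
#!/bin/sh
# Added example triage script (not from the original guide).
# Assumption: the Magento document root is passed as $1. Without an argument
# the functions are only defined, so the file can be sourced or tested.
set -e

# Step 4: PHP files created or modified within the last N days (default 7).
scan_recent_php() {
  find "$1" -type f -name '*.php' -mtime -"${2:-7}"
}

# Step 5: PHP files calling the obfuscation helpers from the guide plus eval
# and str_rot13. grep exits 1 when nothing matches; that is a clean result,
# not an error, so it must not abort the script under set -e.
scan_suspicious_php() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'base64_decode *\(|gzinflate *\(|eval *\(|str_rot13 *\(' {} + || true
}

# Step 6: executable code in directories that must only hold uploads and cache.
scan_writable_php() {
  for d in media var; do
    if [ -d "$1/$d" ]; then
      find "$1/$d" -type f -name '*.php'
    fi
  done
}

# Step 3 (audit form): files writable by everyone, which the 664/755 scheme
# from the guide should never produce.
scan_world_writable() {
  find "$1" -type f -perm -o+w
}

# Constructed sample tree for offline use: one clean file, one file calling
# base64_decode, one PHP file dropped under media/, and one mode-666 file.
make_sample_docroot() {
  root=$(mktemp -d)
  mkdir -p "$root/app/code" "$root/media/catalog" "$root/var/cache"
  printf '<?php echo "clean";\n' > "$root/app/code/Clean.php"
  printf '<?php $p = base64_decode("Y29uc3RydWN0ZWQ=");\n' > "$root/app/code/Obfuscated.php"
  printf '<?php echo "should not be here";\n' > "$root/media/catalog/dropped.php"
  printf 'cache data\n' > "$root/var/cache/data.txt"
  chmod 644 "$root/app/code/Clean.php" "$root/app/code/Obfuscated.php" \
    "$root/media/catalog/dropped.php"
  chmod 666 "$root/var/cache/data.txt"
  printf '%s\n' "$root"
}

# Run every check against one document root and print labelled sections.
report() {
  for check in scan_recent_php scan_suspicious_php scan_writable_php scan_world_writable; do
    printf '== %s ==\n' "$check"
    "$check" "$1"
  done
}

if [ $# -gt 0 ]; then
  report "$1"
fi
```

Run it as `sh triage.sh /path/to/magento` from a cron job or by hand after an incident; an empty section means that check found nothing. The functions only list candidates, so every hit still needs a developer to confirm whether the change was legitimate, exactly as Step 4 says.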

Step 7 – Restrict your admin access to specific IP addresses

Add the following mod_rewrite rules to the .htaccess file in your Magento root, replacing the example addresses with your own (the dots are escaped and the pattern is anchored so that 10.1.1.206 does not also match 10.1.1.2061; if you use a custom admin path, change `admin` to match):

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin [NC]
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.206$
RewriteCond %{REMOTE_ADDR} !^10\.1\.2\.209$
RewriteRule .* - [F,L]

Step 8 – Check your site on magereport.com and act on its findings

Step 9 – Install a module such as Admin Activity Log to record every action taken in the admin panel

Step 10 – Make sure every admin user has their own account, with their role narrowed down to the minimum permissions that role requires

N.B. You can follow this guide even if your server hasn’t been compromised or hacked. It will help protect you from attackers who target ecommerce sites on a regular basis.

That’s it. We hope this article helped you in some way. Please leave us a comment and let us know what you think. Thanks.