Magento server hacked or compromised


Please follow this step by step guide if your Magento server is hacked or compromised.

Step 1 – Check for infected services or files on the server by installing a rootkit scanner such as chkrootkit

wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

tar xvfz chkrootkit.tar.gz

cd chkrootkit-*/

make sense

("sense" is the name of chkrootkit's build target, not a typo.) Once built, you can move the chkrootkit directory to /usr/local/chkrootkit and create a symlink so that the command is on your PATH:

cd ..

mv chkrootkit-*/ /usr/local/chkrootkit

ln -s /usr/local/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

Once all the above steps are done, you should be able to run a chkrootkit scan (as root) with the following command:

chkrootkit

or you can save the results to a file:

chkrootkit > output.txt

You can also schedule it as a root cron job that emails you the results every day (the path below is the symlink created above):

0 3 * * * /usr/local/bin/chkrootkit 2>&1 | mail -s "chkrootkit output" myemail@mydomain.com

Step 2 – Change all your passwords (Magento Admin Panel, Control Panel, Server, FTP, SSH etc.). You should change them at least once every 3 months, as required by the Payment Card Industry Data Security Standard (PCI DSS) requirement 8.5.9.

Step 3 – Reset the folder and file permissions of your Magento installation.

Go to the root folder of your Magento site and run the following commands:

find -type f -exec chmod 664 '{}' \;

find -type d -exec chmod 755 '{}' \;

cd media 

find -type d -exec chmod 775 '{}' \;

cd ../var

find -type d -exec chmod 755 '{}' \;
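The commands above set the permissions but give you no way to confirm afterwards that nothing was missed or silently changed again. The following script is an added example, not part of the original article: it audits a tree for paths whose modes differ from the ones Step 3 sets (files 664, directories 755, directories under media/ 775), applies the article's chmod sequence, and audits again. The sample tree it builds is constructed for the demonstration; point the functions at a real Magento root to use them (the find commands are written with an explicit "." path so they also work on BSD find).

```shell
#!/bin/sh
# Added example, not part of the original article: audit a Magento tree for
# paths whose modes differ from the ones Step 3 sets (files 664, directories
# 755, directories under media/ 775), then apply the article's chmod sequence
# and audit again. The sample tree below is constructed for the demonstration.

# Print every path whose mode deviates from the expected one.
# Usage: audit_magento_perms /path/to/magento-root
audit_magento_perms() {
    (
        cd "$1" || exit 1
        # Regular files anywhere in the tree should be 664.
        find . -type f ! -perm 664
        # Directories outside media/ (the root itself included) should be 755.
        find . -type d ! -path './media' ! -path './media/*' ! -perm 755
        # media/ and everything below it should be 775.
        [ -d ./media ] && find ./media -type d ! -perm 775
        exit 0
    )
}

# Number of deviating paths, printed on stdout.
count_perm_findings() {
    audit_magento_perms "$1" | wc -l | tr -d ' '
}

# The command sequence from Step 3, wrapped so it can be run on any root.
fix_magento_perms() {
    (
        cd "$1" || exit 1
        find . -type f -exec chmod 664 '{}' \;
        find . -type d -exec chmod 755 '{}' \;
        cd media && find . -type d -exec chmod 775 '{}' \;
        cd ../var && find . -type d -exec chmod 755 '{}' \;
    )
}

# --- constructed sample tree ---
SAMPLE_ROOT="$(mktemp -d)"
mkdir -p "$SAMPLE_ROOT/app/code" "$SAMPLE_ROOT/media/catalog" "$SAMPLE_ROOT/var/cache"
: > "$SAMPLE_ROOT/index.php"
: > "$SAMPLE_ROOT/app/code/Module.php"
: > "$SAMPLE_ROOT/media/catalog/image.jpg"
fix_magento_perms "$SAMPLE_ROOT"          # start from a clean baseline
# Three deviations of the kind a compromise or a careless deploy leaves behind.
chmod 777 "$SAMPLE_ROOT/index.php"        # world-writable PHP file
chmod 777 "$SAMPLE_ROOT/var/cache"        # world-writable directory
chmod 755 "$SAMPLE_ROOT/media/catalog"    # media dir the web server cannot write

BEFORE=$(count_perm_findings "$SAMPLE_ROOT")
fix_magento_perms "$SAMPLE_ROOT"
AFTER=$(count_perm_findings "$SAMPLE_ROOT")
echo "deviating paths before fix: $BEFORE, after fix: $AFTER"
rm -rf "$SAMPLE_ROOT"
```

Running audit_magento_perms from cron on the real root, and alerting when it prints anything, turns Step 3 from a one-off fix into an ongoing check.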

Step 4 – Check which files and folders were modified recently

Go to the root folder of your Magento site and run the following command:

find . -type f -name '*.php' -mtime -7

The above command lists all PHP files that have been added or modified in the last 7 days. Ask your developers to confirm whether each of those changes was made by your development team.

Step 5 – Search all PHP files for suspicious code

The -print0 / -0 pair keeps file names containing spaces from breaking the pipeline:

find . -type f -name '*.php' -print0 | xargs -0 grep -l "base64_decode *("

find . -type f -name '*.php' -print0 | xargs -0 grep -l "gzinflate *("

Step 6 – Search your writable directories for executable code

find media -type f -name '*.php'

find var -type f -name '*.php'
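Steps 4 to 6 are usually run together during an incident, so the script below (an added example, not code from the original article) wraps them into three reusable functions: PHP files modified within the last N days, PHP files containing the obfuscation helpers the article greps for, and PHP files sitting in the writable media/ and var/ trees. The sample tree it builds is constructed (the base64 string simply decodes to "hello"); run the functions against a real Magento root.

```shell
#!/bin/sh
# Added example, not part of the original article: one scan that combines
# Steps 4 to 6 of the guide. The sample tree below is constructed.

# PHP files modified in the last $2 days under $1, one path per line.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# PHP files under $1 containing base64_decode( or gzinflate(, with the
# optional spaces before the parenthesis that the article's pattern allows.
# /dev/null is passed as an extra argument so grep never falls back to stdin
# when find returns nothing; "|| true" keeps a no-match exit status from
# aborting scripts that run with set -e.
obfuscated_php_files() {
    find "$1" -type f -name '*.php' -print0 \
        | xargs -0 grep -lE 'base64_decode *\(|gzinflate *\(' /dev/null || true
}

# PHP files in directories that should only ever hold data (Step 6).
php_in_writable_dirs() {
    for d in media var; do
        [ -d "$1/$d" ] && find "$1/$d" -type f -name '*.php'
    done
    return 0
}

count_lines() { wc -l | tr -d ' '; }

# --- constructed sample tree ---
SAMPLE_ROOT="$(mktemp -d)"
mkdir -p "$SAMPLE_ROOT/app/code" "$SAMPLE_ROOT/media/catalog" "$SAMPLE_ROOT/var/cache"
# Legitimate core file last touched in 2020: old and clean.
printf '<?php\necho "catalog";\n' > "$SAMPLE_ROOT/app/code/Old.php"
touch -t 202001010000 "$SAMPLE_ROOT/app/code/Old.php"
# Legitimate recent deploy: new but clean, so it only shows up in Step 4.
printf '<?php\nrequire "app/bootstrap.php";\n' > "$SAMPLE_ROOT/index.php"
# Recently modified file that hides a string in base64 (constructed stand-in;
# "aGVsbG8=" is just "hello").
printf '<?php\n$x = base64_decode ("aGVsbG8=");\n' > "$SAMPLE_ROOT/app/code/Helper.php"
# PHP dropped into the media upload tree, using gzinflate the same way.
printf '<?php\necho gzinflate("");\n' > "$SAMPLE_ROOT/media/catalog/upload.php"

RECENT=$(recent_php_files "$SAMPLE_ROOT" 7 | count_lines)
OBFUSCATED=$(obfuscated_php_files "$SAMPLE_ROOT" | count_lines)
WRITABLE_PHP=$(php_in_writable_dirs "$SAMPLE_ROOT" | count_lines)
echo "modified in last 7 days: $RECENT, obfuscation helpers: $OBFUSCATED, PHP in media/var: $WRITABLE_PHP"
rm -rf "$SAMPLE_ROOT"
```

On a real site, the three lists overlap: a file that is recent, obfuscated and inside media/ should be treated as the highest-priority finding, while a recent clean file under app/ is most likely a deploy your developers can vouch for.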

Step 7 – Restrict your admin access to certain IP addresses

Add the following to the .htaccess file in your Magento web root (Apache with mod_rewrite). Replace the two addresses with your own, adding one RewriteCond line per allowed address, and use your custom admin path instead of "admin" if you have changed it. Note that behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so this rule must be applied at the proxy instead.

# Deny every request to the admin path unless it comes from a listed address.
# The trailing $ anchors each address so a longer address with the same prefix is not let through.
RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin(.*) [NC]
RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.206$
RewriteCond %{REMOTE_ADDR} !^10\.1\.2\.209$
RewriteRule .* - [F,L]

Step 8 – Check your site on magereport.com and act on its findings

Step 9 – Install a module such as Admin Activity Log to record every action taken in the admin panel

Step 10 – Verify all admin users. Make sure every admin user has their own account, and narrow each role down to the minimum permissions that role requires

Step 11 – Ensure all custom code is reviewed before using on the site.

Step 12 – Apply the available security patches for your Magento version. You can find the security patches at this link: https://helpx.adobe.com/in/security/products/magento/apsb22-12.html

Step 13 – Make sure all core Applications and Extensions are up to date

N.B. You can follow this guide even if your server hasn't been compromised or hacked. It will help protect you from attackers who target e-commerce sites on a regular basis.

That's it. Hope this article helped you in some way. Please leave us a comment and let us know what you think. Thanks.
