A backdoor is a way around the normal authentication method, and it works much like a Trojan. A Magento backdoor is exactly that: a hidden entry point into a Magento store.
When an attacker finds the front-line authentication hard to compromise, they look for weak spots in the Magento store, which are usually its backdoors. After getting into the store through a backdoor, the attacker embeds code on the website that can later be used to regain entry with little or no effort. They plant a backdoor to keep perpetual access to the website.
In other cases, Magento store developers may intentionally leave backdoors behind to have easier access to the system. This helps them troubleshoot bugs or other issues quickly at a later stage.
Whatever the case may be, backdoors are always a security risk, and it is always better NOT to have a backdoor in your system than to have one.
Why are Magento backdoors a menace?
A Magento backdoor can compromise your whole store. Over the years, we have seen enough backdoor catastrophes, which have resulted in the following and more:
- Unauthorized access for hackers
- Data theft and data breaches
- Website defacement
- Server hijacking
- Server-related attacks such as DoS and DDoS attacks
- Malware and web shell injection
- Theft of valuable data, and so on
- Hardware infection
Why is it hard to detect a backdoor?
Backdoors are very hard to detect because they can disguise themselves as something useful that is very difficult to suspect, at least for an average store owner.
Here are some reasons why a backdoor is particularly hard to detect:
- An attacker can hide the backdoor anywhere on your website
- They are usually ordinary PHP code
- They reside in unconventional locations to further evade detection
Areas to look for a backdoor in your Magento store
If you suspect the presence of a Magento backdoor in your e-commerce store, these are some of the places you should look:
- Theme & plugin files: If you have inactive themes lying around on your website, they may well be hosting your backdoor. Outdated and inactive theme and plugin files are the most vulnerable, so hackers creep through them into your website and keep these files as backdoors. Vulnerable themes and plugins are the number one vector that attracts hackers.
- Core files: After theme and plugin files, the most sought-after area is the core files. More sophisticated hackers create and inject backdoors into the most crucial files on your website, i.e. the core files, to defy detection.
- Configuration files: If we were to name the most probable place for a backdoor among the core files, it is this one – the configuration file. Hence, don’t forget to scan this file while hunting for backdoors.
- Database files: The database of an e-commerce store holds the valuable user information hackers so desperately want. You may want to check here too.
In addition to the above, you can scan your website for common Magento backdoors. Lists of common backdoors are easily available online; the common PHP web shell and backdoor list published on GitHub will serve your purpose if you’re looking for common Magento backdoors.
How to remove a Magento backdoor?
Here’s a step-by-step process to detect and remove Magento backdoors:
1. Comparing checksum
In this technique, the files of the website after the hack are compared against a good backup or a fresh installation of the core files. Any file whose checksum differs from the known-good copy is flagged, which pinpoints the infected files on your hacked website so the malware can be removed.
2. Scanning for unknown files
There are cases where a backdoor is so well placed and hidden that it is almost impossible to detect. So manually check all the functions and files of your website to see whether anything is missing or something extra has been embedded.
3. Block the bad codes
Block known bad code and the infected websites it is served from in advance. It is better to be safe than sorry.
4. Core Files Integrity
Verify the integrity of your website's core files and check whether anything has been modified or altered. If it has, install a fresh copy of Magento.
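As an added illustration of steps 1, 2 and 4 (example code written for this guide, not a Magento or Astra tool): it checksums a known-good tree against the live store, lists modified, added and missing files, and flags changed PHP files that match a constructed web-shell pattern. The file paths and contents are constructed samples.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed, illustrative pattern for one common PHP web-shell idiom; extend it
# from the public web-shell lists the text mentions.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")

def sha256_tree(root):
    """Map every file under root (as a relative POSIX path) to its SHA-256 checksum."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(reference, live):
    """Diff the live tree against the clean one; 'suspicious' lists changed PHP
    files that match the web-shell pattern."""
    ref, cur = sha256_tree(reference), sha256_tree(live)
    modified = sorted(p for p in ref if p in cur and ref[p] != cur[p])
    added = sorted(p for p in cur if p not in ref)
    missing = sorted(p for p in ref if p not in cur)
    suspicious = [p for p in modified + added
                  if p.endswith(".php") and SUSPICIOUS.search(Path(live, p).read_bytes())]
    return {"modified": modified, "added": added, "missing": missing,
            "suspicious": sorted(suspicious)}

def _write_tree(root, files):
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

def demo():
    """Constructed sample: a clean tree versus one with a tampered env.php, a shell
    dropped under pub/media and a deleted core file."""
    clean = {"index.php": b"<?php require 'app/bootstrap.php';\n",
             "app/etc/env.php": b"<?php return ['db' => ['host' => 'localhost']];\n",
             "app/bootstrap.php": b"<?php // bootstrap\n"}
    tampered = dict(clean)
    tampered["app/etc/env.php"] += b"eval(base64_decode('PLACEHOLDER'));\n"
    tampered["pub/media/.cache.php"] = b"<?php eval(gzinflate(base64_decode('X')));\n"
    del tampered["app/bootstrap.php"]
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as live:
        _write_tree(ref, clean)
        _write_tree(live, tampered)
        return compare_trees(ref, live)
```

On a real store, point compare_trees at an untouched Magento release of the same version and the live document root; the modified and added lists are where a backdoor hides.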
After you have found the backdoor, the next wise step is to remove it.
If you can’t find the malware, get professionals to find and remove it for you. Astra Security’s immediate malware & backdoor removal service offers a complete and quick recovery from malware & backdoor infections.
How to prepare against a Magento backdoor hack?
You have successfully removed a backdoor from your website, but how do you stop it from coming back? Here are some tips and tricks for you:
- Reset all the passwords.
- Re-check your admin accounts.
- Use a secure firewall.
- Always keep a backup of your website.
- Regularly update your website.
- Use the latest versions of PHP.
- Use secure plugins.
- Limit the login attempts to your website.
A Magento backdoor is a menace to your Magento store, but it can be found and eradicated. Most importantly, there is no such thing as a good backdoor: all backdoors pose a security threat and should be handled very carefully. If you’re struggling to find backdoors in your Magento store, follow the steps in this guide to find and remove them. Overall, having a security system and a malware scanner that scans your Magento store for malware & backdoors at regular intervals can be helpful.