Last weekend there was a hacker attack affecting about 2000 Magento 1 stores. In this newsletter we explain what we know about it and what you can do to protect your store.We also take this opportunity to thank our partner sansec.io for their support in researching these attacks.
What happened?
We received the message that last weekend about 2000 Magento 1 stores were successfully hacked. The number of attacks is likely to be much higher.
What does it look like?
As soon as the attack became known, we immediately started researching the effects and the cause.
According to our research, the attack uses the “Magento Connect” section of Magento, also known as the downloader, to inject JavaScript code into the store that loads malware.
Read more about malware at Wikipedia: https://en.wikipedia.org/wiki/Malware
What is “Magento Connect”?
The marketplace of Magento was formerly known as “Magento Connect”. In the store itself there is a page where you could install extensions in the store. You can find this area if you add /downloader to your store URL, e.g. https://my-mage-one-shop.example.org/downloader/
How do I know that my store has been attacked?
First you have the possibility to check if there has been an attack by searching the server log files for access to the download directory. These probably look like this:
/downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name=
If you have found such a line, please send us this excerpt from your log file.
How likely am I affected?
If you have blocked access to the downloader directory in your store or this directory does not exist in your store at all, you are safe.
sansec.io also published the list of TLDs, which are currently affected and hacked:
| 872 | .com |
| 115 | .uk |
| 91 | .nl |
| 77 | .de |
| 69 | .br |
| 61 | .it |
| 42 | .au |
| 38 | .net |
| 34 | .ro |
| 34 | .pl |
How do I know that my store has been hacked?
When you are on the checkout page, open the source code of your page and search for the following term: mcdnn.net
To our knowledge, the injected JavaScript code looks something like this:
If you have found this or a similar code, please let us know as well.
What should I do if I find the Malware code?
Contact your agency or developer and ask them to find and remove this code immediately. You should also search for files that are not part of the Magento installation. In several of the hacked stores a mysql.php file was found in the root directory.
Be sure to inform customers who have placed orders since the weekend that their data is at risk.
What does this code do?
You can assume that malware code that was introduced into your store’s checkout is trying to intercept credit card data or other access data.
What can I do to protect my store?
You have two possibilities to protect your store.
1. protect the directory via the .htacess file
Open the .htaccess file that is located in the root folder of your Magento installation (where cron.sh and cron.php are located) and add the following line at the beginning
RedirectMatch 404 ^/downloader/.*$
2. delete the downloader directory
Remove the complete directory "downloader" , which is located in your root directory. You can delete it without hesitation. Since the Marketplace for Magento 1 has been switched off, the downloader can no longer be used for this purpose. Alternatively you can rename the directory, but a complete removal is much safer.
Will there be a patch?
We are still investigating the attacks and, if possible, we will release a patch within the next 30 days. You will be informed about this patch by e-mail. Nevertheless, we recommend that you take the measures described above before.