How To Handle The PTSD From Your Hacked Magento Store?

Owning an eCommerce site is not easy. Owning a hacked eCommerce site is worse. Today, when online business runs on customer data, preventing data breaches should be your top concern. Attackers use a number of approaches to get into your site, and often enough they succeed.
When it happens, website owners panic and make mistakes whose effects only show up much later.

Things we do wrong


I have seen many website owners react wrongly when their website gets hacked. They rush to recover the site as soon as possible, and in that rush they simply start cleaning the site, restoring backups and so on. They forget a very basic step: evidence collection.

Websites do get hacked, but recovering the website is not the whole solution. If your site has been hacked once, it is likely to be hacked again unless you dig deeper to find and fix the root cause. This is where evidence collection and the pre-recovery steps below help.

In this article I am going to explain how to keep your cool and respond correctly when your Magento store gets hacked. This is not a recovery guide but a guide to collecting the evidence and data that will help you discover the root cause and make sure you do not get hacked the same way again.

1. Know the common signs of a hacked Magento store
 
Before you adopt any recovery measure or respond to the attack, you must know whether your store has really been hacked. Here are some common indicators that you should always check to tell whether your site is safe or has already been compromised:
  • Blacklist warnings: Notice blacklist warnings from Google, Bing, and security vendors such as McAfee.
  • Customer complaints: Notice any customer complaints about unexpected credit or debit card activity.
  • Strange checkout behavior: Notice any drop in sales or unusual checkout page activity.
  • Spam keywords: Notice if your product listings or search engine results have been stuffed with spam keywords.
  • Host warnings or suspension: Has your web host suspended your store for malicious activity?
  • File modifications: Notice if your Magento files have been modified without your knowledge; file timestamps and server logs can show this.
  • Unknown back-office users: Notice if back-office user accounts have been added without your knowledge.
2. Do not tamper with the evidence - PCI compliance
 
For a Magento store, or any eCommerce site, the data attackers want most is your customers' credit and debit card information. If you process payments within your Magento store, you are responsible for responding to a possible card data breach. If you suspect card data is being leaked or stolen, a first step is to contact your banking partner and ask for virtual credit cards.

Virtual credit cards let you make test purchases on your own store and watch whether the card details are stolen. Stolen card numbers are generally used by the attackers quickly, often within 12 hours, so if the test card is abused in that window you have confirmation that card data is being captured somewhere in your checkout. The reverse does not hold: a test card that is never abused does not prove the store is clean.

This is not an official or best practice, but it can be used as a first step on your side before you call in a PCI Forensic Investigator. If card data has actually been compromised, you will also need to notify your acquiring bank or payment processor, who decide whether a formal PFI investigation is required.

3. Backup everything as it is-
 
As soon as you suspect that your site has been hacked and data is being leaked, back up everything from the hacked site immediately. This has to happen quickly, because the attacker will try to erase their traces once they notice you are on to them. Back up as-is: do not clean, patch or reinstall first, and copy in a way that preserves file ownership, permissions and modification times (an archive such as tar does; a plain FTP download does not). Store the copy somewhere the attacker cannot reach, such as a different server or an offline disk.

In addition to the site files and the Magento database, make sure you have a backup of all the relevant site logs: web server access and error logs, including rotated ones, and Magento's own logs under var/log. It is a plus if you administer the server yourself, since you can then also save the system logs such as the auth and cron logs.
Moreover, keep a record of every hack indicator listed in the first point: screenshots or copies of the blacklist warnings, the odd checkout activity, the spam keywords, the host warnings, the modified files and the unknown back-office accounts, each with the time you observed it.
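The snapshot described in this section, written out as a POSIX shell script. This is an added example and not part of the original post: the site, log and output paths are placeholders, and the database dump runs only when the hypothetical DB_NAME, DB_USER and MYSQL_PWD variables are set.

```shell
# Added example (not from the original post): snapshot a suspected-compromised
# Magento host before anyone touches it. Paths are placeholders; set them for
# your host. Everything is archived rather than copied so that ownership,
# permissions and modification times travel with the files.

snapshot_evidence() {
    site_root=${1%/}    # e.g. /var/www/public_html  (placeholder)
    log_dir=${2%/}      # e.g. /var/log/apache2       (placeholder)
    out_dir=${3%/}      # somewhere the attacker cannot reach: another host or a mounted volume
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    bundle="$out_dir/evidence-$stamp"
    mkdir -p "$bundle" || return 1

    # 1. Site files. tar records uid/gid, mode and mtime, which a plain copy may not.
    tar -C "$(dirname "$site_root")" -cf "$bundle/site-files.tar" "$(basename "$site_root")" || return 1

    # 2. Web server logs, rotated .gz files included.
    tar -C "$(dirname "$log_dir")" -cf "$bundle/server-logs.tar" "$(basename "$log_dir")" || return 1

    # 3. Database, only when DB_NAME is set (assumed variable names). The password
    #    goes in MYSQL_PWD, which mysqldump reads, so it never shows in the process list.
    if [ -n "$DB_NAME" ] && command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction --routines --triggers \
            -h "${DB_HOST:-localhost}" -u "$DB_USER" "$DB_NAME" > "$bundle/db.sql" || return 1
    fi

    # 4. Live state a file copy cannot capture: who ran this, when, on what, plus a
    #    recursive listing with owners and mtimes exactly as seen on the live box.
    { date -u; uname -a; id; } > "$bundle/context.txt"
    ls -laR "$site_root" > "$bundle/file-listing.txt" 2>/dev/null

    # 5. Hash manifest over the bundle, then make it read-only. Re-running
    #    verify_evidence later proves the copy has not been altered since.
    ( cd "$bundle" && find . -type f ! -name manifest.sha256 -exec sha256sum {} + | sort -k2 > manifest.sha256 ) || return 1
    chmod -R a-w "$bundle"
    echo "$bundle"
}

# Returns 0 only if every file in the bundle still matches the manifest.
verify_evidence() {
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null )
}
```

Run it once, as root or the site owner, before anything else is touched, for example `snapshot_evidence /var/www/public_html /var/log/apache2 /mnt/evidence`. The manifest is what lets you show later that the copy you hand to a forensic investigator is the one you collected.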

4. Scan your store
 
Now that you have backed up everything, the next step is to scan your site. There are various free online scanning tools that can scan your Magento store remotely. These scanners can detect issues such as intermediary domains, credit card skimmers (swipers), malicious payloads and much more, but they only see what is reachable from outside: a remote scan finds symptoms, not the entry point, so it complements rather than replaces the file and account checks below.

You can follow these steps to scan your store:
A. Visit any of the site scanning tools websites.
B. Enter your Magento store URL.
C. Scan it.
D. Notice the warning messages appearing.
E. Notice if there are any payloads and locations.
F. Notice if there is any blacklist warning.

Moreover, it is a good idea to scan all the sites on the same server. Other sites on the server may be infected too, and if they are not cleaned, cross-site contamination can re-infect you.
For crucial sites such as eCommerce stores, dedicated and isolated hosting is always recommended. Dedicated SFTP or SSH accounts per site remain safer against cross-site infection than shared ones; prefer them over plain FTP, which sends credentials unencrypted.

5. Check your back-office User logs
 
Most attackers go first for the admin panel, which is a treasure trove for them. Breaking into the main admin account is hard if it follows best practice for credentials (a strong unique password, two-factor authentication where available, and a non-default admin URL).
Instead, attackers find another loophole and create malicious back-office user accounts from there. To verify whether your store has any malicious user account, check all user accounts, especially those with admin roles.

A. Log into your super admin account on the Magento back-office.
B. Go to System > Permissions > Users (Magento 1) or System > Permissions > All Users (Magento 2).
C. Check the list of users.
D. Note recently added user accounts, especially the ones with unexpected ID numbers, usernames or email addresses.
E. Record the details of any unknown or suspicious account (ID, username, email, role, creation date) for the evidence file, then delete it or set it to inactive so the attacker loses that foothold.

You can also parse your server logs to search for suspicious admin login requests. For example, if you operate from the US, an admin login from a UK IP address, or at 3 a.m. your time, is suspicious.
Most of the time, the manual account check is enough to detect malicious user accounts. However, if you do not know exactly how many user accounts operate on your store, use the server log method as well.
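The log parsing the text describes, as an added example (not from the original post). The log lines are constructed for the demonstration using documentation IP ranges; the admin path, the allowed IP prefixes and the burst threshold of three POSTs are assumptions you adjust for your store.

```shell
# Added example (not from the original post): pull admin-panel login attempts out of
# web server access logs, group them by client IP, and flag IPs outside an expected
# allowlist or IPs hammering the login form. Works on Apache/nginx "combined" format,
# plain or gzip-rotated. The admin URL prefix is a parameter because Magento lets
# you rename it.

# Constructed sample lines for this demonstration; the addresses are documentation ranges.
SAMPLE_LOG='203.0.113.10 - - [12/Mar/2017:09:14:03 +0000] "POST /admin/ HTTP/1.1" 302 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2017:09:14:05 +0000] "GET /admin/admin/dashboard/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2017:23:41:10 +0000] "POST /admin/ HTTP/1.1" 302 512 "-" "python-requests/2.9"
198.51.100.7 - - [12/Mar/2017:23:41:11 +0000] "POST /admin/ HTTP/1.1" 302 512 "-" "python-requests/2.9"
198.51.100.7 - - [12/Mar/2017:23:41:12 +0000] "POST /admin/ HTTP/1.1" 302 512 "-" "python-requests/2.9"
198.51.100.7 - - [12/Mar/2017:23:41:13 +0000] "POST /admin/ HTTP/1.1" 200 1024 "-" "python-requests/2.9"
192.0.2.55 - - [13/Mar/2017:03:02:00 +0000] "POST /admin/ HTTP/1.1" 302 512 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Mar/2017:10:00:00 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"'

# usage: admin_login_report ADMIN_PATH "PREFIX PREFIX..." LOGFILE...
#   ADMIN_PATH  URL prefix of the admin panel, e.g. /admin (or /index.php/admin on Magento 1)
#   PREFIXES    space-separated IP prefixes admins normally log in from ("" = trust none)
admin_login_report() {
    admin_path=$1; allow=$2; shift 2
    for f in "$@"; do
        case $f in *.gz) gzip -dc "$f" ;; *) cat "$f" ;; esac
    done |
    awk -v path="$admin_path" -v allow="$allow" '
    BEGIN { n = split(allow, ok_prefix, " ") }
    # Field 6 is the quoted method, field 7 the request path. Only POSTs to the
    # admin prefix are login attempts or admin actions; GETs are just page views.
    $6 == "\"POST" && index($7, path) == 1 {
        ip = $1
        ts = substr($4, 2)                  # strip the leading [
        count[ip]++
        if (!(ip in first)) first[ip] = ts
        last[ip] = ts
        ua = $0; sub(/.*" "/, "", ua); sub(/"$/, "", ua)   # user agent = last quoted field
        agent[ip] = ua
    }
    END {
        for (ip in count) {
            known = 0
            for (i = 1; i <= n; i++) if (index(ip, ok_prefix[i]) == 1) known = 1
            flag = known ? "known" : "SUSPECT"
            if (count[ip] >= 3) flag = flag ",burst"   # threshold is a judgment call
            printf "%s %d %s %s %s %s\n", ip, count[ip], first[ip], last[ip], flag, agent[ip]
        }
    }' | sort -k2,2nr
}
```

On a real host run it over the access logs saved in step 3, for example `admin_login_report /admin "203.0.113." /var/log/apache2/access.log*`. Each output line gives the IP, number of admin POSTs, first and last timestamp, a flag and the user agent; a scripted client such as python-requests hitting the login form repeatedly from an unexpected address in the middle of the night is exactly the pattern to look for.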

6. Check your Magento files integrity
 
Malware injections modify site files, and the attacker usually tries not to leave obvious traces: modification timestamps can be reset to match neighbouring files, so you cannot rely on "recently modified" alone. Any recent file modification on your store that you did not make may be the attacker's, but the reliable test is to compare every current file against a clean copy of the same Magento version.
Download the same Magento version you are running to your local system or to a scratch directory on the server. All previous and current Magento versions are available from the GitHub repository.

If you are on a Linux server it is easy to compare the two trees from an SSH terminal.
For example, here I am going to compare my Magento version 2.1.2 site, stored in public_html on the server, with a fresh Magento 2.1.2 from GitHub at https://github.com/magento/magento2/archive/2.1.2.tar.gz
 
I will use the following command lines on the SSH terminal:

A.    $ mkdir magento-clean && cd magento-clean
B.    $ wget https://github.com/magento/magento2/archive/2.1.2.tar.gz
C.    $ tar -zxvf 2.1.2.tar.gz
D.    $ diff -rq magento2-2.1.2 /path/to/public_html

Please note: GitHub names the extracted directory after the repository and tag, so the tarball unpacks to magento2-2.1.2/, not 2.1.2/, and the site must be given by its full path (your document root) because you are now inside the scratch directory. The -q flag lists which files differ instead of printing every changed line; drop it when you want to inspect one file in detail. This comparison reports clean Magento files against your site files, so it will also list every extension you have installed, because those files do not exist in the original Magento tree, as well as runtime directories such as var/ and pub/media/ that differ on every install. If your store was installed with Composer, the core code lives under vendor/magento rather than app/code, so compare against a fresh composer create-project of the same version instead of the GitHub archive.

Next, get fresh copies of the extensions you use, in the same versions, from the extension developers and compare them with your installed extension files using the same method.
In this way you can ensure that not only the Magento files but also the extensions are free of malware injection.
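The comparison above with the noise removed, as an added example that is not part of the original post. It wraps diff -rq with an exclusion list that is an assumption drawn from a standard Magento 2 layout (var, generated, pub/media, pub/static, vendor, env.php) and reports three kinds of finding: files that differ, files only on the site, and files only in the clean copy.

```shell
# Added example (not from the original post): compare a live Magento tree against a
# clean copy of the same release and report only what matters. Runtime, media and
# build directories are skipped because they legitimately differ on every install.
# Note that diff -x matches directory and file names anywhere in the tree, not paths.
# CLEAN is the extracted release (magento2-2.1.2/ for the tarball above, or a fresh
# composer create-project of the same version if the site was installed with Composer).

magento_integrity_check() {
    clean=${1%/}; site=${2%/}
    diff -rq \
        -x var -x generated -x media -x static -x vendor -x node_modules -x .git \
        -x env.php -x composer.lock -x '*.log' \
        "$clean" "$site" 2>/dev/null |
    awk -v clean="$clean" -v site="$site" '
    # "Files A and B differ" / "Binary files A and B differ": same path, different content
    /^(Files|Binary files) .* differ$/ {
        f = ($1 == "Binary") ? $3 : $2
        print "MODIFIED " substr(f, length(clean) + 2)
        next
    }
    # "Only in DIR: NAME": present on one side only. On the site side that is a
    # dropped file (web shell, skimmer); on the clean side a deleted one.
    /^Only in / {
        rest = substr($0, 9)
        i = index(rest, ": ")
        dir = substr(rest, 1, i - 1); name = substr(rest, i + 2)
        full = dir "/" name
        if (dir == site || index(dir, site "/") == 1)
            print "ADDED " substr(full, length(site) + 2)
        else
            print "MISSING " substr(full, length(clean) + 2)
    }' | sort
}
```

ADDED entries are the most interesting: a PHP file that the release never shipped, sitting under pub/ or in a cache directory, is the classic place for a web shell or card skimmer. MODIFIED entries inside app/code or vendor/magento show where legitimate code was tampered with; inspect each one with a plain diff of that file.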

Recommendation
 
We recommend using Magento extensions from reputable Magento developers only. Certified Magento developers are the most likely to deliver extensions without security flaws and to provide responsive after-sales support. We also recommend always keeping your Magento store and extensions on the latest versions, so that you have the latest security patches as well as the latest features.

To Conclude
 
These are the things you can do before going ahead with Magento website recovery. Keeping calm and not rushing the recovery steps makes sure you reach the root cause of the hack and that the same mistakes are not repeated. That gives you the least chance of getting hacked again, and the loopholes are easier to catch.

Author Bio: Ethan Roy, a technical content writer by Profession. With years of experience on various eCommerce platforms (Magento, PrestaShop, OpenCart, Shopify), he has a lot to share with the readers. Currently working as Technical Content Writer at Knowband.


