Magento Security – Fix Hacked Site Displaying User Emails and Error Message

Tags: magento-1, patches, PHP, security

- My client suspects his site was hacked. I'm not sure, but when I open index.php I get a list of emails and usernames, and what appears to be encrypted passwords (please correct me if I'm wrong).

I have drawn over the picture in red to protect privacy (see the top, before the error message).


Q: Is this normal in Magento?

- The /admin folder is giving the same error. I can't log into the admin; I got a 404 error until I restored the .htaccess file, and now I get the same error message as on the homepage's index.php.

- I have found a file named config.php that, when opened, shows a form to send something, and inside it I can read this in the first lines; it looks really suspicious.

<?php $bm_____s=base64_decode("ZXZhbChceDYyXHg2MVx4NzN .... 

Q: Can anyone in the community confirm if this is a hacked site?

- The error log says that this is the problem:

"Mage registry key “controller” already exists"

Details:

a:5:{i:0;s:45:
"Mage registry key "controller" already exists"
;i:1;s:631:"
#0 /home/filomena/public_html/app/Mage.php(223): Mage::throwException('Mage registry k...')
#1 /home/filomena/public_html/app/code/core/Mage/Core/Model/App.php(747): Mage::register('controller', Object(Mage_Core_Controller_Varien_Front))
#2 /home/filomena/public_html/app/code/core/Mage/Core/Model/App.php(1094): Mage_Core_Model_App->_initFrontController()
#3 /home/filomena/public_html/app/code/core/Mage/Core/Model/App.php(354): Mage_Core_Model_App->getFrontController()
#4 /home/filomena/public_html/app/Mage.php(684): Mage_Core_Model_App->run(Array)
#5 /home/filomena/public_html/index.php(87): Mage::run('', 'store')
#6 {main}"
;s:3:"url";s:1:"/";s:11:"script_name";s:10:"/index.php";s:4:"skin";s:7:"default";}

Basically my main concern is: if the site was hacked, how do I back up and recover? Is there any recommended guide / procedure to follow? Thank you guys!

SOLUTION:
The site had effectively been hacked; it did not have the most recent security patches.

I replaced all passwords, deleted suspicious users from the DB using phpMyAdmin, scanned the files, changed the FTP passwords, did a fresh install of Magento via cPanel and then connected this new filesystem to the old DB after the cleanup. Installed all the latest patches and voilà, it's running now.

Best Answer

Yes you're right it looks very suspicious.

My suggestions:

  • run your website on https://www.magereport.com/
  • create a maintenance.flag file at the root folder of your website to disable it
  • apply the missing patches
  • access the backend and delete every admin user that looks suspicious
  • I also suggest you download a fresh install of your Magento version and use version control (Git or SVN) to compare your files with the new original files to find the corrupted files