Magento – Upgrading compromised Magento from 1.7 to 1.9

magento-1.7magento-1.9patchesSecurityupgrade

I've been doing some research but there appears to be multiple solutions, and I want to get it right. I need to upgrade my Magento from 1.7.0.2 to the latest (1.9) being that our server was compromised and outgoing mail has been spammed.

I was told by out hosting provider to make sure the latest version of Magento is installed to help stop this.

My question though, is what's the best way to get this upgraded? I'm trying to avoid storing anything on my local machine since I don't want that to get harmed with the malicious files.

I was thinking of creating a folder titled 'OLD' on the server and moving all my magento files there and then install a fresh install of Magento 1.9. Once done, I can move over only the necessary files (themes etc) and then delete the 'OLD' folder.

Is this the best way to go about this? Do I need to do anything with my Database, other than amend the local.xml information?

Best Answer

First, the obvious: updating/patching Magento will only prevent future attacks but does not make an already compromised installation secure.

Copying the files to your local machine is not dangerous as long as you just do it to analyze the files and don't set up a local web server. Back up the files on the server itself is an option, but since the server is still compromised, be aware that the files might still get messed with. Also, it is likely that there are malicious scripts hidden in your "necessary files", for example in your theme.

What should you do with the hacked installation?

  1. Take it offline. That is, not just put the store into "maintenance mode", but disable the virtual host or block all access.
  2. Find and delete the malicious files. A common pattern is that PHP files are placed on the server that execute arbitrary code if accessed by a certain IP range and get the code passed as URL parameter. It might also be a modified existing file. Also, those tend to recreate themselves (for example, modified core file A creates backdoor file B everytime it is loaded). Searching for base64 and eval in all PHP files on the server is a good start. Don't forget media and var directories, those are popular to hide backdoors because they are usually less monitored. There are also tools that might help you. But in doubt, find a security expert to review the code.
  3. Find malicious extensions: A possible attack is to gain access to the Magento admin panel and install a "file manager" extension. Check if any extensions have been installed recently that you don't know. Also check the admin_user database table for additional admin accounts and remove them.
  4. Change all passwords (Magento admin, database, ...).
  5. Install all security patches for your Magento version (a fully patched Magento 1.7 is as secure as Magento 1.9, so I'd save the hassle of updating for later)
  6. Update your extensions and theme, as they are also a potential source of exploits
  7. If other applications are running on the same environment (for example Wordpress), check and update them as well
  8. Go online again. Or even better: back up your database and the files that you need, wipe the server and set it up from scratch.
Related Topic