Compromised Clients

Here is the steps we need to achieve to clean the website of malware

Preparation for cleaning the site

  • We get information from client, since then they noticed that the site was hacked.
  • We try to find the entrypoint where everything started. Were they brute forced through RSS, downloader, magmi
  • We ask for current credentials to their hosting environment, SSH details, domain registrar credentials
  • To reduce the risk of the site being compromised again, we either start from fresh Magento copy and install the plugins they have used. Or we clean the current source code they have.
  • We use Malware scanning tool for source code. And look through any suspicious files
  • We look through the database also, and see if we find it compromised.

Things we gonna need to do to clean the website

  • If it's an old client of our we check if we do have malware free backup of their site in our server. If we don't have one, we ask that from client, or from hosting company.
  • We patch up the website if it's not patched up yet.
  • We restrict or completely delete use of downloader/rss/magmi
  • We change the passwords of Magento
  • We move the source code to new server (as the old server can be compromised aswell)

Finalising the cleaning

  • We ask client to order new server (preferably dx3 as we are our referal)
  • We setup git to version control the source
  • We deploy the changes and make sure that everything is working as it was, except malware free.