1

Home page of my Magento site is hacked. A hacker put his javascript and html code in design/head/includes of table core_config_data. Somehow he updated value of design/head/includes from NULL to his script that's why home page of the site is showing what he wants to show.

I have removed this value and my site starts appearing again.

There is no data loss in database, neither he has updated any code file. Only this value has been updated in database.

Admin and database passwords are quite strong. I am not sure how he updated this.

Another thing is when I give 755 permission to the folder var, the hacked page starts visible again and when I give 777 permission to var, the site starts appearing normally. I am not sure, from where the hacked page is visible. I have cleared cache from admin and removed inside content of cache too but still changing permission of var makes that hacked page available instead of home page.

I am not sure how this is happening.

Please help.

Derek
  • 79
  • 1
  • 7
  • your actual question is not clear - what exactly do you want help with? – schroeder May 11 '17 at 14:39
  • Giving 755 to directory var and that hack page appears again instead of index page, I want to remove it. It is fine if site stops working but it should not show that hacked page and second I want to know the possibilities from where he updated the value in table core_config_data. – Derek May 11 '17 at 15:02
  • The first question is more about magento technical functionality, so you may have more luck at magento.stackexchange.com. Your second question is very hard to answer without access to logs. Possibilities include sql injection, credential stuffing/default password, compromise of the DB server, compromise of the webserver (either via magento or via some other application running on the server), DB server misconfiguration, the list goes on and on. Your safest bet would be to rebuild the servers (both web and DB) from scratch, and move on. – Dan Landberg May 11 '17 at 15:37
  • Also, I did find this CVE which may be related to your issue. http://defensecode.com/news_article.php?id=9 – Dan Landberg May 11 '17 at 15:43

0 Answers0