1

i applied already the two patches SUPEE-5344 and SUPEE-1533, but how do i check, or how do i know my site and files are not already infected?

Thanks in advance.

Meez
  • 483
  • 1
  • 8
  • 22

5 Answers5

1

You can check your website is VULNERABLE to the above bug at https://shoplift.byte.nl.

Pradeep Sanku
  • 9,236
  • 2
  • 41
  • 73
1

There are three things you can quickly check:

  1. Check admin users list. See if there are new records. I've seen more than dozen compromised sites and they all have new users, most notably using magent.com and example.com e-mail addresses. Please note that once inside hackers can change user passwords, install extensions and so on. Eventually they have other ways to get into you system and because of that they may remove those highly suspicious entries to avoid detection.
  2. New installed extensions, most notably MagPleasure File System extension. This allows attackers to modify .php files and through it gain full system level access. As with users, it's likely that to avoid detection they remove this extension once system has been compromised.
  3. If you use versioning, check local code base status. If live system has uncommited modified files there's reason to be concerned.
Pronto
  • 3,405
  • 1
  • 15
  • 33
  • I'm going to echo @pronto here. We've only come across 5 or so but these are consistently attack signatures across all the ones we've seen. We're gathering up all of our analysis from the remediation work we've done over the last few weeks and posting the research online as well as a set of tools on github that can help automate checking our list of confirmed signatures @ https://github.com/comitdevelopers/magento-security-toolkit - should be ready tomorrow. – Bryan 'BJ' Hoffpauir Jr. Jun 07 '15 at 11:22
1

You can confirm your site has been successufully patched from the following site directly. http://magento.com/security-patch

Enter your store url & change admin path and then click on Test button.

And also you can check successfully patched list in your app/etc/ folder

For more information go for this post https://magento.stackexchange.com/a/64082/24348

Community
  • 1
Sintu Roy
  • 433
  • 3
  • 17
1

There is no easy way to check if anything changed on your site. I learned from this, to put the whole magento into my git, not only the non-core files.

If you have everything in git, git status shows you all changes. If you don't use any version control yet, it is time to change this, and diff all your files agains originals downloaded freshly from magento.

Fabian Blechschmidt
  • 35,388
  • 8
  • 75
  • 182
0

I too recommend using Magento Shoplift Bug Tester v1.0 to check if your site is vulnerable. (As mentioned by others)

I would add to that a nifty trick to find recently modified files:

find . -type f \( -iname \*.php  -o -iname \*.js \) -mtime -14 -exec stat -c "%n %y" {} \;

Above command will find all PHP and JavaScript files that have been modified within the last two weeks.

(Source: How to find recently modified files)

Oftentimes, compromised sites will have critical files modified to capture credit card data and other sensitive information.

siment
  • 176
  • 3