Question

I already applied the two patches SUPEE-5344 and SUPEE-1533, but how do I check, or how do I know, that my site and files are not already infected?

Thanks in advance.


Solution

I too recommend using Magento Shoplift Bug Tester v1.0 to check if your site is vulnerable. (As mentioned by others)

I would add to that a nifty trick to find recently modified files:

find . -type f \( -iname \*.php  -o -iname \*.js \) -mtime -14 -exec stat -c "%n %y" {} \;

The above command will find all PHP and JavaScript files that have been modified within the last two weeks.

(Source: How to find recently modified files)

Oftentimes, compromised sites will have critical files modified to capture credit card data and other sensitive information.

OTHER TIPS

You can check whether your website is VULNERABLE to the above bug at https://shoplift.byte.nl.

You can confirm that your site has been successfully patched directly from the following site: http://magento.com/security-patch

Enter your store URL & change admin path and then click on the Test button.

You can also check the successfully patched list in your app/etc/ folder.

For more information, see this post: https://magento.stackexchange.com/a/64082/24348

There is no easy way to check if anything changed on your site. I learned from this to put the whole of Magento into my git, not only the non-core files.

If you have everything in git, git status shows you all changes. If you don't use any version control yet, it is time to change this, and to diff all your files against originals freshly downloaded from Magento.

There are three things you can quickly check:

  1. Check the admin users list. See if there are new records. I've seen more than a dozen compromised sites and they all have new users, most notably using magent.com and example.com e-mail addresses. Please note that once inside, hackers can change user passwords, install extensions and so on. Eventually they have other ways to get into your system and because of that they may remove those highly suspicious entries to avoid detection.
  2. Newly installed extensions, most notably the MagPleasure File System extension. This allows attackers to modify .php files and through it gain full system-level access. As with users, it's likely that to avoid detection they remove this extension once the system has been compromised.
  3. If you use versioning, check the local code base status. If the live system has uncommitted modified files, there's reason to be concerned.
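
One way to carry out the "diff against freshly downloaded originals" check suggested in the answers above, as an added example that is not part of the original posts: it hashes the PHP and JavaScript files in a pristine unpack of the same Magento release and in the live docroot, then lists files that were added, modified or are missing. The function names and both directory arguments are assumptions, and GNU find, sort, xargs and sha256sum are assumed.

```shell
# Added example (not from the original answers). Needs GNU find, sort, xargs, sha256sum.

# manifest DIR: print "<sha256>  ./relative/path" for each PHP/JS file, sorted by path.
manifest() (
    cd "$1" || exit 1
    find . -type f \( -iname '*.php' -o -iname '*.js' \) -print0 |
        sort -z | xargs -0 -r sha256sum
)

# compare_trees PRISTINE LIVE: one line per difference, sorted.
#   ADDED    file exists only in LIVE (for example an unknown extension or dropped script)
#   MODIFIED file content differs from the pristine copy
#   MISSING  file exists only in PRISTINE
compare_trees() (
    [ -d "$1" ] && [ -d "$2" ] || { echo "usage: compare_trees PRISTINE LIVE" >&2; exit 2; }
    tmp=$(mktemp -d) || exit 1
    manifest "$1" > "$tmp/pristine" && manifest "$2" > "$tmp/live" || exit 1
    # sha256sum lines are 64 hex chars, two spaces, then the path (column 67 onward).
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { ref[path] = hash; next }
        { seen[path] = 1
          if (!(path in ref))         print "ADDED " path
          else if (ref[path] != hash) print "MODIFIED " path }
        END { for (p in ref) if (!(p in seen)) print "MISSING " p }
    ' "$tmp/pristine" "$tmp/live" | sort
    rm -rf "$tmp"
)

# Constructed sample trees standing in for a fresh download and a live docroot.
demo_compare() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/pristine/app" "$d/pristine/js" "$d/live/app" "$d/live/js"
    echo '<?php // core file' > "$d/pristine/app/Mage.php"
    echo '<?php // core file' > "$d/live/app/Mage.php"
    echo 'var checkout = 1;' > "$d/pristine/js/checkout.js"
    echo 'var checkout = 1; /* altered */' > "$d/live/js/checkout.js"
    echo '<?php // unknown' > "$d/live/app/extra.php"
    echo '<?php // removed' > "$d/pristine/app/gone.php"
    compare_trees "$d/pristine" "$d/live"
    rm -rf "$d"
)

demo_compare
```

The pristine tree must be the same Magento version with the same patches applied as the live site, otherwise legitimately patched files show up as MODIFIED.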
Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange