Magento – Ransomware files and credit card scrapers

Magento has been inundated with patches and security fixes. I recently encountered several odd php files on a client’s site that flagged up on MageReport as ransomware: a Magento virus that encrypts all Magento core files and demands a ransom to give you access to your site.

Magento – Ransomware files

error.php, skins.php, test1.php, test.php

These files allow a hacker to exploit your site remotely, in some cases allowing a hacker to retrieve credit card information stored within your store. If you’re a small to medium sized business, I would strongly advise that all payments are processed by a third party. Payment gateway such as PayPal, SagePay and some of the high street banks, are better placed to oversea these transactions.

These files were found in the /skins folder and are not part of the site’s original set up. Worryingly they must have been placed by a virus or malicious script, although the site appeared in good health. They were placed at three different times, but before the November 9th ransomware virus. It is possible that they used Magento’s Connect Manager via the default /downloader folder, which has since been renamed.

The site had been patched within 24hrs of any security notification and had very few extensions or plugins. So it shows that you have to be very vigilant to keep your Magento site safe.

skins.php removal

If you find any of the above files, particularly skins.php which I have also seen within a new client’s active theme folder, remove it from your live server immediately. You may also have further files on your server, so try to do a full scan.

Here’s a bit more information about how these files may actually be used and what damage they are doing;

https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html