eComscan reported one or more issues with your store. What you do next depends on whether it found a vulnerability or malware. In either case, your development agency or internal dev team should handle the remediation.
Vulnerability
Check the report for specific instructions. In general, upgrade or remove the vulnerable component. Third-party tools like database managers should be removed from production altogether. For core platform vulnerabilities, a security patch is almost always available from your vendor. For Magento, install all relevant patches as published here.
Watch out for:
- Duplicate code. You may have patched your main codebase, but a forgotten copy under /dev or /test can still be vulnerable.
- Cached code. Magento's compilation feature caches code under src or generated. After applying patches, clear the compilation cache or the vulnerability may remain active.
Malware
Malware means an attacker had partial or full control over your store. Treat this as an active incident and respond accordingly. This incident response template for Magento provides a good framework.
At a minimum, follow these steps:
- Preserve evidence. Create a full backup and record file timestamps using stat <filename> to find both change and modification times. Also back up your web server logs — some providers purge them after a few days. Logs are typically found under $HOME/logs, /var/log/nginx, /var/log/httpd, or /var/log/apache.
- Identify all malicious code and any remaining means of unauthorized access.
- Identify the root cause (see root cause analysis for Magento).
- Lock everything down at the same time:
  - Change all staff passwords (see this script for Magento)
  - Invalidate all active admin sessions
  - Change the database password
  - Rotate SSH keys and hosting account credentials
  - Rotate secret application tokens such as Magento's crypt key — these grant an attacker indefinite access
  - Restrict admin access to a limited set of IPs (office, VPN).
- Restore from a known clean backup if possible.
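The evidence-preservation step above, as an added example script (not part of the eComscan documentation or Sansec's tooling): it records mtime, ctime and a SHA-256 per file, flags files whose modification time was set far earlier than their change time, and archives the log directories listed above. It assumes GNU coreutils (stat -c, sha256sum) and tar, as found on typical Linux hosts; the store and evidence paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not part of the eComscan docs): freeze file metadata and logs
# before anyone starts cleaning, so the evidence survives remediation.
# Assumes GNU coreutils (stat -c, sha256sum) and tar, as on typical Linux hosts.

# Record "mtime ctime sha256 path" for every file under $1 into manifest $2.
# Both timestamps matter: mtime can be reset with `touch`, ctime cannot,
# so the pair shows when a file was really written. Prints the file count.
snapshot_tree() {
    tree="$1"; manifest="$2"
    : > "$manifest"
    find "$tree" -type f | sort | while IFS= read -r f; do
        ts=$(stat -c '%Y %Z' "$f")                 # %Y = mtime, %Z = ctime
        sum=$(sha256sum "$f" | cut -d ' ' -f1)
        printf '%s %s %s\n' "$ts" "$sum" "$f" >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# Paths whose ctime is at or after epoch second $2: what changed since a date.
changed_since() {
    awk -v since="$2" '$2 >= since { sub(/^[^ ]+ [^ ]+ [^ ]+ /, ""); print }' "$1"
}

# Paths whose mtime is more than a day older than ctime: content written
# recently but stamped as old, which is worth a closer look during triage.
backdated() {
    awk '$2 - $1 > 86400 { sub(/^[^ ]+ [^ ]+ [^ ]+ /, ""); print }' "$1"
}

# Archive whichever of the given log directories exist into tar file $1.
# Returns 1 when none of them exist, so a missing log backup is noticed.
backup_logs() {
    archive="$1"; shift
    found=""
    for d in "$@"; do
        [ -d "$d" ] && found="$found $d"
    done
    [ -n "$found" ] || return 1
    # shellcheck disable=SC2086  (word splitting on $found is intended)
    tar -cf "$archive" $found
}

# Usage on a real host (placeholder paths):
#   sh preserve.sh --run /var/www/magento /srv/evidence
if [ "$1" = "--run" ]; then
    mkdir -p "$3"
    snapshot_tree "$2" "$3/manifest.txt"
    backup_logs "$3/logs.tar" "$HOME/logs" /var/log/nginx /var/log/httpd /var/log/apache
    echo "backdated files:"; backdated "$3/manifest.txt"
fi
```

Store the manifest and the tar archive outside the web root and off the compromised host before starting cleanup, since changing or deleting files during remediation alters the very ctimes the manifest captured.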