
Magento – Ransomware files and credit card scrapers

By Andrew Taylor, November 14, 2015 (updated June 2nd, 2016)

Magento has been inundated with patches and security fixes. I recently encountered several unfamiliar PHP files on a client’s site that MageReport flagged as ransomware: a Magento virus that encrypts all Magento core files and demands a ransom before you can access your site again.

Image: Magento – Ransomware files (error.php, skins.php, test1.php, test.php)

These files allow a hacker to exploit your site remotely, in some cases retrieving credit card information stored within your store. If you’re a small or medium-sized business, I would strongly advise that all payments are processed by a third party. Payment gateways such as PayPal, SagePay and some of the high street banks are better placed to oversee these transactions.

These files were found in the /skins folder and are not part of the site’s original set-up. Worryingly, they must have been placed by a virus or malicious script, although the site appeared in good health. They were placed at three different times, all before the November 9th ransomware virus. It is possible that the attackers used Magento’s Connect Manager via the default /downloader folder, which has since been renamed.

The site had been patched within 24 hours of every security notification and had very few extensions or plugins. This shows that you have to be very vigilant to keep your Magento site safe.

skins.php removal

If you find any of the above files, particularly skins.php which I have also seen within a new client’s active theme folder, remove it from your live server immediately. You may also have further files on your server, so try to do a full scan.
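As an added example (not the author’s own tooling), the scan below walks a Magento webroot and reports two things: the four filenames named in this post wherever they appear, and any .php file sitting under directories that should only hold static assets or templates. Findings are sorted by modification time, which is how you reconstruct when each file landed. It assumes the post’s “/skins” is Magento’s “skin” directory (both spellings are checked) and that skin/, media/ and app/design/ legitimately contain no PHP.

```python
import os
import sys
import time
from pathlib import Path

# Filenames the post reports as the ransomware / card-scraper droppers.
SUSPECT_NAMES = {"error.php", "skins.php", "test1.php", "test.php"}
# Directories of a Magento 1 install that hold only static assets or templates,
# so any .php file under them is out of place. Assumption: the post's "/skins"
# is Magento's "skin" directory; both spellings are checked to be safe.
NO_PHP_PREFIXES = ("skin", "skins", "media", "app/design")

def under_no_php_dir(rel_dir):
    """True if rel_dir (posix path relative to the webroot) is inside a no-PHP prefix."""
    return any(rel_dir == p or rel_dir.startswith(p + "/") for p in NO_PHP_PREFIXES)

def scan_magento_root(root):
    """Walk a webroot; return [(relative_path, reason, mtime_utc)] oldest first."""
    root = Path(root)
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        rel_dir = "" if rel_dir == "." else rel_dir
        for name in filenames:
            reasons = []
            if name in SUSPECT_NAMES:
                reasons.append("known dropper filename")
            if name.lower().endswith(".php") and under_no_php_dir(rel_dir):
                reasons.append("php file in a static/template directory")
            if reasons:
                path = Path(dirpath) / name
                rel = f"{rel_dir}/{name}" if rel_dir else name
                findings.append((rel, "; ".join(reasons), path.stat().st_mtime))
    # Oldest first: the modification times show when each dropper was placed.
    findings.sort(key=lambda f: f[2])
    return [(rel, reason, time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(m)))
            for rel, reason, m in findings]

if __name__ == "__main__":
    webroot = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason, when in scan_magento_root(webroot):
        print(f"{when}  {rel}  ({reason})")
```

Anything it reports should be quarantined and compared against a clean copy of the same Magento version before deletion, since a dropper’s timestamp is your best lead for finding the entry point.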

Here’s a bit more information about how these files are actually used and what damage they do:

https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html


Andrew Taylor

A senior UI designer with over 25 years of web design and web development experience working for some of the largest companies in the UK. An expert in all things Magento and WordPress.

One Comment

  • Sergio Checa says:

    My website had been reported as having ransomware by magereport.com and I got desperate when I read websites had been down and people had been blackmailed, and I thought it would be so difficult to resolve since I’m not an expert, but searching Google I found your site and help and was able to fix this absurdly easily. Now I will patch my website more securely and hope this never happens again. Congratulations on your work, Andrew. It made a difference to my website. Thank you.
