Magento has been inundated with patches and security fixes. I recently encountered several odd PHP files on a client’s site that MageReport flagged as ransomware: a Magento virus that encrypts all Magento core files and demands a ransom to give you access to your site.
Magento – Ransomware files
error.php, skins.php, test1.php, test.php
These files allow a hacker to exploit your site remotely, in some cases allowing a hacker to retrieve credit card information stored within your store. If you’re a small to medium-sized business, I would strongly advise that all payments are processed by a third party. Payment gateways such as PayPal, SagePay and some of the high street banks are better placed to oversee these transactions.
These files were found in the /skins folder and are not part of the site’s original setup. Worryingly, they must have been placed by a virus or malicious script, although the site appeared in good health. They were placed at three different times, but before the November 9th ransomware virus. It is possible that they used Magento’s Connect Manager via the default /downloader folder, which has since been renamed.
The site had been patched within 24 hours of any security notification and had very few extensions or plugins, which shows that you have to be very vigilant to keep your Magento site safe.
skins.php removal
If you find any of the above files, particularly skins.php, which I have also seen within a new client’s active theme folder, remove it from your live server immediately. You may also have further files on your server, so try to do a full scan.
Here’s a bit more information about how these files may actually be used and what damage they are doing:
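A minimal scan along those lines, as an added example rather than code from the original post: it walks a web root and lists files with the names reported above, plus any PHP file under directories assumed here to hold only static assets. The directory list (skin, skins, media), the suffix list and the function name scan are assumptions of this example.

```python
#!/usr/bin/env python3
"""List files in a Magento web root that deserve a manual look."""
import os
import sys
import time
from pathlib import Path

# File names reported in this post.
REPORTED_NAMES = {"error.php", "skins.php", "test1.php", "test.php"}
# Assumption of this example: these top-level directories hold only static
# assets, so any PHP file inside them is unexpected.
ASSET_DIRS = {"skin", "skins", "media"}
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def scan(webroot):
    """Return sorted (relative_path, reason, mtime) tuples for suspect files."""
    root = Path(webroot)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        in_assets = bool(rel_dir.parts) and rel_dir.parts[0].lower() in ASSET_DIRS
        for name in filenames:
            lower = name.lower()
            reasons = []
            if lower in REPORTED_NAMES:
                reasons.append("reported-name")
            if in_assets and lower.endswith(PHP_SUFFIXES):
                reasons.append("php-in-asset-dir")
            if reasons:
                # lstat: report a symlink itself instead of following it
                mtime = (Path(dirpath) / name).lstat().st_mtime
                findings.append(((rel_dir / name).as_posix(), "+".join(reasons), mtime))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python3 scan_magento.py /path/to/webroot
    for path, reason, mtime in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(f"{stamp}  {reason:32}  {path}")
```

A reported-name hit outside the asset directories can be a legitimate file of the same name, so check it against a clean copy of your Magento version. The modification time shows when each file was placed.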
https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html
My website had been reported as having ransomware by magereport.com, and I got desperate when I read that websites had been down and people had been blackmailed. I thought it would be so difficult to resolve since I’m not an expert, but searching Google I found your site and help and was able to fix this absurdly easily. Now I will patch my website more securely and hope this never happens again. Congratulations on your work, Andrew. It made a difference in my website. Thank you.