What is Cryptojacking?
Cryptojacking is when your computer or mobile device is secretly used to mine cryptocurrencies while you browse a compromised or infected website. In November 2017, Willem de Groot found that almost 2500 Magento stores were infected with the malware.
This may lead to increased data usage on mobile devices, an increase in electricity usage, potential hardware failure because of constant use over long periods and a slower experience for users due to all their resources being hogged by the crypto miner.
How do I know if my Magento shop has been hacked?
MageReport will scan for specific signatures and can recognise if your site has been hacked. It will only scan the index page of your website. If you want to scan all the directories and files, please read below.
Scan your files for known web shells and malware manually
Byte has added the detection signatures to the malware scanner which you can run on the Hypernode. Read more about this tool on support.hypernode.com.
Every night Byte runs the malware scanner on every Hypernode. This scan only searches files that have been edited in the past 24 hours. If the scanner finds a suspicious file, our support department will get a message and will contact you if needed.
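The nightly scan described above comes down to two steps: select files changed in the last 24 hours, then match them against signatures. The following is an added example, not Byte's scanner; the signature patterns, file extensions and function names are assumptions chosen for illustration.

```python
import os
import re
import tempfile
import time

# Illustrative signatures (assumption), not the Hypernode scanner's rule set.
SIGNATURES = {
    "coinhive-loader": re.compile(rb"coinhive(\.min)?\.js", re.I),
    "coinhive-api": re.compile(rb"CoinHive\.(Anonymous|User)\s*\(", re.I),
}
SCAN_EXT = (".php", ".phtml", ".js", ".html")


def scan_recent(root, window_hours=24, now=None):
    """Return sorted (relative_path, signature) hits in recently changed files."""
    cutoff = (time.time() if now is None else now) - window_hours * 3600
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(SCAN_EXT):
                continue
            try:
                st = os.stat(path)
                # Use the later of mtime and ctime: ctime is also updated
                # when metadata (mode, owner, timestamps) changes.
                if max(st.st_mtime, st.st_ctime) < cutoff:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable, or removed during the walk
            rel = os.path.relpath(path, root)
            hits += [(rel, s) for s, rx in SIGNATURES.items() if rx.search(data)]
    return sorted(hits)


def demo():
    """Scan a constructed web root; return (hits now, hits 48 hours later)."""
    samples = {  # constructed sample files
        "index.php": b"<?php echo 'shop'; ?>",
        "footer.phtml": b'<script src="//cdn.example.invalid/coinhive.min.js"></script>',
        "notes.txt": b"coinhive.min.js",  # skipped: extension not scanned
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan_recent(root), scan_recent(root, now=time.time() + 48 * 3600)
```

The second result in `demo()` is empty because a 24-hour window no longer covers the file, which is why an infection older than a day needs a full scan of all directories rather than the incremental one.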
I have been hacked, what to do?
This is bad news. Please take the following actions immediately:
Install all Magento patches
Scan your shop with MageReport and make sure your site has all patches installed.
Remove inactive admin users
In the Magento backend you can find an overview of all admin users. These users have access to your Magento shop. Remove or disable all non-active accounts and set strong passwords for active admin users. If you want to check if you have weak admin passwords, try our tool on the Hypernode:
Reset and/or change your Magento password
Please have a look at support.hypernode.com for instructions.
Remove inactive FTP users
Read this article on support.hypernode.com on how to add/remove FTP users.
Also, please do not only remove an inactive FTP user, but also remove its IP address from the whitelist on our Service Panel.