credit card hack

Credit Card numbers leak in Magento

There’s no unbreakable protection. You may have the hosting provider with a great security: firewalls, antiviruses, malware protection etc., but.. Are you sure that your home/office computer is protected enough, and your neighbor is absolutely trusted person? It worth nothing to grab saved passwords, cookies, RSA keys from some computer and get an ability to access secured remote area. Recently, we’ve noticed that some sites were affected by the exploit which sends customers credit card numbers to a remote site. It’s useful to check your own site because you might not even guess about the ‘gremlin’ in your Magento installation.

Most often the exploit affects Saved Credit Card payment method, but it might be present in any other payment method as well. In this article we’ll explain how to ensure that Saved Credit Card payment method is not hacked as an example, and you can follow the same approach in order to check the relevant payment method used in your store. The malicious code is normally being placed in the payment method’s model: [magento_root]/app/code/core/Mage/Payment/Model/Method/Cc.php

Continue reading

Simple script to find base64_decode in your files

If you have a large site with a lot of files it can be very difficult, or at least very time consuming to locate any obfuscated php code on your site. This simple script will work on most, not all sites. The script is a PHP script so your server/site must support PHP for it to run. To use the script open a text editor then copy and paste the script below. There are two versions of the script in the grey box below. The first listing is the php code only without ant comments. The second copy contains comment lines that explain the what the various lines of code do. You should only copy one of the versions. Save the file the name does not matter, but the file must have a .php extension, I use find-string.php . Once you have saved the file upload the file in the root directory of your site. Next open the file in your browser http://yoursite.com/find-string.php or whatever you have named the file. If you have a large site with lots of files it can take awhile to run. If the script worked you should see as a minimum the find-string.php returned, the line

./your-file-name.php -> contains base64_decode

Continue reading

Temporarily disable varnish cache

How can I disable Varnish cache?

Varnish is a HTTP/web page accelerator. We use Varnish both as a load balancer and to speed up page loads by having varnish answer requests, instead of storage servers (which answer slower). Basically Varnish makes a web page faster.

Sometimes it is useful to temporarily disable varnish cache, for example when editing your website. You can do this by adding a .htaccess file with the following code to the directory that you are editing. Continue reading

SSH Keys Auth

How To Set Up SSH Keys Authentication On Linux

What is SSH Keys

SSH keys serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. One immediate advantage this method has over traditional password authentication is that you can be authenticated by the server without ever having to send your password over the network. Anyone eavesdropping on your connection will not be able to intercept and crack your password because it is never actually transmitted. Additionally, using SSH keys for authentication virtually eliminates the risk posed by brute-force password attacks by drastically reducing the chances of the attacker correctly guessing the proper credentials.

Continue reading

docker-compose

Docker: docker-compose: error while loading shared libraries: libz.so.1: failed to map segment from shared object

Today, I started to try some stuff with Docker, after install docker-engine complete smoothly. Next to install docker-compose, I recently got very annoying error on my Ubuntu 16.04 machine. Follow the instruction at https://docs.docker.com/compose/install/ , right on the step 7, after the install complete, I try to test it by command

$ docker-compose --version

Continue reading

magento upgrade

Magento upgrade with SQL error after migrate

Magento upgrade with SQL error is a terrible thing

Today, when I do Magento upgrade and migrate for customer from Magento 1.6 to Magento 2.1.0. I receive this error . The method I use to upgrade is clone from github and using composer to upgrade (not using zip file). Below are the errors I receive after running the upgrade command.

[Zend_Db_Statement_Exception]
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry ‘4-Images’ for key ‘EAV_ATTRIBUTE_GROUP_ATTRIBUTE_SET_ID_ATTRIBUTE_GR
OUP_NAME’, query was: UPDATE `eav_attribute_group` SET `attribute_group_name` = ? WHERE (`attribute_group_id`=10)

Continue reading