Volume of Magento 1 exploit probes over a 4 day period - Hypernode hosting

Today we’ve proactively changed the configuration of all Magento 1 installs currently on Hypernode to block access to Magento 1’s /downloader.

Since Magento 1 went end-of-life, we’ve noticed an increase in attacks on Magento 1, mostly aimed at /downloader. Just this weekend, more than 2000 Magento 1 stores globally were hacked through what appears to be a new “0day” leak in Magento 1. To protect your shop from this and future exploits, we’ve taken the steps described below.


What we have done

We’ve blocked access to the /downloader location in the NGINX web server configuration of all Magento 1 installs currently hosted on Hypernode.

We’ve also blocked a number of known bad actors associated with this weekend’s hacks on our global firewall. This temporarily stops them from attacking your site, but it is easily circumvented and won’t protect you from future attacks.

Later today we will also release an additional check in our security scan tool, MageReport.com, which we hope will raise awareness among Magento 1 users of this critical security issue.

What can you still do?

Most shops don’t need their /downloader/ location to be reachable from the whole internet. If you do need /downloader, we advise whitelisting the IP addresses that should be granted access. To do so, log in via SSH and edit the configuration file; the exact steps are described in our support documentation.
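As an added illustration of the block described above and the whitelist option (this is not Hypernode’s own configuration, and the file it belongs in is the one their support documentation points to), here is an NGINX rule that closes /downloader to everyone except listed addresses. The IP addresses and the PHP-FPM socket path are placeholders.

```nginx
# Added example, not Hypernode's configuration. Goes inside the server {}
# block that serves the Magento 1 document root.
#
# "^~" is a prefix match that takes precedence over regex locations such as
# "location ~ \.php$", so /downloader/index.php cannot bypass this rule and
# reach PHP-FPM through the generic handler.
location ^~ /downloader {
    # Placeholder addresses: replace with the office/VPN addresses that
    # genuinely need Magento Connect Manager. Delete the allow lines to
    # block everyone, which is what most shops should do.
    allow 203.0.113.10;
    allow 198.51.100.0/24;
    deny  all;              # everyone else receives 403

    # Whitelisted clients still need PHP to run /downloader/index.php.
    # The allow/deny rules above are inherited by this nested location.
    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/var/run/php-fpm.sock;   # assumed socket path
    }
}
```

If Varnish, a load balancer or a CDN sits in front of NGINX, `allow`/`deny` compare against the proxy’s address unless the real IP module (`set_real_ip_from`/`real_ip_header`) is configured, so verify the whitelist with a request from a non-listed address before relying on it.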

How did we discover these requests?

The Hypernode platform is all about learning and automation. When we learn about a new wave of exploits for Magento, we investigate what the cause could be. Because we are able to analyse many logs at once, we were able to pinpoint this attack and develop countermeasures.