A Web Application Firewall (WAF) is Not the Way to Deal With the Reoccurrence of a Hack of a Website

These days quite a bit of our business dealing with the cleanup of hacked websites is re-cleaning websites after other security companies didn’t clean them up properly before us. Troublingly, we recently noticed a company that offers to clean up websites, ASTRA Security, treating that as a normal result and using it to promote the use of a web application firewall (WAF), which they also sell:

Even after clean up and restoring your site, the Magento admin hack may reoccur. The reasons could be a backdoor left by the attacker or simply a vulnerability that may be left unpatched. To avoid such scenarios it is highly recommended to use a WAF or security solution of some sort.

If there is still a backdoor on the website, that means it hasn’t been cleaned up, since a backdoor is something that would be removed during the cleanup, which someone cleaning up hacked websites should understand.

Part of a proper cleanup is trying to figure out how the website was hacked, so if a vulnerability is left unpatched then things probably have not been done right either.

The providers of WAFs don’t provide evidence that they provide effective protection against vulnerabilities, while we have seen plenty of evidence that they don’t provide it. It would be even more difficult for them to protect against exploitation of backdoors, due to the wide variety of their locations and of what is done through them, which someone cleaning up hacked websites should also understand.

The best way to handle a reoccurrence is to avoid one in the first place by hiring someone like us that will properly clean up the website. If you didn’t do that then the next best solution is to hire someone to re-clean it that will do things properly.

ASTRA Security is Promoting Cleaning Up Hacked Magento Websites Despite Not Knowing Basics of Dealing With Them

While looking around to see if others had already written blog posts about something we ran across while dealing with a hacked website, we noticed something from a security company, ASTRA Security, that seems worth noting, since the company appears not to have a basic understanding of what they are doing. In a post that seems to be built around promoting having that company clean up hacked Magento websites, there were multiple glaringly strange claims.

There is this section:

Config.php is an important file of the Magento installation. This file basically facilitates connection between the file system and the database. Config.php contains the database connection credentials. Apart from this, it can also be used to:

  • Define the security keys.
  • To specify the database prefix.
  • To set the default language for your admin panel.

Magento 1

In the first version of Magento, app/etc/config.php contained the list of installed modules, themes and language packages apart from the shared configuration settings.

That file doesn’t exist in Magento 1, and in Magento 2, where the file does exist, it doesn’t contain what is mentioned there.

Things get odder right after that, as this is written:

Magento 2

In the newer version which is Magento 2, the app/etc/config.php file is no longer an entry in the .gitignore file. This was done to facilitate better development of the software.

Multiple times, config.php has been infected with malicious code by the hackers to steal user credentials. Here is one such malware sample which was found inside /includes/config.php.

The files /app/etc/config.php and /includes/config.php are different files; it seems that this company doesn’t understand that two files can share a name without being the same.

All of that indicates this company shouldn’t be dealing with Magento websites since they lack a basic understanding of the software, but it appears they don’t have even a basic understanding of web development, as they also wrote this in their post:

Tools like phpMyAdmin are of great help in searching for multiple Magento admin hack infected files in one go. Search for malicious code using phpMyAdmin as shown in the image below.

phpMyAdmin is a database administration tool, so it can’t search files at all, much less search multiple at once. That is a very common tool, so failure to understand that seems odd for someone dealing with websites, much less doing something more advanced, namely cleaning up hacked websites.

Unfortunately, the security industry seems to be filled with companies that don’t seem to care about having the necessary skills to handle the work they offer, and the results are, not surprisingly, often bad.

If you need someone to clean up a hacked Magento website that actually has years of experience of working with Magento websites and cleaning up hacked ones, we provide that.