UnderstandE version of magmi appears not to be secure
David Patterson
Member
May 8, 2016 - 1:58 pm
Member Since: April 13, 2014
Forum Posts: 127

I was hosting with 1and1.co.uk. I was happy with their services, the value, and the performance of my site; however, every month or two I would get an email from 1and1 which reads something like:

Anti-virus scan reports: Your 1&1 webspace is currently under attack. Our team of experts has now analyzed the incident. They ascertain that your 1&1 hosting account has been attacked via an insecure script you installed on your webspace.
1. Analysis of the attack
1.1 The hackers processed the attack through a security leak in your software:

Magento

1.2 Via this security leak, they uploaded the following malicious files to your webspace:

./magento/skin/test.php
./magento/magmi-importer/plugins/extra/datasources/test.php
./magento/magmi-importer/plugins/base/general/cache/config.php

I decided to move the site to a ‘simple servers’ hosting account. Simple servers informed me that the magmi folder is not secure. I have attached a screen grab from https://www.magereport.com. I am using the Understanding-e version of magmi (see image attached). Simple Servers' fee for securing magmi is £78.00. I had followed the understanding-e videos when I installed magmi (approx. 3 years ago). My question for @matt or @Dave1 is: do you have any video tutorials which show how to secure magmi, which would show magmi as secure in a https://www.magereport.com report?

Attachments: UE-magmi.JPG, magereport.JPG

Carl...O

Excellent
May 10, 2016 - 12:34 pm
Member Since: June 11, 2015
Forum Posts: 35

As of today all my images in magento have disappeared and my magmi import will now not go over 5% (for a tiny file, and I have never had this problem before with much bigger files), so I am wondering if this problem is linked?

There are other images missing though in magento which were not uploaded via magmi, so I am not sure what has gone on here.

leonm

Excellent
May 10, 2016 - 2:23 pm
Member Since: June 30, 2015
Forum Posts: 12

So they charged you £78 to change folder permissions, that’s what it looks like.

leonm

Excellent
May 10, 2016 - 2:39 pm
Member Since: June 30, 2015
Forum Posts: 12

Just out of interest I put up a quick demo site with demo content and ran it through magereport. Everything was fine.

David Patterson
Member
May 10, 2016 - 7:14 pm
Member Since: April 13, 2014
Forum Posts: 127

leonm said
So they charged you £78 to change folder permissions, that’s what it looks like.

@leonm – £78 is what they quoted. I thought it sounded a bit steep so I was hoping the solution would be available on one of the understandinge videos.

leonm said
Just out of interest I put up a quick demo site with demo content and ran it through magereport. Everything was fine.

@leonm – I wonder is it because I am using a different version of magmi or a different version of the understandinge magmi skin. I am using Magmi version: 0.7.18 and Theme Version: 1.1 (see attached).

@Carl…O – Sounds strange. When I run my site through magereport.com it reports that magmi is unprotected and advises the following fix:

https://support.hypernode.com/knowledgebase/how-to-secure-magmi-2/

Attachment: magmi-version.JPG

Paul Cartwright
West Midlands, UK

Partner
May 11, 2016 - 2:15 pm
Member Since: January 7, 2015
Forum Posts: 414

Rather than paying £78 to change folder permissions, you could change the name of the magmi folder so it's not so easy to spot where it is, and in cpanel you can set it so you need to enter a password to access the magmi url.

I’m pretty sure Matt & Dave did a tutorial on securing magmi further.

Hope this helps
Paul

Everyday is an opportunity to learn something new
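
Added example (not part of the original thread and not UnderstandingE or Magmi code): a small Python audit that walks a web root, finds Magmi installs, and reports whether each one still has a guessable folder name and whether an Apache `.htaccess` password or deny rule covers it, which are the two measures suggested above. It assumes an Apache-style host where cPanel writes directory passwords into `.htaccess`, identifies an install by the `plugins/base` and `plugins/extra` folders seen in the 1&1 report, and uses a constructed sample tree (`imp-7f3a` and the `.htpasswd` path are made-up names).

```python
import os
import re
import tempfile

# .htaccess directives that restrict access: Basic auth or a blanket deny.
PROTECT_RE = re.compile(
    r"^\s*(Require\s+valid-user|Require\s+all\s+denied|Deny\s+from\s+all)\b",
    re.IGNORECASE | re.MULTILINE)

def looks_like_magmi(path):
    # Assumption: an install has plugins/base and plugins/extra (layout seen in the 1&1 report).
    return all(os.path.isdir(os.path.join(path, "plugins", s)) for s in ("base", "extra"))

def is_protected(path, webroot):
    # Apache merges .htaccess files from the web root down, so check every ancestor.
    current, root = os.path.abspath(path), os.path.abspath(webroot)
    while True:
        htaccess = os.path.join(current, ".htaccess")
        if os.path.isfile(htaccess):
            with open(htaccess, encoding="utf-8", errors="replace") as fh:
                if PROTECT_RE.search(fh.read()):
                    return True
        parent = os.path.dirname(current)
        if current == root or parent == current:
            return False
        current = parent

def audit_magmi(webroot):
    findings = []
    for dirpath, dirnames, _ in os.walk(webroot):
        if looks_like_magmi(dirpath):
            findings.append({
                "path": os.path.relpath(dirpath, webroot),
                "guessable_name": "magmi" in os.path.basename(dirpath).lower(),
                "password_protected": is_protected(dirpath, webroot),
            })
            dirnames[:] = []  # do not descend into the install itself
    return sorted(findings, key=lambda f: f["path"])

def demo():
    # Constructed sample tree: one install left as-is, one renamed and password-protected.
    with tempfile.TemporaryDirectory() as root:
        for name in ("magmi-importer", "imp-7f3a"):
            for sub in ("base", "extra"):
                os.makedirs(os.path.join(root, "magento", name, "plugins", sub))
        with open(os.path.join(root, "magento", "imp-7f3a", ".htaccess"), "w") as fh:
            fh.write('AuthType Basic\nAuthName "Restricted"\n'
                     "AuthUserFile /home/example/.htpasswd\nRequire valid-user\n")
        return audit_magmi(root)
```

Calling `audit_magmi()` on a real web root gives a static check of the files only; a directory flagged as unprotected here is the same condition an external scan reports as "magmi unprotected", and a host that does not honour `.htaccess` (nginx, for example) needs its own server-level rule instead.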

leonm

Excellent
May 11, 2016 - 4:11 pm
Member Since: June 30, 2015
Forum Posts: 12

I think the version I used was 1.2. Are you on nginx? If you have ssh access, have you tried implementing the fix? What is the fix they are telling you to do?

David Patterson
Member
May 11, 2016 - 7:29 pm
Member Since: April 13, 2014
Forum Posts: 127

Thanks Paul. I will do that tutorial on ‘SECURING MAGMI FURTHER’. I must have left that tutorial out during the magento/magmi setup as I was with 1and1 at the time, which didn't use cpanel:

https://understandinge.com/lesson/imp-0010/

I will also update to the latest version of the understandinge magmi.

Thanks.

Dave Furness

Founder
May 12, 2016 - 9:26 am
Member Since: July 19, 2013
Forum Posts: 4606

Thanks for jumping in Paul, yep securing Magmi further is the one you want :)

Dave

Every expert was once a beginner

 
