Today I’ve struggled with very unusual hack. I’ve got a request from my partner to fix one of his clients Magento stores recently listed on Google as hacked site.
My antimalware tools showed nothing wrong in the code, I’ve found nothing wrong in the git repository (later it appeared that the buddy before committed the malware with git add -A from server).
There was nothing wrong with the SEO content in the source code. Usual meta name and description but fetching the site in Google Webmaster tools as Google showed some Viagra etc. words there.
I’ve realized finally, that the hack is good enough to stay visible only for robots which I’ve managed to debug quickly using:
curl -sD – -L -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" http://somewebsite.com/customer/account/login/
Indeed, the site content was completely different for human visitor and Google robots indexing the store. Debugging file after file from template to controller and repeating the curl call I’ve found out that app/Mage.php had an addition:
@include_once BP . DS . 'app' . DS . 'etc' . DS . 'modules' . DS . "include.php";
Replacing site content only for robots.
Damn people, always watch what you commit from the server to the repo.