A week or so ago, one of the Magento sites that I administer started spewing out offers for wonderful Gucci handbags and similar products. Obviously all fingers were pointed at me as the one not looking after the site properly. Now, I always admit that there is some level of irresponsibility involved in allowing anyone at all FTP access to a production site, so I had a really good look to identify the culprit.
You see, I use a couple of little scripts to lock the site down tight for normal use, and it's well-nigh impossible to change anything that isn't volatile in the day-to-day running of the site. So I was a bit perplexed, to say the least. The first check was that the site was locked, and it was. Next up, identify any other files that may have been hacked... there were two, both part of the Magento theme the site was using. Next up was to work through the logs and see who was logged in at the time each file was last changed. There was only one session, FTP, open at the time each file was changed, both from the same IP address.
Yes, you've guessed it: the site developers had been compromised and were uploading hacked code.
For those who may be interested in how I lock my sites down, here's what I do. The idea is simple: everything that does not change in the day-to-day running of the site is owned by an unprivileged account, stripped of write permission and marked immutable with chattr, so neither the web server's account nor an FTP login can alter it; only root can clear the immutable bit, and it has to be cleared before even root can write. Directories that must stay writable, such as var and media, are simply left out of the list. The lock has to be lifted for legitimate updates, and that window is exactly when stolen developer credentials do their damage (FTP also sends the password in the clear, which is one more way for it to leak), so keep the window short and re-lock as soon as the upload is done.
(This example is for Ubuntu 10.04 LTS, but it is easily modified for other systems.)
# Run as root: chattr +i needs CAP_LINUX_IMMUTABLE. Tool paths, accounts and the docroot are assumed; the post does not define them.
CHMOD=/bin/chmod; CHOWN=/bin/chown; CHATTR=/usr/bin/chattr; NOBODY=nobody; NOGROUP=nogroup; WEBOWNER=www-data; WEBGROUP=www-data
cd /var/www/magento || exit 1
lock() {   # var and media are not in the list, so they stay writable for day-to-day running
  for list in app cron.php cron.sh downloader errors favicon.ico includes index.php install.php js lib logo.gif mage pear pkginfo shell skin .htaccess; do
    if [ -e "$list" ]; then
      $CHMOD -R o-w+X,g-w+X,u-w+X "$list"      # drop write for everyone; keep execute only on dirs and files that already have it
      $CHOWN -R $NOBODY:$NOGROUP "$list"
      $CHATTR -R +i "$list"                    # immutable: not even root can write until the bit is cleared
    fi
  done
  $CHOWN $NOBODY:$NOGROUP .                    # the docroot itself, so nothing new can be dropped into it
  $CHATTR +i .
}
unlock() {   # before a legitimate update; run lock again as soon as the update is done
  $CHATTR -Ri .
  $CHOWN -R $WEBOWNER:$WEBGROUP . .htaccess
  $CHMOD -R u+wX,g+wX .
}
case "$1" in lock|unlock) "$1" ;; *) echo "usage: $0 lock|unlock" >&2; exit 1 ;; esac
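The three checks described earlier (is the lock actually in place, which files changed, and who was logged in to FTP when they changed) are easy to get wrong by eye when the log is long. The script below is an added example, not the author's scripts, that runs those checks over captured text so it works offline: the lsattr output and FTP log are constructed samples, the log lines follow vsftpd's format (an assumption; the post does not name the FTP daemon), and every path, account name and IP address in it is hypothetical.

```python
"""Post-incident checks for a chattr-locked Magento docroot (added example,
not the author's scripts). Runs three checks over captured text: is the lock
in place, which files changed, who was on FTP when they changed.
LSATTR_OUTPUT and FTP_LOG are constructed samples, the log follows vsftpd's
format (an assumption), and every path, account and address is hypothetical."""
import re
from datetime import datetime, timedelta

# Entries the lock script makes immutable (the post's list).
PROTECTED = set("app cron.php cron.sh downloader errors favicon.ico includes "
                "index.php install.php js lib logo.gif mage pear pkginfo shell "
                "skin .htaccess".split())

# Constructed `find . | xargs lsattr -d` output: flags, then path. `i` in the
# flags is the immutable bit. var is meant to stay writable and is not listed.
LSATTR_OUTPUT = """\
----i---------e------- ./index.php
----i---------e------- ./.htaccess
----i---------e------- ./app
----i---------e------- ./app/design/frontend/default/shop/template/page/html/head.phtml
--------------e------- ./skin
--------------e------- ./skin/frontend/default/shop/js/menu.js
--------------e------- ./var
"""

# Constructed vsftpd-style log; 203.0.113.9 plays the developers' address.
FTP_LOG = """\
Mon Sep 12 09:41:10 2011 [pid 2831] CONNECT: Client "203.0.113.9"
Mon Sep 12 09:41:12 2011 [pid 2830] [shopdev] OK LOGIN: Client "203.0.113.9"
Mon Sep 12 10:02:47 2011 [pid 2832] [shopdev] OK UPLOAD: Client "203.0.113.9", "/app/design/frontend/default/shop/template/page/html/head.phtml", 4112 bytes, 33.50Kbyte/sec
Mon Sep 12 10:03:05 2011 [pid 2832] [shopdev] OK UPLOAD: Client "203.0.113.9", "/skin/frontend/default/shop/js/menu.js", 9011 bytes, 61.02Kbyte/sec
Mon Sep 12 14:15:00 2011 [pid 3104] CONNECT: Client "198.51.100.20"
Mon Sep 12 14:15:02 2011 [pid 3103] [shopdev] FAIL LOGIN: Client "198.51.100.20"
"""

# Constructed: the altered template and the mtime `stat` reported for it.
HEAD_PHTML = "/app/design/frontend/default/shop/template/page/html/head.phtml"
HEAD_PHTML_MTIME = datetime(2011, 9, 12, 10, 2, 47)

LSATTR_RE = re.compile(r"^(\S+)\s+(.+)$")
FTP_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<event>[A-Z ]+?): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?')


def unlocked_protected(lsattr_text):
    """Paths inside the locked set whose flags lack the immutable bit.
    Anything returned means the lock was not fully in place."""
    missing = []
    for line in lsattr_text.splitlines():
        m = LSATTR_RE.match(line.strip())
        if not m:
            continue
        flags, path = m.groups()
        rel = path[2:] if path.startswith("./") else path
        if rel.split("/", 1)[0] in PROTECTED and "i" not in flags:
            missing.append(rel)
    return sorted(missing)


def parse_ftp_log(text):
    """One dict per recognised vsftpd line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FTP_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                           "user": m["user"], "event": m["event"],
                           "client": m["client"], "path": m["path"]})
    return events


def sessions_at(events, when, slack=timedelta(minutes=2)):
    """(user, client) pairs whose logged activity brackets `when`.
    vsftpd logs no disconnect, so a session is approximated by the span from
    its first to its last logged line, widened by `slack`. CONNECT lines have
    no user and are skipped; a failed login still counts as activity."""
    spans = {}
    for ev in events:
        if ev["user"] is None:
            continue
        key = (ev["user"], ev["client"])
        first, last = spans.get(key, (ev["time"], ev["time"]))
        spans[key] = (min(first, ev["time"]), max(last, ev["time"]))
    return sorted(k for k, (first, last) in spans.items()
                  if first - slack <= when <= last + slack)


def uploads_of(events, path):
    """(time, user, client) for every logged upload of `path`."""
    return [(ev["time"], ev["user"], ev["client"]) for ev in events
            if ev["event"] == "OK UPLOAD" and ev["path"] == path]


if __name__ == "__main__":
    print("not immutable:", unlocked_protected(LSATTR_OUTPUT))
    evs = parse_ftp_log(FTP_LOG)
    print("on FTP at", HEAD_PHTML_MTIME, "->", sessions_at(evs, HEAD_PHTML_MTIME))
    print("uploads of head.phtml:", uploads_of(evs, HEAD_PHTML))
```

On a real box, feed `unlocked_protected` the output of `find . | xargs lsattr -d` run in the docroot and `parse_ftp_log` the daemon's log; the file's mtime comes from `stat -c %y`. Sessions are keyed on user and client address rather than on pid because vsftpd logs the connect, login and transfer lines from different processes, and an uploaded file's mtime is the moment the upload completed, so `uploads_of` at the mtime is the direct match while `sessions_at` shows everyone else who was on at the time.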