Hacking a Bitrix Site: Backdoor in CMS Bitrix
To protect your Bitrix site from hacking and backdoors, follow these recommendations:
- Install all updates and patches released by the 1C-Bitrix developer. They close the vulnerabilities through which backdoors get planted in the first place.
- Use only licensed copies of 1C-Bitrix. Pirated ("nulled") distributions commonly ship with a backdoor already built in.
- Rename default file and folder names where the CMS allows it. This only makes it harder for automated scanners to hit well-known paths; it is no substitute for the other measures.
- Use strong passwords for the administrative panel, and never reuse a password across different sites.
- Set restrictive file and folder permissions on the server. Configuration files that contain credentials (bitrix/.settings.php, bitrix/php_interface/dbconn.php) should be readable only by the web server user, and that user should be able to write only where the CMS actually needs it (upload/, bitrix/cache/ and the like).
- Install antivirus software on the server and scan the site for malware regularly.
- Back up the site files and database regularly and keep the copies off the server, so that you can restore a clean state after a hack.
By following these recommendations, you reduce the risk of hacking and backdoors on Bitrix sites.
If your 1C-Bitrix site redirects visitors to suspicious resources, serves a JavaScript miner, or has stopped working the way it used to, it has most likely been hacked.
Hacks of 1C-Bitrix sites typically go through a backdoor planted in the site's files. In Bitrix the usual backdoor is a small PHP file dropped into the site tree that creates an authorized administrator session for whoever requests it (the code instantiates CUser and calls its Authorize() method with the administrator's user ID, by default 1), so the attacker can come back without a login and password and continue destructive actions on the site.
If you have found signs of a hack, first remove the files that belong neither to the CMS distribution nor to your own project, and any files that contain malicious code (the file integrity check in the Proactive Protection module helps to spot modified core files). In addition, check for the presence of the following files:
- bitrix/admin/mobile/new.php
- bitrix/tools/new.php
- bitrix/new.php
- bitrix/settings.php (not to be confused with .settings.php!)
- bitrix/mobile/settings.php
- bitrix/mobile/config.php
- bitrix/tools/settings.php
- bitrix/tools/config.php
If any of these files exist, they almost certainly contain a backdoor and must be removed immediately. Save a copy of each one outside the web root first and note its modification time: matching it against the web server access log usually shows how and when it was planted.
If you host several 1C-Bitrix sites on one server, you can search for backdoor files with a single command. On ISPmanager servers, where sites live under /var/www/<user>/data/www/<domain>/, the command looks like this:
cd /var/www && find . -maxdepth 5 -type d -name 'bitrix' | cut -d'/' -f2 | sort -u | xargs -I{} find ./{}/data/www -type f \( -name new.php -o -name settings.php \) | xargs -I{} grep -ilE 'new CUser\(|->Authorize\(' {}
It lists every new.php or settings.php under the sites' document roots whose contents create a CUser object or call Authorize(). Two details matter: the \( ... \) around the -name tests keep -type f applying to both names (without the grouping, find would also list directories named settings.php), and the parentheses in the grep pattern are escaped so that they match literally (with unbalanced, unescaped parentheses the pattern is an invalid regular expression and grep refuses it).
Note that the command only covers sites located at ISPmanager's standard path, and that a match is not proof by itself: open each listed file and check what it does before deleting it, because legitimate code can use the same calls.
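The two checks above (the list of known drop paths and the grep for CUser/Authorize) combined into a scanner for a single document root, as an added example that is not part of the original article. It fixes the two problems of the one-liner (find precedence and the grep pattern), survives odd file names with -print0/-0, and keeps the name filter narrow because bitrix/modules legitimately contains both calls. The function names are mine, and the sample tree with its file contents is constructed for the demo, not taken from a real site.

```shell
#!/bin/sh
# Added example, not from the original article: scan one Bitrix document
# root for the known backdoor drop paths and for drop-named PHP files whose
# code forges an authorized session (new CUser / ->Authorize).
# The demo tree built at the bottom is constructed; it is not a real site.

# Known drop locations, relative to the site document root (from the article).
SUSPECT_PATHS='bitrix/admin/mobile/new.php
bitrix/tools/new.php
bitrix/new.php
bitrix/settings.php
bitrix/mobile/settings.php
bitrix/mobile/config.php
bitrix/tools/settings.php
bitrix/tools/config.php'

# Print every suspect path that exists under the given document root.
# bitrix/.settings.php (leading dot) is a legitimate core file and is
# deliberately absent from the list.
find_known_backdoor_files() {
    sroot=$1
    printf '%s\n' "$SUSPECT_PATHS" | while IFS= read -r rel; do
        if [ -f "$sroot/$rel" ]; then printf '%s\n' "$sroot/$rel"; fi
    done
    return 0
}

# Print files named new.php / settings.php / config.php whose contents
# instantiate CUser or call Authorize(): the way a backdoor obtains an admin
# session without credentials. The \( ... \) grouping makes -type f apply to
# all three names; -print0/-0 keeps unusual file names intact; -F treats the
# patterns as literal strings so the parenthesis needs no escaping.
# Keep the name filter: bitrix/modules uses both calls legitimately.
find_auth_bypass_code() {
    sroot=$1
    find "$sroot" -type f \( -name new.php -o -name settings.php -o -name config.php \) -print0 \
        | xargs -0 -r grep -l -i -F -e 'new CUser' -e '->Authorize(' || true
}

# Union of both checks, one path per line, sorted and de-duplicated.
scan_bitrix_root() {
    { find_known_backdoor_files "$1"; find_auth_bypass_code "$1"; } | sort -u
}

# Build a throwaway tree: one legitimate core config, one planted backdoor,
# one harmless file with a suspicious name, one core file that uses the same
# API legitimately. Prints the root path. Constructed for the demo.
build_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/bitrix/tools" "$demo/bitrix/modules/main"
    # Legitimate core config: must not be flagged.
    cat > "$demo/bitrix/.settings.php" <<'EOF'
<?php
return ['cache' => ['value' => ['type' => 'files']]];
EOF
    # Planted backdoor: whoever opens it becomes user ID 1 (the administrator).
    cat > "$demo/bitrix/tools/new.php" <<'EOF'
<?php
require($_SERVER['DOCUMENT_ROOT'].'/bitrix/modules/main/include/prolog_before.php');
$u = new CUser;
$u->Authorize(1);
EOF
    # Suspicious name, harmless contents: reported by name only, for review.
    cat > "$demo/bitrix/new.php" <<'EOF'
<?php
echo 'nothing to see';
EOF
    # Core-style file using the same API legitimately: must not be flagged.
    cat > "$demo/bitrix/modules/main/user.php" <<'EOF'
<?php
class CUser { public function Authorize($id) { /* core code */ } }
EOF
    printf '%s\n' "$demo"
}

# Demo run: prints bitrix/new.php (by name) and bitrix/tools/new.php (by name
# and by content) under the temporary root, then cleans up.
root=$(build_demo_tree)
scan_bitrix_root "$root"
rm -rf "$root"
```

Run scan_bitrix_root once per document root (on ISPmanager, /var/www/<user>/data/www/<domain>) and review every listed file by hand: bitrix/new.php in the demo is reported on the strength of its name alone, which is exactly the kind of file to open rather than delete blindly.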
To prevent 1C-Bitrix site hacks, it is also recommended to:
- Use only licensed software.
- Install all updates for the Bitrix CMS and for the components used on the site.
- Do not use weak passwords, and do not let several users share the same password.
- Regularly check the site for vulnerabilities and potential security threats.
- Use additional security tools such as firewalls, antivirus software, and the Proactive Protection module where your Bitrix edition includes it.