Developers frequently feel a lot of pressure to find areas of possible compromise. Such a daunting task can be stressful yet rewarding. Here are some tips to help you get started.

As a developer:

Look for PHP Files in /media or /skin Folders

Check for PHP files in directories where they do not belong. The two main directories to check are the media and skin folders. Also check the JS directory, as that can be an area of compromise.

Look for .htaccess Files in /media or /skin Folders

Because of the default .htaccess restrictions, someone would have to include a .htaccess file to remove those restrictions. So finding the .htaccess in your /media or /skin almost certainly tells you that something has been compromised.

On the same note, you want to make sure that the .htaccess files that are in /var/ and /media/ are still restricting access as they should.

Check var Package

Specifically, check var/package/tmp/package.xml, which contains the package definition XML of the last extension that was installed via Magento Connect. You may find your culprit there.

Also, the downloader/.cache directory will include copies of extensions that have been downloaded and installed.

Search your Codebase for Bad Strings

Check the codebase for bad strings such as base64_*code, file_put_contents, etc. Note that not all base64 code is evil, so check before removing it. It may just be an encrypted module.

Also consider comparing your codebase against a vanilla Magento install to ensure core files haven't been modified.

Check the database for compromises as well, for example credit-card-stealing JavaScript that might be lurking somewhere, tucked away in places like the footer settings.

Error Logs

Lastly, some hosting providers will have an error_log file that is generated in the web root when something weird happens. Look for any error_log files in places where they should not be. Should you find such logs, it indicates that a script was run but hit an error, so you then need to look for that rogue script.
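The file-system checks above, gathered into one read-only shell script. This is an added example, not part of the original article; the function names are hypothetical, and it assumes the directory layout described above with the web root passed as the first argument.

```shell
#!/bin/sh
# Added example: read-only triage of a Magento web root.
# Function names are hypothetical; paths and strings come from the article.
# Every hit is a lead to compare against a clean install, not proof.

# PHP files under the asset directories the article names.
find_stray_php() {
    for d in media skin js; do
        if [ -d "$1/$d" ]; then find "$1/$d" -type f -iname '*.php*'; fi
    done
}

# .htaccess files under media and skin, to compare with the stock ones.
find_htaccess() {
    for d in media skin; do
        if [ -d "$1/$d" ]; then find "$1/$d" -type f -name '.htaccess'; fi
    done
}

# PHP files that contain the strings the article calls out.
find_bad_strings() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'base64_(en|de)code|file_put_contents' {} + || true
}

# error_log files anywhere in the tree.
find_error_logs() {
    find "$1" -type f -name 'error_log'
}

# Run all checks against the web root given as $1.
triage() {
    echo '== PHP in media/skin/js ==';    find_stray_php "$1"
    echo '== .htaccess in media/skin =='; find_htaccess "$1"
    echo '== suspicious strings ==';      find_bad_strings "$1"
    echo '== error_log files ==';         find_error_logs "$1"
    echo '== last Connect package ==';    ls -l "$1/var/package/tmp/package.xml" 2>/dev/null || true
    echo '== downloader cache ==';        ls -la "$1/downloader/.cache" 2>/dev/null || true
}

# Usage: sh triage.sh /path/to/magento
if [ -n "${1:-}" ]; then triage "$1"; fi
```

The script only lists files and never modifies or deletes anything, so it is safe to run against a copy of a site that is being preserved for investigation.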

Compromises are found everywhere. They might be in an area listed above or elsewhere on your site, so make sure you check anything that looks out of place. Be especially watchful if you see changes that none of your team remembers making, or images that do not follow the Magento standard of images/j/i/jimmy.jpg. As a developer you are often the last line of defense, so assume nothing and check everything.