On October 20, 2015 Magento sent announce to all Magento installations via news feed in backend:
New Malware Issue. Make Sure You Have Implemented All Security Patches
We have received reports that some Magento sites are being targeted by Guruincsite malware (Neutrino exploit kit). We have NOT identified a new attack vector at this time. Nearly all the impacted sites checked so far were vulnerable to a previously identified and patched issue; sites not vulnerable to that issue show other unpatched issues. Visit the Magento Security Center at http://magento.com/security/news/important-security-update for more information on how to address this issue and make sure that you have implemented all recent security patches.
The complete malware code is added to footer through miscellaneous HTML in Magento admin, it starts like
Another modification of the code is not obfuscated. Both modifications load
Soon after the hack you may receive notification from Google with Malware infection detected subject, which means that Google has blocked access to your site with “Reported attack page” blocker:
To mitigate the GuruIncSite malware
- navigate in Backend to System > Configuration > Design > Footer > Miscellaneous HTML and delete all code there:
- Navigate to CMS > Pages > Home > Content in Backend, click Hide Editor to switch to code view and delete malicious code between
</script>tag (selected on the screenshot):
- IMPORTANT: Navigate to System > Magento Connect > Magento Connect Manager and check for updates. Update all third-party extensions, uninstall any non-used third-party extensions
- delete any unknown users at System > Permissions > Users
- Flush Magento cache to apply changes
- Scan your store with our security tester and ensure store is safe, GuruIncSite Malware not found. If not, repeat the steps above (for other CMS pages / static blocks / extensions)
- open Google Webmaster Tools and navigate to Security tab and confirm that the malware is removed to open access to your site for visitors:
- To prevent it from re-occurance Scan your store for unpatched vulnerabilities and install all patches or upgrade to the latest Magento version.
If you have any difficulties with removing this malware or have some additional details on the hack, please share this info in comments.
Posted in: Magento Maintenance