July 10, 2017: We are receiving reports about massively infected Magento sites with Javascript redirect malware to one of the following sites:
http://mon.setsu.xyz https://tiphainemollard.us/index/? https://melissatgmt.us/redirect_base/redirect.js https://ribinski.us/redirect_base/redirect.jsTo this time, it seems like caused by old unpatched vulnerabilities, same as Guruincsite malware, so mitigation is very similar.
Mitigation
- navigate in Backend to System > Configuration > Design > Footer > Miscellaneous HTML and System > Configuration > General > Design > HTML Head > Miscellaneous Script and delete all code there:
Removing GuruIncSite Malware code from footer in Magento - IMPORTANT: Navigate to System > Magento Connect > Magento Connect Manager and check for updates. Update all third-party extensions, uninstall any non-used third-party extensions
- delete any unknown users at System > Permissions > Users
- Flush Magento cache to apply changes
- Scan your store with our security tester and ensure store is safe, GuruIncSite Malware not found. If not, repeat the steps above (for other CMS pages / static blocks / extensions)
- To prevent it from re-occurance Scan your store for unpatched vulnerabilities and install all patches or upgrade to the latest Magento version.
Posted in: Magento Maintenance