Guruincsite Attacks have been identified recently on thousands of Magento stores. Hackers inject a malicious script in to the database tables which creates iframes from “guruincsite (.) com”. Over 7900 Magento websites have been found by Google as infected by this malicious script.
There are two kinds of modifications been found; bellow is the simple javascript with iframe.
(copyright: sucuri.net)
and a second one is more obfuscated javascript code, which gives a similar output.
(copyright: sucuri.net)
This attack will inject the iframe with “hxxp://guruincsite[fusion_builder_container hundred_percent=”yes” overflow=”visible”][fusion_builder_row][fusion_builder_column type=”1_1″ background_position=”left top” background_color=”” border_size=”” border_color=”” border_style=”solid” spacing=”yes” background_image=”” background_repeat=”no-repeat” padding=”” margin_top=”0px” margin_bottom=”0px” class=”” id=”” animation_type=”” animation_speed=”0.3″ animation_direction=”left” hide_on_mobile=”no” center_content=”no” min_height=”none”][.]com/2.php” URL and its harmful website.
The Vulnerability
Security professionals are currently investigating this infection vector and when there is more details will be release soon. Its been suspected that it was some vulnerability in Magento core files or a third-party extension that allowed it to infect the database within a short time.
Since this attack show that there is a vulnerability, which provides access to the database, these hackers or even others could use it to create similar malicious codes to create users accounts and gain access to the magento store; so it is recommended to to review your site’s user list.
How To Fix?
At this point only a temporary fix is possible, which is scanning the whole database tables for code like, “guruincsite” domain or code like “function LCWEHH(XHFER1){XHFER1=XHFER1” and remove the suspected code.
Its said that, it has been injected in the design/footer/absolute_footer entry from the core_config_data table, but there are cases where its been injected in home CMS page as well.
Make sure to update everything: core files and extensions.
You might also need to look in to use a website firewall to protects your site against known attacks, even not yet discovered vulnerabilities, and control access to site admin section only to authorized users.
Once the malicious code is removed you may need clear your Magento cache and your Varnish cache (if you use it), to remove the code from cached cms pages. Then request a security review by Google through Webmaster Tools.
Hope this article helps someone![/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]