Select Page

How to clean Guruincsite malware from hacked Magento web sites and remove Google blacklisting

How to clean Guruincsite malware from hacked Magento web sites and remove Google blacklisting

Since 17th Oct, we’ve have been receiving website hack recovery requests from Magento shops infected with Guruincsite,com malware.

There are two variations of the malicious code – one that has obfuscated code (gibberish) containing function LCWEHH(XHFER1){XHFER1=XHFER1, and another that shows xhr.open('GET', 'http;//guruincsite,com/1,php'.

See how we secure your websites from malware!

Most of the hack recovery requests were from sites blacklisted by Google, and as of this writing, Google has listed 8527 domains infected with this malware.

Website owners reported seeing an alert “The site ahead contains malware” in browsers, see “Malicious software is hosted on 1 domain(s)” when clicking on Google search results, or got a mail from Google webmaster with the subject ” [Webmaster Tools] Malware infection detected“.

Google blacklisting notification due to Magento Malware

Google webmaster mail notifying infected site.

 

[Update 20th Oct] – It appears that this Guruincsite malware is inserted using the infamous Neutrino Exploit Kit which exploits the Shoplift vulnerability for which patches were released in Feb 2015. So, your best defense is to upgrade/patch Magento ASAP.

As part of our website support service, we’ve been able to clean this malware in a majority of the sites within 2 hours and got Google to de-blacklist these sites within 4 hours. Here’s how we did it.

[ Want to secure your websites from hacks? Our website technicians will audit and protect your websites in no time. ]  

Removing the Guruincsite malware and de-listing from Google

As of now, the malware is seen to infect the Home CMS Page and Footer.

Cleaning Magento site home page

The plain text malware is till now found in the home page content. It’ll look something like this:

Home page Guruincsite malware code

Malicious code found in Magento home CMS pages

 

To clean the malware, we edited the home page CMS by going to CMS >> Pages >> Home >> Content and deleted the malicious code as shown below:

Removing Guruincsite malware from home CMS page

Removing Guruincsite malware from home CMS page

 


Is your site hacked?

We can help you remove malware, do a full-site security testing and remove your site from Google blacklist.

RECOVER YOUR SITE NOW!

14 Comments

  1. Do we know what the aim of the hack was? ie if you still visited the infected website, as the warning window gave you an option the ignore warning, do we know what the effect of that may be?

    Reply
    • Hi Liz,

      To quote Google Safe Browsing page;

      What happened when Google visited this site?
      Of the 4 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent.

      This means, if you ignored the warning, your computer would be infected by a trojan, possibly to steal any possible login details and/or turn your computer into a zombie in a botnet. So, a visitor to these sites would be turning their computers into a weapon that they can use to launch DDOS attacks – in addition to losing personal information like login details, credit card information etc.

      Reply
  2. Thank you Visakh S for this article. you are life savior. we were exactly into similar problem and your article saved us.
    Thank you so so much!!!

    Reply
    • Glad to know you found it useful. 🙂

      Reply
  3. Hi is there a pattern that we can use to block this using a software firewall? How have you done it?

    Reply
    • Hi Chris,

      By all indications, it was a new exploit using the infamous Neutrino exploit kit on the old Shoplift vulnerability for which Magento released the patch SUPEE-5344 in Feb.

      So, applying the patch was the first step.

      Second, we changed the default URLs for /admin and /downloaders, so that large scale hacks using exploit kits wont work.

      Third, we limited admin access to specific IPs to keep our un-authorized users.

      Fourth, on servers which had mod_security (all the servers we manage do have it), custom mod_sec rules were added based on specific attack signatures.

      Reply
      • While we weren’t impacted by this exploit, one thing we discovered is that you can actually TURN off the Shoplift patch in Magento Backend! Magento put this ability in because the shoplift patch was causing so many problems with people’s extensions.

        I assumed that since we had installed the patches, we were protected from shoplift. That is NOT the case!

        People need to know this!

        Reply
  4. Very helpful, I just inherited a client’s site with the malicious code hidden away in the footer and 20+ admin users.

    Reply
    • The multiple admin users are likely to be due to the Shoplift vulnerability disclosed in April 2015. So, looks like the shops were not updated in a while. As I said in the article, if you keep the sites updated or patched, the infection is not likely to happen.

      Reply
  5. thxxxxxxxxxxxx………….

    Reply
    • 🙂

      Don’t forget to apply all the patches released till now. Here’s the list for community edition:
      SUPEE-6482, SUPEE-6285, SUPEE-5994, SUPEE-5344, SUPEE-3762, SUPEE-1533, APPSEC-212

      Also refer https://magento.com/security/patches

      SUPEE-5344 protects you against Shoplift vulnerability, which is what the Neutrino Exploit Kit apparently is using to insert Guruincsite code.

      Reply
  6. Visakh S, my developer whipped out entire site after making a backup copy of it. Then he did install new magento, but i lost my site. What would be your suggestions?

    Reply
    • Hi Mary,

      I’d suggest you restore your backup to a local machine (such as your laptop), clean out the malware as described in this article (also take care too scan files and database as well). Once you are sure all malware is removed, restore the clean copy to live.

      If you are not sure how to do it, we can do it for you. Please submit a request below:
      Emergency administration request

      Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Bobcares
Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.
MORE ABOUT BOBCARES