wesupport

Need help?

Our experts have had an average response time of 13.14 minutes in February 2024 to fix urgent issues.

We will keep your servers stable, secure, and fast at all times for one fixed price.

How to clean Guruincsite malware from hacked Magento web sites and remove Google blacklisting

by | Oct 20, 2015

Since 17th Oct, we’ve have been receiving website hack recovery requests from Magento shops infected with Guruincsite,com malware.

There are two variations of the malicious code – one that has obfuscated code (gibberish) containing function LCWEHH(XHFER1){XHFER1=XHFER1, and another that shows xhr.open('GET', 'http;//guruincsite,com/1,php'.

See how we secure your websites from malware!

Most of the hack recovery requests were from sites blacklisted by Google, and as of this writing, Google has listed 8527 domains infected with this malware.

Website owners reported seeing an alert “The site ahead contains malware” in browsers, see “Malicious software is hosted on 1 domain(s)” when clicking on Google search results, or got a mail from Google webmaster with the subject ” [Webmaster Tools] Malware infection detected“.

Google blacklisting notification due to Magento Malware

Google webmaster mail notifying infected site.

 

[Update 20th Oct] – It appears that this Guruincsite malware is inserted using the infamous Neutrino Exploit Kit which exploits the Shoplift vulnerability for which patches were released in Feb 2015. So, your best defense is to upgrade/patch Magento ASAP.

As part of our website support service, we’ve been able to clean this malware in a majority of the sites within 2 hours and got Google to de-blacklist these sites within 4 hours. Here’s how we did it.

[ Want to secure your websites from hacks? Our website technicians will audit and protect your websites in no time. ]  

Removing the Guruincsite malware and de-listing from Google

As of now, the malware is seen to infect the Home CMS Page and Footer.

Cleaning Magento site home page

The plain text malware is till now found in the home page content. It’ll look something like this:

Home page Guruincsite malware code

Malicious code found in Magento home CMS pages

 

To clean the malware, we edited the home page CMS by going to CMS >> Pages >> Home >> Content and deleted the malicious code as shown below:

Removing Guruincsite malware from home CMS page

Removing Guruincsite malware from home CMS page

 

Cleaning the Magento site footer

The code found in footer is usually obfuscated code (gibberish) as shown here:

Malicious code found in Magento footer

Malicious code found in Magento footer

 

To clean the malware, we edited the footer by going to System >> Configuration >> Design >> Footer >> Miscellaneous HTML in the admin panel and deleted the malicious code as shown below:

Removing malicious Guruincsite code from Magento footer

Removing malicious Guruincsite code from Magento footer

 

In several sites we also saw multiple admin privilege accounts and phishing URLs in files located in var folder of Magento.

These were also removed on a case-to-case basis.

[ Optimize your websites for better experience! Our website technicians will audit and fix your websites at affordable pricing. ]

Re-scanning the website, and finishing up

Once all malicious code were removed, all Magento cache, and system cache (like Varnish, APC cache, etc.) were cleaned to make sure only clean files were present in the site.

The whole site files and database dump was then checked to make sure there are no more malicious code.

[Update 20th Oct] – We’ve seen a few sites which were hosted in insecure shared servers. This could’ve made the hack easier to execute using the Neutrino Exploit Kit. So, where possible, we’re implementing additional virtual host isolation in shared hosting servers.

For some websites, clean backups were available that was just a few hours old. Those websites were restored using the available backups.

Re-submission to Google

Once we were reasonably sure that all malware has been removed, Google Webmaster tools was used to let Google know that the site is now clean. We were able to get websites back online in as little as 4 hours.

Preventing re-infection

All the affected websites ran older versions of Magento. The latest Magento version is 1.9.2.1. If your site is not of this version or if you have not applied any of the security patches released over the past few months, your site is likely to be vulnerable.

For the sites that we restored, we applied patches or upgraded Magento to make sure it won’t be infected again. In some servers, web application firewalls were installed and configured to prevent infection.

New exploits come out all the time, and some of them, like this Guruincsite malware can hit with little or no notice. It is best to protect your website with a professional preventive server management plan that will keep your servers and site secured with multiple layers of security.

If you’d like to know how to make your websites more secure and reliable, we’d be happy to talk to you.

 

Is your site hacked?

We can help you remove malware, do a full-site security testing and remove your site from Google blacklist.

RECOVER YOUR SITE NOW!

var google_conversion_label = "Blp0CLCojHIQ0aD71QM";

14 Comments

  1. Liz

    Do we know what the aim of the hack was? ie if you still visited the infected website, as the warning window gave you an option the ignore warning, do we know what the effect of that may be?

    Reply
    • Visakh S

      Hi Liz,

      To quote Google Safe Browsing page;

      What happened when Google visited this site?
      Of the 4 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent.

      This means, if you ignored the warning, your computer would be infected by a trojan, possibly to steal any possible login details and/or turn your computer into a zombie in a botnet. So, a visitor to these sites would be turning their computers into a weapon that they can use to launch DDOS attacks – in addition to losing personal information like login details, credit card information etc.

      Reply
  2. paliwal jewelers

    Thank you Visakh S for this article. you are life savior. we were exactly into similar problem and your article saved us.
    Thank you so so much!!!

    Reply
    • Visakh S

      Glad to know you found it useful. 🙂

      Reply
  3. Chris

    Hi is there a pattern that we can use to block this using a software firewall? How have you done it?

    Reply
    • Visakh S

      Hi Chris,

      By all indications, it was a new exploit using the infamous Neutrino exploit kit on the old Shoplift vulnerability for which Magento released the patch SUPEE-5344 in Feb.

      So, applying the patch was the first step.

      Second, we changed the default URLs for /admin and /downloaders, so that large scale hacks using exploit kits wont work.

      Third, we limited admin access to specific IPs to keep our un-authorized users.

      Fourth, on servers which had mod_security (all the servers we manage do have it), custom mod_sec rules were added based on specific attack signatures.

      Reply
      • Shawn

        While we weren’t impacted by this exploit, one thing we discovered is that you can actually TURN off the Shoplift patch in Magento Backend! Magento put this ability in because the shoplift patch was causing so many problems with people’s extensions.

        I assumed that since we had installed the patches, we were protected from shoplift. That is NOT the case!

        People need to know this!

        Reply
  4. Andrew Taylor

    Very helpful, I just inherited a client’s site with the malicious code hidden away in the footer and 20+ admin users.

    Reply
    • Visakh S

      The multiple admin users are likely to be due to the Shoplift vulnerability disclosed in April 2015. So, looks like the shops were not updated in a while. As I said in the article, if you keep the sites updated or patched, the infection is not likely to happen.

      Reply
  5. L Nishshanka

    thxxxxxxxxxxxx………….

    Reply
    • Visakh S

      🙂

      Don’t forget to apply all the patches released till now. Here’s the list for community edition:
      SUPEE-6482, SUPEE-6285, SUPEE-5994, SUPEE-5344, SUPEE-3762, SUPEE-1533, APPSEC-212

      Also refer https://magento.com/security/patches

      SUPEE-5344 protects you against Shoplift vulnerability, which is what the Neutrino Exploit Kit apparently is using to insert Guruincsite code.

      Reply
  6. mary

    Visakh S, my developer whipped out entire site after making a backup copy of it. Then he did install new magento, but i lost my site. What would be your suggestions?

    Reply
    • Visakh S

      Hi Mary,

      I’d suggest you restore your backup to a local machine (such as your laptop), clean out the malware as described in this article (also take care too scan files and database as well). Once you are sure all malware is removed, restore the clean copy to live.

      If you are not sure how to do it, we can do it for you. Please submit a request below:
      Emergency administration request

      Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Categories

Tags