Magento beschermen tegen de GuruIncsite infection

Tags: MagentomagereportSecurity

De GuruIncsite infection is een kwetsbaarheid waarmee hackers malafide javascript code toe kunnen voegen aan je site, waarmee ze de internetbrowsers van de bezoekers van je shop kunnen infecteren. In dit artikel leggen we uit hoe je dit kunt oplossen.

Vanwege de aard van het probleem is het onderstaande artikel geschreven in het Engels. Met een Engelstalig artikel hopen we shopeigenaren van over de hele wereld een how-to te bieden om het probleem op te lossen en hun shop goed te beveiligen.

What is the GuruIncsite infection?

Hackers have infected several thousand Magento sites with malicious code. This code creates an iframe to Two kinds of modifications have been spotted in the wild: obfuscated and non obfuscated. Sucuri (online security company) says:

“The malware is usually injected in the design/footer/absolute_footer entry of the core_config_data table, but we suggest scanning the whole database for code like “function LCWEHH(XHFER1){XHFER1=XHFER1” or the “guruincsite” domain name.”

What are the consequences?

The GuruIncsite infection infects all your websites’ visitors internet browsers via Flash malware. It appears that the goal of the malware is to collect financial data.

How did they get in?

Our preliminary analysis of hacked Magento sites suggests that hackers have abused the Shoplift bug and unpatched WordPress installations to gain access to the Magento database. Are you running a blog on WordPress next to your Magento? Check WordPress for malicious code!

How do I fix it?

Fixing this leak is not an easy task. If you don’t have a lot of knowledge of Magento’s security, we recommend you to hire an Magento developer or specialist who is experienced in Magento security. If however you want to try to fix it for yourself, use the information written below:

The malware code is added to the footer through miscellaneous HTML in Magento admin. The code in the footer starts with:

(function(){function LCWEHH(XHFER1){XHFER1=XHFER1["\u0073\u0070\u006c\u0069\u0074"]

We recommend you scanning your database for this code AND for the ‘’ domain name.

Mitigate the malware

Navigate in the back-end of Magento to System > Configuration > Design > Footer > Miscellaneous HTML and delete all code written in the box next to ‘Miscellaneous HTML’. After this navigate to CMS > Pages > Home > Content and delete malicious code written between the <script></script> tags.

Once you’ve deleted all the malicious code, flush your Magento cache: Navigate to System > Configuration > Cache Management . Do you have a Hypernode? Flush everything using this command:

magerun cache:flush

Scan your shop with to check whether your shop is safe or not. Not safe? Repeat the steps above for other CMS pages.


Byte whitepaper

Veel gehoord: FTP is onveilig. In deze whitepaper leggen we precies het verschil uit tussen FTP, FTPS en SFTP. We laten je zien waarom SFTP verreweg de veiligste optie is om je data over te versturen. Na het lezen van deze whitepaper hang je je FTP account voorgoed aan de wilgen.

Please let us know your email address.