Massive Magento Guruincsite Infection

We are currently seeing a massive attack on Magento sites where hackers inject malicious scripts that create iframes from “guruincsite[.]com“. Google already blacklisted about seven thousand sites because of this malware.

There are two modifications of it. The first script is in not obfuscated:

simple-guruincsite-site

Simple guruincsite script

… and the second one is obfuscated:

obfuscated-guruincsite-script

Obfuscated guruincsite script

The obfuscated scripts inject the “hxxp://guruincsite[.]com/2.php” iframe.

The Magento Guruincsite malware is usually injected in the design/footer/absolute_footer entry of the core_config_data table, but we suggest scanning the whole database for code like “function LCWEHH(XHFER1){XHFER1=XHFER1” or the “guruincsite” domain name.

We are currently investigating the infection vector and will update as we have more details. At this point, we can suspect that it was some vulnerability in Magento or one of the third-party extensions that allowed it to infect thousands of sites within a short time. Make sure to update everything: core files and extensions.

Since the vulnerability provides access to your database, hackers could use it to create malicious admin users; so it is a good idea to review your site users. You might also want to use a website firewall that protects your site against known and even not yet discovered vulnerabilities, and prevents access to site admin areas to unauthorized users.

34 comments
  1. Hi Denis, thanks for the update. How can we go about checking if an any of our magneto sites are affected?

    1. Hi Raj, I’ve just encountered one of our customer shops with this code injected, the way I checked for it was to get a database dump and just do a text search for any keywords that are related to this ‘guru’ js. From there on you will be able to see whether there are any mentions of malicious code and if there are – where it is. In my case I found it in a home CMS page.
      Beware, this will not ‘fix’ or detect the exploit, it is a temporary solution until the cause and a way to prevent this from happening again is found.

    2. Hi Raj, the easiest way is to view the page source of your homepage in your browser. Look out for either of the obfuscated/non-obfuscated scripts from the post. If you find either of these at the bottom of the source file, you are infected.

  2. Hi Denis,

    Thank you very much for sharing this article. I can confirm the malicious code was in the design/footer/absolute_footer entry of the core_config_data table.

    Just an important point to know though, you will need to ensure you clear your Magento cache to remove the code from your pages aswell as your Varnish cache, if you use it. Then you can request a security review from Google in Webmaster Tools. Hope this helps!

    1. I also found that the malicious script created 20 admin accounts inside Magento disguised as @magentoecommerce.com and test accounts. Please make sure you remove these!

  3. I got this on one of my sites – having investigated the source it turns out it wasn’t an exploit – a Russian IP address brute-forced the /downloader URL (I know) and then used the CMS to inject the code using a French IP. It appears to be automated based on the timings. It would have been prevented by blocking /downloader and changing the /admin URL. Brute force detection/IDS/IPS software would also have helped.

    1. I doubt if they got access by brute-forcing given that thousands of sites got infected in a day.

      1. True, in fact looking at the logs further shows the Russian brute-force continuing after the above attack, so probably unrelated.

        This particular site was missing both SUPEE-6482 and SUPEE-6285, so one of these vectors may have been involved. Any word if any fully-patched sites were affected?

      1. The CMS page injection and footer HTML injection happened on separate days, taking around 5 seconds each. Here’s the log snippets for each:

        GET /downloader/
        POST /downloader/
        GET /admin/?PageSpeed=noscript
        POST /admin/?PageSpeed=noscript
        GET /index.php/admin/index/index/key/xxxxxxxxxredactedxxxxxxxx/?PageSpeed=noscript
        GET /index.php/admin/dashboard/index/key/xxxxxxxxxredactedxxxxxxxx/
        GET /index.php/admin/cms_page/index/key/xxxxxxxxxredactedxxxxxxxx/?PageSpeed=noscript
        GET /index.php/admin/cms_page/edit/page_id/3/key/xxxxxxxxxredactedxxxxxxxx/?PageSpeed=noscript
        GET /index.php/admin/cms_page/edit/page_id/11/key/xxxxxxxxxredactedxxxxxxxx/?PageSpeed=noscript
        GET /index.php/admin/cms_page/edit/page_id/4/key/xxxxxxxxxredactedxxxxxxxx/?PageSpeed=noscript
        GET /index.php/admin/cms_page/edit/page_id/13/key/xxxxxxxxxredactedxxxxxxxx/?PageSpeed=noscript
        GET /index.php/admin/cms_page/edit/page_id/6/key/xxxxxxxxxredactedxxxxxxxx/?PageSpeed=noscript
        GET /index.php/admin/cms_page/edit/page_id/2/key/xxxxxxxxxredactedxxxxxxxx/?PageSpeed=noscript
        POST /admin/cms_page/save/key/xxxxxxxxxredactedxxxxxxxx/

        GET /downloader/
        POST /downloader/
        GET /admin/?PageSpeed=noscript
        POST /admin/?PageSpeed=noscript
        GET /index.php/admin/index/index/key/xxxxxxxxxredactedxxxxxxxx/?PageSpeed=noscript
        GET /index.php/admin/dashboard/index/key/xxxxxxxxxredactedxxxxxxxx/
        GET /index.php/admin/system_config/index/key/xxxxxxxxxredactedxxxxxxxx/?PageSpeed=noscript
        GET /index.php/admin/system_config/edit/section/design/key/xxxxxxxxxredactedxxxxxxxx?PageSpeed=noscript
        POST /index.php/admin/system_config/save/section/design/key/xxxxxxxxxredactedxxxxxxxx/
        GET /index.php/admin/system_config/edit/section/design/key/xxxxxxxxxredactedxxxxxxxx/

        1. Bots don’t need to follow the sequence: get login screen > post login > get dashboard > go to system config > go to design section > post the script into the section. This specific log looks more human to me.

          1. The whole thing happened within 5 seconds with no js/css assets loaded so definitely automated. In fact it reminds me of the sort of logs I’d see when doing Jmeter testing of the front end e.g. you have to load the product page before adding a product to the basket so you can extract the form_key variable used for XSS protection.

        2. So it looks like it tries to log into downloader, fails, then tries to log into admin, succeeds, reads a few links to get the key, then posts a cms page change and the system_config change for the footer.

  4. I would suggest to whitelist admin IPs to allow access to admin pages. No unauthorized IP should be allowed to access /admin area at all. Also have a security extension to prevent such attacks.

  5. One of our client’s sites apparently got hacked with this. Google is saying it’s because of the guruincsite domain, however I’m so far unable to find any of the referenced code anywhere on the site. What I DID find however was a bunch of javascript added to some cms blocks and the core_config_data table that was looking for the checkout pages and posting data to a third party. Make sure you check for stuff like that as well.

  6. A client of ours recently got this as well. We found the injection in the design/footer/absolute_footer config option. The client was on v1.6 but with all security patches enabled.

    We should group together or commonalities to see if we can figure out how this injection was made possible…

  7. Hmm, I got the feeling this comes off the back of the shoplift attacks. Looks like the backdoor sellers finally got a bidder.

    1. Seems to be, at least partially. Looks like a type of Magento Exploitation kit trying multiple vulnerabilities, until they find one that works.

  8. Which vulnerabilities are used for the attacks?
    Is this by the “Shoplift” security Issue (Patch SUPEE-5344)?

  9. i removed this from database and clear the cache also but still my site is give this “The site ahead contains malware” so please provide me a solution…

    1. Did you patch your site with 6482 Patch? Make sure your site, all core and local modules are patched.

Comments are closed.

You May Also Like