Hello everybody,
we have a Magento site running version 1.9.4.1 and we are facing two FAILs on the Magento Security Scan that are driving me crazy.
The first one is telling us the following:
This main.min.js file is created with gulp with the required JS files that we need. I checked it in all ways and it doesn't have any kind of malware, but the scan fails anyway each time.
We also have this other fail:
But this patch is already installed and we are running a much higher Magento version right now. I sent an email last week to security@magento.com so they could help me find out what is going on, but I didn't get any response. Could you help me to solve this?
Thank you!
Sure, @findicator
Please send me the store URLs you have problems with in a PM.
Hello, I tried to send you a new PM but I got the following error:
You have reached the limit for number of private messages that you can send for now. Please try again later.
And I only sent 2 PMs in all the time that I used the forums.
So, the issue is that you found out that the JS error was a false positive and the scan passed correctly, but only until yesterday, when the scan showed the following error again:
Hello msavich! Sorry to disturb you again, but yesterday we received a new "Critical Issue Detected" and it's again:
Magento Compromise Injection
Your site is compromised with injected JavaScript malware. (46)
Malicious code signature(s) have been found in these resources:
.../skin/frontend/indicator/default/dist/js/main.min.js
Could you check it? We didn't change anything and I didn't find malicious code in this JS. Maybe it's a false positive again? You can find the site in my previous PMs as I can't send you a new one.
Thank you!
Hello @findicator
Yes it is a false positive... again...
Since we constantly monitor new malware code that appears 'in the wild' and add the logic to detect it, sometimes it causes false positives.
Please expect the fix to become live next Thursday around noon (Central Time).
I am having a similar issue with a site I'm working on. The scan is showing an injection located on a different domain than what I'm scanning and I'm unable to see where that redirect is being generated from.