Guruincsite Magento Disaster


Guruincsite malware: a new Magento disaster

A new piece of Magento malware has been discovered: a malicious script that loads content from guruincsite.com. The initial attack vector has not been identified yet, but we already know that the infection exposes Magento websites and their visitors to a code execution issue. Below, we shed light on how to protect your ecommerce store from the Guruincsite Magento disaster.

UPD (21.10.15): SUPEE-6788 will help you solve the Guruincsite issue

First of all, you should always follow security best practices, so check our guide to Magento security. As for advice aimed specifically at Guruincsite:

  • Use Magereport to scan your Magento store for Guruincsite as well as other malware. Note that it is a community project which is not affiliated with Magento.
  • If you find any malicious scripts, remove them. Check the Magereport instructions on finding and fixing such problems.
  • Remove all suspicious admin accounts, and any accounts you are not using.
  • Apply all available Magento security patches. You can find the full list here: Magento Security Patches on Firebear.
  • Keep the Magento core and every extension up to date.
  • Use a website firewall.

The malicious script that creates iframes pointing to guruincsite dot com exists in two variants. The first one is not obfuscated and looks as follows:

guruincsite malware: simple script

The second variant of the Guruincsite script is obfuscated and injects the “hxxp://guruincsite.com/2.php” iframe. Here it is:

Guruincsite Magento malware: Obfuscated script

The design/footer/absolute_footer entry of the core_config_data table is the place where the Guruincsite malware is usually injected, but that doesn’t mean you should scan only this entry. It is necessary to inspect the whole database (CMS blocks and pages included). Look for code like “function LCWEHH(XHFER1){XHFER1=XHFER1” and for the “guruincsite” domain name.
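The checklist above (scan, remove injected scripts) and the indicators just described can be turned into a repeatable check. The following is an added example, not code from the original post or from Magereport: it loads a constructed, in-memory SQLite copy of Magento’s core_config_data and cms_block tables with sample rows (the defanged hxxp:// URL and the “function LCWEHH(XHFER1){XHFER1=XHFER1” fragment are the indicators quoted in the article), queries the usual injection point, walks every table and column, and strips only those script/iframe elements that contain an indicator. The `LIKE` clauses are plain SQL and run unchanged against a MySQL store database; the table walker uses SQLite introspection, so on MySQL it would need `information_schema.columns` instead. Table names, columns and sample data are assumptions for the demonstration.

```python
import re
import sqlite3

# Indicators quoted in the article: the domain and the start of the obfuscated loader.
INDICATORS = (
    "guruincsite",
    "function LCWEHH(XHFER1){XHFER1=XHFER1",
)

# Constructed sample rows (not real store data) mimicking Magento's
# core_config_data and cms_block tables. Rows 1 and 4 of the config table and
# block 2 carry an injection; everything else is legitimate content.
SAMPLE_CONFIG = [
    ("default", 0, "design/footer/absolute_footer",
     '<script>function LCWEHH(XHFER1){XHFER1=XHFER1.replace(/x/g,"");}</script>'),
    ("default", 0, "design/head/includes", '<link rel="stylesheet" href="/skin/site.css">'),
    ("stores", 2, "design/footer/copyright", "&copy; 2015 Example Store"),
    ("websites", 1, "design/head/includes",
     '<script src="hxxp://guruincsite.com/2.php"></script>'),
]
SAMPLE_BLOCKS = [
    ("footer_links", "<ul><li>Contact</li></ul>"),
    ("promo_banner", '<p>Sale!</p><iframe src="hxxp://guruincsite.com/2.php" width="1"></iframe>'),
]


def load_sample_db():
    """Build an in-memory SQLite database with the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY, "
                 "scope TEXT, scope_id INTEGER, path TEXT, value TEXT)")
    conn.execute("CREATE TABLE cms_block (block_id INTEGER PRIMARY KEY, identifier TEXT, content TEXT)")
    conn.executemany("INSERT INTO core_config_data (scope, scope_id, path, value) VALUES (?, ?, ?, ?)",
                     SAMPLE_CONFIG)
    conn.executemany("INSERT INTO cms_block (identifier, content) VALUES (?, ?)", SAMPLE_BLOCKS)
    conn.commit()
    return conn


def find_infected_config(conn, indicators=INDICATORS):
    """Check the usual injection point. Returns sorted (config_id, scope, scope_id, path, indicator).
    The WHERE clause is plain LIKE, so the same statement runs unchanged on MySQL."""
    hits = set()
    for ind in indicators:
        for row in conn.execute(
                "SELECT config_id, scope, scope_id, path FROM core_config_data WHERE value LIKE ?",
                ("%" + ind + "%",)):
            hits.add(row + (ind,))
    return sorted(hits)


def scan_all_text_columns(conn, indicators=INDICATORS):
    """Walk every table and column (SQLite introspection; use information_schema.columns on MySQL)
    and return sorted (table, column, rowid, indicator) for every match."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            for ind in indicators:
                rows = conn.execute(f'SELECT rowid FROM "{table}" WHERE "{col}" LIKE ?',
                                    ("%" + ind + "%",)).fetchall()
                hits.extend((table, col, r[0], ind) for r in rows)
    return sorted(hits)


# Matches a complete <script>...</script> or <iframe>...</iframe> element.
SCRIPT_OR_IFRAME = re.compile(r"<(script|iframe)\b[^>]*>.*?</\1\s*>", re.IGNORECASE | re.DOTALL)


def strip_injected(value, indicators=INDICATORS):
    """Remove only script/iframe elements that contain an indicator; legitimate markup stays."""
    def drop_if_malicious(m):
        return "" if any(ind in m.group(0) for ind in indicators) else m.group(0)
    return SCRIPT_OR_IFRAME.sub(drop_if_malicious, value)


def clean_infected_config(conn, indicators=INDICATORS):
    """Rewrite every infected core_config_data value in place; returns the number of rows changed.
    On a real store: back up the database first, then flush the Magento cache afterwards."""
    changed = 0
    for config_id in sorted({h[0] for h in find_infected_config(conn, indicators)}):
        value = conn.execute("SELECT value FROM core_config_data WHERE config_id = ?",
                             (config_id,)).fetchone()[0]
        cleaned = strip_injected(value, indicators)
        if cleaned != value:
            conn.execute("UPDATE core_config_data SET value = ? WHERE config_id = ?", (cleaned, config_id))
            changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    db = load_sample_db()
    for hit in scan_all_text_columns(db):
        print("infected:", hit)
    print("cleaned config rows:", clean_infected_config(db))
    # cms_block is still infected: cleaning only the footer entry is not enough.
    print("remaining:", scan_all_text_columns(db))
```

Running it shows the point of the paragraph: after the footer entry is cleaned, the whole-database walk still reports the injected CMS block, which a scan limited to design/footer/absolute_footer would miss.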

SUPEE-6788 will help you solve the Guruincsite issue

In addition to the information above, it is necessary to add that the Guruincsite malware takes advantage of weak passwords, phishing, or any other weakness that gives attackers administrative access. SUPEE-6788 has now been released and will help you fix the Guruincsite issue. For further information on where to download the patch, how to install it and how to solve the problem, visit our post about Magento security patches.

How to check which modules are affected by security patch SUPEE-6788: a list of extensions that won’t work 100% after SUPEE-6788.

Magento SUPEE-6788 Developer Toolbox – a script that attempts to find and automatically resolve the major problems introduced by the patch. It does this in two stages: analyze, then fix.