Magento – Javascript Malware Issue

Posted in Magento

Description: Magento Commerce has received reports of a JavaScript malware exploit that forwards credit card information from checkout pages to an external site. Attackers are most likely using Admin or database access to plant the script.

It is clear that unpatched Magento shops are being targeted through the original Shoplift path that we identified and patched in February.

How To Determine If Your Site Is Affected: Merchants can determine if they have been affected by this malware issue by:

Opening the main page and looking at the page source. Search for the following strings. If any of them is found, the site is compromised.

eval(atob(
regexp("checkout
Regexp('checkout
Regexp("onepage
Regexp('onepage
Regexp("onestep
Regexp('onestep

Please note that the case of those strings can differ (e.g. regexp, RegExp, Regexp), so search case-insensitively.

Affected versions: All

Recommended action:

  • Scan your site with a tool like magereport.com

  • Apply all patches

  • Check for any unknown files in the system

  • Review and remove all unknown admin accounts

  • Change all remaining admin passwords to strong ones (e.g., they should be long, and include symbols, upper and lower case letters, and numbers)

  • Follow best practices outlined in the Magento User Guide 

  • Review the following sections in the Admin configuration for suspicious code. Remove any suspicious code found.

    • Configuration->General->Design->HTML Head->Miscellaneous Scripts

    • Configuration->General->Design->Footer->Miscellaneous HTML

  • Check for the existence of the following files on the server, and review server log files for incoming requests to the same paths. If any of the files is present, or the logs show requests to them, the site is fully compromised and needs a developer to fix it. Those files are used to collect or transfer stolen card numbers:
    • /downloader/Maged/Maged.php

    • /downloader/cache.php

    • /jquery.php

    • /jquery.pl

    • /css.php

    • /opp.php

    • /xrc.php

    • /order.php

    • /jquerys.php

    • /var/extendware/system/licenses/encoder/mage_ajax.php

    • Note: we have also noticed /js/index.php, a native Magento file, being used to collect stolen information. Make sure to review this file and compare with original.
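The checks above can be scripted so they can be rerun after patching. The following shell script is an added example, not code from the original advisory or from Magento: it implements the page-source string search (case-insensitive, so it covers the regexp/Regexp/RegExp variants and both quote styles), the dropped-file check, the access-log review, and a diff of /js/index.php against a pristine copy. It assumes you have saved the front page HTML to a file, know the Magento document root, have an access log in Apache/nginx combined format, and have a clean js/index.php from the same release to compare against. The function names, the argument order, and the core_config_data paths named in the comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the original advisory or from Magento): the
# manual checks on this page as shell functions to run on the web server.
# Assumes the front page HTML has been saved to a file, e.g.
#   curl -s https://shop.example/ > /tmp/home.html
# (shop.example is a placeholder), that you know the document root, and that
# the access log is in combined format.

# The seven page-source strings from the advisory, folded into two
# case-insensitive extended regexes: grep -i covers regexp/Regexp/RegExp,
# and ["'] covers both quote styles.
SKIMMER_RE="eval\\(atob\\(|regexp\\([\"'](checkout|onepage|onestep)"

# Files the advisory lists as collector/exfiltration scripts, relative to the
# document root. /js/index.php is a native file and is diffed separately.
DROPPED_FILES="downloader/Maged/Maged.php downloader/cache.php jquery.php \
jquery.pl css.php opp.php xrc.php order.php jquerys.php \
var/extendware/system/licenses/encoder/mage_ajax.php"

# Check 1: page source. Arguments: one or more saved HTML/JS files. Prints
# each matching line with its line number; returns 0 if an indicator was
# found, 1 otherwise (grep's own exit status).
check_page_source() {
    grep -i -E -n -- "$SKIMMER_RE" "$@"
}

# Check 2: dropped files. Argument: document root. Prints each listed file
# that exists; returns 0 if at least one exists, 1 if none.
check_dropped_files() {
    _hit=1
    for f in $DROPPED_FILES; do
        if [ -e "$1/$f" ]; then
            echo "PRESENT: $1/$f"
            _hit=0
        fi
    done
    return $_hit
}

# Check 3: access log. Arguments: one or more log files. Prints every request
# line whose path is one of the listed files (followed by a space or a query
# string); returns 0 if any such request was logged.
check_access_log() {
    _alt=""
    for f in $DROPPED_FILES; do
        # Escape the dots so the paths are matched literally.
        _alt="$_alt|/$(printf '%s' "$f" | sed 's/[.]/\\./g')"
    done
    grep -E -- "\"[A-Z]+ (${_alt#|})[ ?]" "$@"
}

# Check 4: the native js/index.php. Arguments: document root, then a pristine
# js/index.php taken from the release archive of the same Magento version
# (an assumption of this example). Returns 0 if the live file differs from
# it or is missing, 1 if it is identical.
check_js_index() {
    if diff -q "$2" "$1/js/index.php" > /dev/null 2>&1; then
        return 1
    fi
    echo "MODIFIED: $1/js/index.php differs from $2"
    return 0
}

# The two Admin configuration fields the advisory names are stored in the
# core_config_data table. Assuming the Magento 1 config paths
# design/head/includes (Miscellaneous Scripts) and
# design/footer/absolute_footer (Miscellaneous HTML), review them with:
#   SELECT scope, scope_id, path, value FROM core_config_data
#    WHERE path IN ('design/head/includes', 'design/footer/absolute_footer');

# Run all four checks when invoked with the four paths; exit 1 on any hit.
# Usage: sh skimmer_check.sh /tmp/home.html /var/www/magento \
#            /var/log/apache2/access.log /tmp/pristine-js-index.php
if [ "$#" -eq 4 ]; then
    status=0
    check_page_source "$1" && status=1
    check_dropped_files "$2" && status=1
    check_access_log "$3" && status=1
    check_js_index "$2" "$4" && status=1
    exit "$status"
fi
```

The page-source check deliberately uses fixed patterns rather than a generic "obfuscated JavaScript" heuristic, so a hit means one of the advisory's own indicators is present; a clean result from this script does not prove the shop is clean, since the attacker has Admin or database access and can change the payload, so the patching, admin-account and password steps above still apply.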

Origin URLs:

2 thoughts on “Magento – Javascript Malware Issue”

  1. Hello! I just wanted to ask if you ever have any issues with hackers?
    My last blog (wordpress) was hacked and I ended up losing many months of hard work due to no backup.

    Do you have any methods to protect against hackers?

    1. Currently I am working on the article about this. The general method to protect from hackers is to apply all the latest updates to your server software (e.g. PHP, Apache, nginx, MySQL, etc.) and apply the available patches to your web application. Every release includes a number of security improvements as well as bug fixes and performance optimizations. We are about to launch this service as a monthly subscription.

      This will not provide 100% protection from hackers but will tremendously increase the time required to hack your website so your websites will fall out of the scope of hackers’ interest.

      Also sometimes hackers use back-doors in community software, so be attentive to the plugins and extensions that you install to the website.
