November, 2018
Archive

By In Magento

Magento 1 JavaScript malware injection via CMS block

Hello, as Magento 1.x nears its end of life (at least officially), everyone should consider moving to the Magento 2.x platform. With every new release Magento gets better and new features become available; the upgrade process has also been simplified and now works really well.

Even so, many stores still use Magento 1.x and will not move to 2.x for a few more months. Those stores also need maintenance and security checks; otherwise they can easily be compromised by malware and expose important data (such as customer addresses or even credit card numbers). Be sure to update Magento on a regular basis and apply security patches as soon as they are published.

We recently noticed that malware code can easily be injected into CMS block content; it is then loaded on every page that includes that CMS block anywhere on the page. Put simply, if you have a CMS block in the footer, the code will be loaded on every page of the site, including the cart, checkout and success pages.

A simple way to check your site is to log in to the Magento back end, open a CMS block for editing, turn off the WYSIWYG editor so that you see the source, and look for any code that includes JavaScript.
The code might look like this:
<script src='https://javascript.host/'></script>

In general, if you see code that includes scripts hosted on a domain that is not familiar to you, there is reason to suspect that it is some kind of malware.
If you have access to phpMyAdmin, you can search the database and check whether similar code is present in CMS pages or any other table.
Also, if you have the MageFence module, it will search for those strings when you start the security check procedure.

Here are a few of the most common strings that you should check for:

  • kinfirighbetted.host
  • atob.host
  • bad.guy
  • siteverification.online
  • jquery-ajax.host
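
The same check can be run over an export of the CMS block and page content instead of opening each block by hand. The Python below is an added example, not code from the original post or from MageFence; the names `ScriptCollector`, `audit_cms_content` and `trusted_hosts`, the sample rows and the `.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings this page lists as commonly seen in injected CMS content.
KNOWN_STRINGS = ("kinfirighbetted.host", "atob.host", "bad.guy",
                 "siteverification.online", "jquery-ajax.host")

class ScriptCollector(HTMLParser):
    """Records the src of each <script> tag and counts inline scripts."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline = [], 0
    def handle_starttag(self, tag, attrs):  # tag and attr names arrive lowercased
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())
            else:
                self.inline += 1

def audit_cms_content(rows, trusted_hosts):
    """Return (identifier, reason) findings for rows of (identifier, content)."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for identifier, content in rows:
        for needle in KNOWN_STRINGS:
            if needle in content.lower():
                findings.append((identifier, "known string: " + needle))
        collector = ScriptCollector()
        collector.feed(content)
        collector.close()
        for src in collector.sources:
            host = (urlparse(src).hostname or "").lower()
            if host and host not in trusted:  # relative URLs have no host
                findings.append((identifier, "external script host: " + host))
        if collector.inline:
            findings.append((identifier, "inline scripts: %d" % collector.inline))
    return findings

# Constructed sample rows, not real store data.
SAMPLE_ROWS = [
    ("footer_links", "<ul><li><a href='/about'>About</a></li></ul>"),
    ("footer_promo", "<p>Sale</p><script src='//cdn.unknown.example/x.js'></script>"),
    ("checkout_note", '<div>Thanks</div><SCRIPT SRC="https://atob.host/a.js"></SCRIPT>'),
    ("home_slider", "<script src='/js/slider.js'></script><script>initSlider();</script>"),
]

if __name__ == "__main__":
    print(*audit_cms_content(SAMPLE_ROWS, {"www.store.example"}), sep="\n")
```

Every finding is a prompt for manual review: a script host outside the trusted set or an inline script may be legitimate, but each one should be something you recognise.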
