Bits n Bobs | Blog | Website Wizardry

Magento “guruincsite” Neutrino Threat

19/10/2015

A new threat to Magento sites was uncovered over the weekend: code is inserted into a site which loads “guruincsite.com”, a website known to be malicious.

The threat to Magento stores started to be noticed on Saturday (which in itself is smart of the perpetrators, assuming that e-commerce sites will be more vulnerable over the two days when the company running the store may be neither trading nor working on it), and since then there have been reports of a “massive” number of infected stores across the internet. While the method by which it gets into a Magento site is unknown at the time of writing, the result is that a piece of client-side JavaScript code is inserted into the site which pulls in data from another site known to Google and other search engines as malicious.

The code itself creates an HTML iframe which loads “guruincsite.com” (a site I wouldn’t advise you to try to visit).

(Image: Magento guruincsite Neutrino Threat)

Your web browser will also likely recognise the site being shoe-horned into any infected Magento installation and, hopefully, show you a warning like the one below to protect you from the malicious content on there.

(Image: Magento guruincsite Neutrino Malware Alert)

The downside, of course, is that your customers are also seeing this warning. It goes without saying that the reputational and trust damage caused by this piece of malware on your store is huge. Even if a potential customer cautiously decides to ignore the red warning and venture onto your site, are they going to trust you with their payment details and make that sale?

How to fix Magento “guruincsite” Neutrino Threat?

If your Magento site has been targeted, the first thing to do is to try and remove that malicious piece of code. It will, more than likely, appear either in your site’s code or in a setting in the admin.

The first thing to note is that the string you are looking for is: “function LCWEHH(XHFER1){XHFER1=XHFER1”

  1. Take a full backup of the theme and database
  2. Check through all of the configuration sections within the Admin, look within the text boxes for the string and delete it
    (Image: Magento Guruincsite Neutrino Malware Code)
  3. If it’s in your code, most likely the theme, then you’ll need to search through all of those files and manually remove it
  4. Change all Admin passwords to something more secure and harder to crack
  5. Make sure your website has all the latest Magento patches
  6. Re-cache and re-index, then revisit the front end to see if the warning message has disappeared
  7. If Google has recently indexed your website, then head to Webmaster Tools and ask Google to re-fetch the site so they can see you have resolved the issue
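The searching in steps 2 and 3 can be automated. The script below is an added example, not code from the original post or from Magento: it scans a tree of theme files and a list of (path, value) config rows for the indicator string quoted above and reports where it appears. The table name core_config_data, the config path design/head/includes, the app/design directory and the sample rows are assumptions and constructed sample data, not findings from the post.

```python
import os

# Indicator string quoted in the post: the start of the injected loader.
INDICATOR = 'function LCWEHH(XHFER1){XHFER1=XHFER1'

# Text-bearing file types worth scanning in a Magento theme (assumption).
SCAN_EXTENSIONS = {'.phtml', '.php', '.js', '.html', '.xml'}


def scan_text(label, text, needle=INDICATOR):
    """Return (label, line_number) for each line of text containing needle."""
    return [(label, n) for n, line in enumerate(text.splitlines(), 1)
            if needle in line]


def scan_config_rows(rows, needle=INDICATOR):
    """Scan (path, value) rows, e.g. exported from core_config_data."""
    hits = []
    for path, value in rows:
        hits.extend(scan_text('config:' + path, value or '', needle))
    return hits


def scan_tree(root, needle=INDICATOR):
    """Walk root and scan every file with a text extension. Files are read
    as latin-1 so stray binary bytes never raise a decode error."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding='latin-1') as fh:
                hits.extend(scan_text(full, fh.read(), needle))
    return hits


# Constructed sample rows standing in for the output of, e.g.,
#   SELECT path, value FROM core_config_data;
SAMPLE_ROWS = [
    ('web/unsecure/base_url', 'http://shop.example/'),
    ('design/head/includes',
     '<script type="text/javascript">\n'
     'function LCWEHH(XHFER1){XHFER1=XHFER1 /* payload elided */}\n'
     '</script>'),
]

if __name__ == '__main__':
    # 'app/design' is the Magento 1 theme directory (assumption; adjust to taste).
    for label, lineno in scan_config_rows(SAMPLE_ROWS) + scan_tree('app/design'):
        print(f'{label}:{lineno}: indicator string found')
```

Run it from the Magento root after taking the backup from step 1; a hit in a config row points at the admin text box to clean, a hit in a file points at the theme file to edit.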

Short on Time?

We can help with this, either go to our Contact Page and give us a call or send a message through this enquiry form and we will get straight back to you.


You can never stop all attempted malicious activity on a website, but you can arm yourself to reduce the chances of someone causing damage to your site’s (and therefore your company’s) reputation.

Make sure that your site is fully up to date and has all known security vulnerabilities addressed with Magento’s published patches. There are several firewall solutions available for Magento, some of them free, that can recognise an attack, recognise when potentially harmful code is being submitted to your site and also inform you of when files have been changed on your store.

Don’t let your store become the victim.