There is a possible new Magento security issue that has been impacting a number of Magento-based sites. The sites in question are being blacklisted by Google as a result of malicious code that is being injected into the Magento database and ends up being displayed and executed in visitors' browsers from the footer of the infected site.
This exploit is known as the “guruincsite[.]com” exploit, named after the domain that the injected code pointed to.
To check if you’ve been exploited, look for the injected code. You can see this in the Admin Panel under:
CMS -> Pages -> Home -> Content
You can also check within the database directly, in the ‘content’ column of the ‘cms_page’ table.
Additional code has also been seen in the Magento admin under: System -> Configuration -> Design -> Footer -> Miscellaneous HTML
You can also see this directly in the database in the ‘core_config_data’ table, in the row whose ‘path’ is ‘design/footer/absolute_footer’.
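The two database locations above are the ones worth checking first, and a store with many CMS pages is easier to sweep with a script than by hand. The following is an added example, not code from the original post or from Nexcess: it takes rows already fetched from ‘cms_page’ and ‘core_config_data’ (constructed sample rows are embedded so it runs offline; the SQL strings show what you would run to fetch the real rows) and reports any external script host that is either the known domain or not on your own allow list, plus inline scripts that use common obfuscation primitives. The column names follow the Magento 1.x schema as I recall it and the allow list is an assumption; verify both against your own installation.

```python
"""Scan Magento 1 CMS page content and the absolute footer for injected scripts.

Added example, not from the original post. Runs on rows already pulled from
the database; constructed sample rows are embedded below.
"""
import re

# Queries for the two locations the advisory names. Column names follow the
# Magento 1.x schema (assumption: verify against your own database).
CMS_PAGE_SQL = "SELECT page_id, identifier, content, update_time FROM cms_page"
FOOTER_SQL = (
    "SELECT config_id, scope, scope_id, path, value, updated_at "
    "FROM core_config_data WHERE path = 'design/footer/absolute_footer'"
)

# Known-bad host from the advisory. Any other external script host is also
# reported unless allow-listed, so a renamed domain does not slip through.
KNOWN_BAD_HOSTS = {"guruincsite.com"}

# Hosts you legitimately load scripts from (assumption: fill in your own).
ALLOWED_HOSTS = {"ajax.googleapis.com"}

SCRIPT_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)",
    re.IGNORECASE,
)
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>",
                           re.IGNORECASE | re.DOTALL)


def external_script_hosts(html):
    """Return the set of hostnames referenced by <script src=...> tags."""
    return {m.group(1).lower() for m in SCRIPT_SRC.finditer(html or "")}


def suspicious_hosts(html):
    """Hosts that are on the known-bad list or missing from the allow list."""
    return {h for h in external_script_hosts(html)
            if h in KNOWN_BAD_HOSTS or h not in ALLOWED_HOSTS}


def has_obfuscated_inline_script(html):
    """Flag inline scripts that use the usual obfuscation primitives."""
    markers = ("eval(", "unescape(", "fromCharCode", "document.write(")
    for m in INLINE_SCRIPT.finditer(html or ""):
        if any(k in m.group(1) for k in markers):
            return True
    return False


def scan_rows(rows):
    """rows: iterable of dicts with 'label' and 'html'. Returns the findings."""
    findings = []
    for row in rows:
        hosts = suspicious_hosts(row["html"])
        obf = has_obfuscated_inline_script(row["html"])
        if hosts or obf:
            findings.append({"label": row["label"], "hosts": sorted(hosts),
                             "obfuscated_inline": obf})
    return findings


# Constructed sample rows standing in for the query results above.
SAMPLE_ROWS = [
    {"label": "cms_page:home",
     "html": '<h1>Welcome</h1><script src="//ajax.googleapis.com/ajax/libs/'
             'jquery/1.11.0/jquery.min.js"></script>'},
    {"label": "cms_page:about",
     "html": '<p>About us</p><script type="text/javascript" '
             'src="//guruincsite.com/constructed-sample.js"></script>'},
    {"label": "core_config_data:design/footer/absolute_footer",
     "html": "<script>eval(unescape('%64%6f%63'));</script>"},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

A clean store should produce no findings at all for these two locations unless you have deliberately placed a script there, so anything reported is worth reading in full rather than dismissing on the host name alone; the allow list only keeps known CDNs out of the report, it does not vouch for the script body.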
At this point, we do not believe this is a new exploit. Instead, we believe it is either a remnant of existing exploits that have occurred in the past (including Shoplift) or another attack vector directed toward sites that have yet to apply patches for existing Magento vulnerabilities. While we haven’t found any evidence of mass infiltration as reported during the Shoplift exploit, this is still a serious concern. As with previous security issues, we ask that you follow proper PCI DSS requirements, including the following, to ensure your site is protected:
- Confirm your Magento version is up to date and has all necessary patches applied.
- Perform regular audits on your admin users.
- Use strong passwords. They should be at least 12 characters in length and contain both alphabetic and numeric characters, per PCI DSS requirements 8.5.10 and 8.5.11. We have a strong password generator, located at: www.nexcess.net/resources/
- Do not reuse passwords.
- Secure your Magento downloader URL. This does not need to be open to the world.
- Change your password every 90 days per Payment Card Industry Data Security Standard (PCI DSS) requirement 8.5.9
- Use two-factor authentication for your Magento admin panel, if possible, per PCI DSS requirement 8.3
- Create separate logins for everyone who accesses your Magento admin panel. Do not share a generic admin account, per PCI DSS requirement 8.5.1
- Disable or delete accounts that are not used, such as when an employee leaves or a temporary admin account is created, per PCI DSS requirements 8.5.4 and 8.5.5
- Make sure all the computers you use to access and manage your business are secure. If your personal computer is compromised, this can allow someone access to all of your email as well as the information you send through your browser
- Perform a code review whenever code or modules are modified or installed on your site, per PCI DSS requirement 6.3.2.
- Use version control for all of your code. If files are being changed or added to your site outside of version control, it is much easier to detect.
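Several items in the list above (auditing admin users, rotating passwords every 90 days, one login per person, disabling unused accounts) can be checked from the admin user table in one pass. The following is an added example, not code from the original post or from Nexcess: it takes rows already fetched from Magento 1's ‘admin_user’ table (constructed sample rows are embedded so it runs offline) and reports accounts that are disabled but still present, carry a generic shared name, have never logged in or not logged in for 90 days, or have not been saved in 90 days. Column names (username, is_active, created, modified, logdate) follow the Magento 1.x schema as I recall it, the 90-day inactivity threshold and the generic-name list are assumptions, and ‘modified’ is the last save of the record rather than a password-change timestamp, so it only proves a password is at least that old.

```python
"""Audit Magento 1 admin_user rows against the checklist in the advisory.

Added example, not from the original post. Runs on rows already pulled from
the database; constructed sample rows are embedded below.
"""
from datetime import datetime, timedelta

# Column names per the Magento 1.x schema (assumption: verify against your DB).
ADMIN_USER_SQL = ("SELECT user_id, username, email, is_active, created, "
                  "modified, logdate, lognum FROM admin_user")

PASSWORD_MAX_AGE = timedelta(days=90)     # PCI DSS 8.5.9
INACTIVE_LOGIN_AGE = timedelta(days=90)   # assumption: inactivity threshold
# Usernames that suggest a shared rather than personal login (constructed list).
GENERIC_NAMES = {"admin", "administrator", "root", "test", "magento"}


def audit_admin_users(rows, now):
    """Return [(username, [issue, ...])] for every row with at least one issue."""
    findings = []
    for r in rows:
        issues = []
        if not r["is_active"]:
            issues.append("disabled account still present; delete if no longer needed (8.5.4)")
        if r["username"].lower() in GENERIC_NAMES:
            issues.append("generic or shared username; one login per person (8.5.1)")
        if r["logdate"] is None:
            if now - r["created"] > INACTIVE_LOGIN_AGE:
                issues.append("never logged in since creation (8.5.5)")
        elif now - r["logdate"] > INACTIVE_LOGIN_AGE:
            issues.append("no login in %d days (8.5.5)" % INACTIVE_LOGIN_AGE.days)
        # 'modified' is the last save of the record, so the password is at
        # least this old; a row untouched for 90 days has certainly overrun 8.5.9.
        if now - r["modified"] > PASSWORD_MAX_AGE:
            issues.append("record unchanged for 90+ days, password overdue (8.5.9)")
        if issues:
            findings.append((r["username"], issues))
    return findings


# Constructed sample rows and reference time standing in for a live query.
NOW = datetime(2015, 10, 20)
SAMPLE_ROWS = [
    {"user_id": 1, "username": "admin", "is_active": 1,
     "created": datetime(2014, 1, 5), "modified": datetime(2015, 10, 1),
     "logdate": datetime(2015, 10, 19), "lognum": 412},
    {"user_id": 2, "username": "jsmith", "is_active": 1,
     "created": datetime(2015, 3, 1), "modified": datetime(2015, 3, 1),
     "logdate": datetime(2015, 3, 2), "lognum": 3},
    {"user_id": 3, "username": "contractor_tmp", "is_active": 0,
     "created": datetime(2015, 6, 1), "modified": datetime(2015, 9, 30),
     "logdate": None, "lognum": 0},
    {"user_id": 4, "username": "mlee", "is_active": 1,
     "created": datetime(2015, 9, 1), "modified": datetime(2015, 10, 15),
     "logdate": datetime(2015, 10, 18), "lognum": 50},
]

if __name__ == "__main__":
    for username, issues in audit_admin_users(SAMPLE_ROWS, NOW):
        print(username)
        for issue in issues:
            print("  -", issue)
```

Run it against a fresh export on the same schedule as your other audits and keep the output with your change records; an admin account that appears in the report but not in your onboarding or offboarding paperwork is exactly the kind of remnant the advisory describes.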