Magento Security Exploit – Neutrino exploit kit/ GuruInc hack

UPDATE: Magento has delayed the release of the patch to early next week.

News is emerging of a large-scale attack on Magento sites: malicious scripts injected into store pages load iframes from the ‘guruincsite’ dot com domain. Google has blacklisted thousands of sites because of it, and Magento has posted an update on its site. The exploit was first discussed in a Sucuri blog post, which advised that:

“The malware is usually injected in the design/footer/absolute_footer entry of the core_config_data table, but we suggest scanning the whole database for code like “function LCWEHH(XHFER1){XHFER1=XHFER1” or the “guruincsite” domain name.”

The post also suggests updating core files and extensions and reviewing the site's users, as the vulnerability could have given the attackers access to your database, and with it the ability to create malicious admin users.
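As an added example (not code from the original post, from Sucuri or from Magento), the Python script below applies both of those checks offline to a mysqldump of the store database: it searches every INSERT row for the two indicators Sucuri quotes, reports the config path for hits in core_config_data, and lists the admin_user accounts so that unfamiliar ones can be reviewed. It assumes standard mysqldump formatting, the Magento 1 column order of core_config_data (config_id, scope, scope_id, path, value) when no column list is present, and a column list (mysqldump --complete-insert) for admin_user; the embedded dump is a constructed sample, not a real capture.

```python
import re
import sys

# Strings the Sucuri advisory says to search the whole database for.
INDICATORS = (
    "function LCWEHH(XHFER1){XHFER1=XHFER1",
    "guruincsite",
)

# One mysqldump INSERT line, with or without an explicit column list.
INSERT_RE = re.compile(
    r"^INSERT INTO `(?P<table>[^`]+)`\s*(?:\((?P<cols>[^)]*)\)\s*)?"
    r"VALUES\s*(?P<values>.*);\s*$"
)

def split_rows(values):
    """Split a VALUES clause into rows of unescaped field strings, walking it
    character by character so commas, parentheses and semicolons inside the
    injected JavaScript (a quoted string) cannot break row boundaries."""
    rows, row, field = [], [], []
    in_tuple = in_str = False
    i = 0
    while i < len(values):
        c = values[i]
        if in_str:
            if c == "\\" and i + 1 < len(values):  # backslash escape
                field.append(values[i + 1])
                i += 2
                continue
            if c == "'":
                in_str = False
            else:
                field.append(c)
        elif not in_tuple:
            if c == "(":
                in_tuple, row, field = True, [], []
        elif c == "'":
            in_str = True
        elif c == ",":
            row.append("".join(field).strip())
            field = []
        elif c == ")":
            row.append("".join(field).strip())
            rows.append(row)
            in_tuple = False
        else:
            field.append(c)
        i += 1
    return rows

def iter_rows(dump_text):
    """Yield (table, column names or None, row) for every inserted row."""
    for line in dump_text.splitlines():
        m = INSERT_RE.match(line)
        if not m:
            continue
        cols = m.group("cols")
        cols = [c.strip().strip("`") for c in cols.split(",")] if cols else None
        for row in split_rows(m.group("values")):
            yield m.group("table"), cols, row

def find_indicators(dump_text):
    """Return one (table, location, indicator) per row containing an IoC.
    For core_config_data the location is the config path (assumed Magento 1
    column order when no column list is present); elsewhere it is the first
    column, normally the primary key."""
    hits = []
    for table, cols, row in iter_rows(dump_text):
        haystack = " ".join(row).lower()
        for ioc in INDICATORS:
            if ioc.lower() in haystack:
                if table == "core_config_data":
                    location = row[cols.index("path")] if cols else row[3]
                else:
                    location = row[0]
                hits.append((table, location, ioc))
                break
    return hits

def list_admin_users(dump_text):
    """Return (username, email, created) for every admin_user row so that
    accounts nobody recognises stand out. Needs a column list in the INSERT
    (mysqldump --complete-insert); rows without one are skipped."""
    users = []
    for table, cols, row in iter_rows(dump_text):
        if table == "admin_user" and cols:
            rec = dict(zip(cols, row))
            users.append((rec.get("username"), rec.get("email"), rec.get("created")))
    return users

# Constructed sample dump (not a real capture): one clean footer row, one
# injected absolute_footer row, and two admin accounts.
SAMPLE_DUMP = r"""
INSERT INTO `core_config_data` VALUES (1,'default',0,'web/unsecure/base_url','http://shop.example/'),(2,'default',0,'design/footer/absolute_footer','<script>function LCWEHH(XHFER1){XHFER1=XHFER1.replace(/\'/g,\'\');var d=\'guruincsite\';}</script>'),(3,'default',0,'design/footer/copyright','&copy; 2015 Example Shop');
INSERT INTO `admin_user` (`user_id`, `firstname`, `lastname`, `email`, `username`, `password`, `created`) VALUES (1,'Jane','Doe','jane@shop.example','jane','<hash>','2014-03-01 09:00:00'),(2,'x','x','nobody@example.org','sys_admin','<hash>','2015-10-18 02:13:44');
"""

if __name__ == "__main__":
    # Usage: python scan_dump.py shop.sql  (falls back to the sample dump)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for hit in find_indicators(text):
        print("INFECTED: table=%s location=%s indicator=%r" % hit)
    for user in list_admin_users(text):
        print("admin user: %s <%s> created %s" % user)
```

Run it against a fresh dump rather than the live site. A hit confirms the injection, and since the attackers had database access, the Sucuri advice to update core and extensions and to review every admin account still applies after the row is cleaned; no hit only means these two strings are absent, so the broader database review the advisory recommends is still worth doing.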

Another check can be done at which will scan your site for known Magento security vulnerabilities.

NOTE: Those who follow the Magento patching process should be safe, as the underlying vulnerability was patched in early 2015.

For more information about the exploit you can also check out the Malwarebytes blog.

We will update more as information becomes available.

Protection against this and against future, as yet unknown, vulnerabilities can come from a web application firewall such as Tenzing Security Shield, in addition to, not instead of, keeping up with Magento's patches.

Aisling McCaffrey

Demand Marketing Specialist at Thinkwrap
Aisling is our Demand Marketing Specialist at Thinkwrap, and loves working with both technology and humans. She studied International Business (concentrating in Marketing) and has spent several years living and working in China, mostly in Shanghai, where she became passionate about global innovation and how the use of social media changes in different cultures. Aisling likes to keep up on internet trends - from business to memes - and is always looking for new ways to learn or entertain herself.