Magento Guruincsite Infection
We are currently seeing an attack on Magento sites where hackers are injecting malicious scripts that create iframes from guruincsite dot com. Google has already blacklisted many sites due to this new malware.
Of the 22 pages tested on the site over the past 90 days, 11 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-10-19, and the last time suspicious content was found on this site was on 2015-10-17.
Malicious software is hosted on 1 domain(s), including guruincsite.com/.
Cleaning malware from your Magento site
There are two modifications to the Magento code. The first script is not obfuscated; the second is:
To clean the malware on the home page, edit the home page content under CMS >> Pages >> Home >> Content and delete the malicious code as shown below:
To clean the malware in the footer, edit the footer under System >> Configuration >> Design >> Footer >> Miscellaneous HTML in the admin panel and delete the malicious code.
Re-scanning the website, and finishing up
Once all malicious code has been removed, clear all Magento and system caches, then re-scan MySQL to make sure there are no more injections.
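One way to automate the database re-scan described above, as an added example that is not part of the original post. It assumes the default Magento 1 table names with no table prefix; the in-memory SQLite database and all of its rows are constructed stand-ins so the script runs offline, and `scan` accepts any DB-API connection to the real store database.

```python
import re
import sqlite3

# Default Magento 1 table names (no table prefix assumed). These back the two
# admin fields cleaned above: cms_page.content (CMS >> Pages >> Content) and
# core_config_data path design/footer/absolute_footer (Footer >> Miscellaneous HTML).
QUERIES = {
    "cms_page": "SELECT identifier, content FROM cms_page ORDER BY identifier",
    "cms_block": "SELECT identifier, content FROM cms_block ORDER BY identifier",
    "core_config_data": "SELECT path, value FROM core_config_data "
                        "WHERE path LIKE 'design/%' ORDER BY path",
}

# Tags the page says were injected (scripts creating iframes), the domain it names,
# and two generic hints of obfuscated JavaScript (an assumption, not from the page).
MARKERS = re.compile(r"<\s*(?:script|iframe)\b|guruincsite|eval\s*\(|fromCharCode", re.I)

def scan(conn):
    """Return [(table, row key, sorted markers)] for rows that need manual review."""
    findings = []
    cur = conn.cursor()
    for table, sql in QUERIES.items():
        cur.execute(sql)
        for key, text in cur.fetchall():
            hits = sorted({m.group(0).lower() for m in MARKERS.finditer(text or "")})
            if hits:
                findings.append((table, key, hits))
    return findings

def build_sample_db():
    """In-memory stand-in for the store database; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cms_page (identifier TEXT, content TEXT);
        CREATE TABLE cms_block (identifier TEXT, content TEXT);
        CREATE TABLE core_config_data (path TEXT, value TEXT);
    """)
    conn.executemany("INSERT INTO cms_page VALUES (?, ?)", [
        ("home", "<p>Welcome</p><script>/* constructed placeholder */</script>"),
        ("about-us", "<p>About</p>")])
    conn.execute("INSERT INTO cms_block VALUES ('footer_links', '<ul><li>Contact</li></ul>')")
    conn.executemany("INSERT INTO core_config_data VALUES (?, ?)", [
        ("design/footer/absolute_footer", '<iframe src="//guruincsite.com/"></iframe>'),
        ("design/footer/copyright", "&copy; 2015 Example Store")])
    return conn

if __name__ == "__main__":
    for finding in scan(build_sample_db()):
        print(finding)
```

Legitimate snippets such as analytics tags in the footer will also be flagged, so each finding should be reviewed by hand before anything is deleted.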
Re-submission to Google
After the malware has been removed, log into Google Webmaster Tools and let Google know that the site is now clean.
Preventing re-infection
Ensure you are running the latest Magento version; at the time of writing this is 1.9.2.1. If your site is not up to date or if you have not applied all of the security patches released over the past few months, your site may be vulnerable and the code is likely to return.
Simple Servers can clean your site if required; please raise a support ticket. A small fee of £65 will be chargeable.
We will update this post when we know more about the new attack vector.