How to Detect and Clean the Guruincite Magento Malware Infection

If you follow us on twitter you may have noticed us mention something about the recent Guruincite(.)com Magento malware infection that has hit several stores. A couple of our partners were infected by this virus. We thought we'd write up some stuff for you to learn how to detect and remove the malware in case you haven't done so yet.

How to detect Guruincsite Infection

The good thing is that detection of this is really easy. To see if your store is infected simply view he page source. All you have to do is right click on any page in the frontend of the store, go to View Page Source and scroll to the bottom.


Here's how to do this in Google Chrome:


Here's how it looks if you're infected versus not infected:

Infected: Not Infected:


How to Remove the Guruincsite infection

The most simple way to clean the infection is to follow these instructions. You don't need a developer:

  1. Log into your Magento admin backend.
  2. Go to System -> Configuration -> Design and scroll down to the Footer section and remove any code you see from the Miscellaneous HTML box, then hit save.
  3. As usual clear your Magento cache and any other caching you are using.
  4. Lastly, change all your Magento admin passwords.

How to Prevent Infection

  1. Ensure that your store is not currently infected by following the instructions above.
  2. Reset all admin passwords if they have not been reset in a while. Delete any admin accounts which you do not recognize and/or you do not need.
  3. Ensure all security patches are applied in the store up-to-date, especially the shoplift bug patch.

SUPEE-6788 will address several issues associated with the vulnerabilities, however much of the code is not reverse-compatible, so extra work may need to be done to make the extensions and customizations you have compatible with this security patch.

Until then you just have to keep checking your site to make sure the source does not resemble what we've described above

What the infection does

It's not 100% clear but the code decrypted and shown on Sucuri's site shows that it sends back all frontend input to the guruincite server. This could mean customer credit cards, passwords, and anything else sensitive. If your site was infected, it seems reasonable to assume that any new customer sensitive data since the infection has been compromised by the hacker.

Also, if you don't remove the malware quickly Google will start blocking you from search results and warning browsers about going to your website. Google has apparently already blocked over 7000 websites. That could mean bad things for your SEO score.

Rest assured however, if your site is trying to send data back to guruincsite(dot)com then it won't be able to since we have already contact the registrar and they suspended the domain's account.