October 19, 2015
We are actively investigating reports of Magento sites being targeted by Guruincsite malware (Neutrino exploit kit) and are working with our developers in coordination with Magento hosting partners and community members. We have NOT identified a new attack vector at this time but rather have found that all sites that we have checked show as vulnerable to a previously identified code execution issue for which we released a patch in early 2015; sites not vulnerable to that issue show other unpatched issues. For example, the malware can also take advantage of situations where an administrative account has been compromised through weak passwords, phishing, or any other unpatched vulnerability that allows for administrative access, so it is important to check for fake user accounts or for leftover demo accounts.
Magento merchants are advised to follow best practices to ensure the security of their sites as well as take the steps outlined below. Even if a site has deployed previous patches, merchants should check it for Guruincsite. If the site was compromised prior to patching, through the insertion of fake admin accounts, for example, the patch would not remove such accounts and the site would still be vulnerable to malware.
Magento merchants are advised to follow best practices to ensure the security of their sites as well as:
Check their sites at HTTP://MAGEREPORT.COM for Guruincsite and other malware, and for security vulnerabilities in their files that could be used in future attacks. This is a very useful Magento community project that is not affiliated with Magento.
Search for and remove any malicious scripts that have been injected into their pages (you can then submit an unblock request to Google using Google Webmaster). Instructions from Magereport on finding and fixing these scripts can be found here.
Please review all admin users in your system, including accounts with the username “admin” that could be left over from sample data installations. Remove any accounts which you are not actively using.
Implement all available patches ASAP to close any exploitable vulnerability. Please visit the Magento Security Center for a list of patches.
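The admin-account review in the steps above can be partly automated. The following is an added example, not Magento's own tooling: it assumes the admin users have been exported to CSV with the column names of the Magento 1 `admin_user` table, and the accounts, dates and expected-admin list are constructed sample values.

```python
import csv
import io
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export. Column names are an assumption based on the
# Magento 1 admin_user table; every account and date below is made up.
SAMPLE_EXPORT = """username,email,created,logdate,is_active
jsmith,jsmith@shop.example,2014-03-02 09:15:00,2015-10-16 08:01:22,1
admin,owner@shop.example,2013-11-20 12:00:00,,1
support_mg,helpdesk@mail.example,2015-10-12 03:41:07,2015-10-12 03:42:10,1
old_dev,dev@agency.example,2014-01-10 10:00:00,2014-06-30 17:45:00,0
"""
SAMPLE_KNOWN = {"jsmith", "admin"}            # admins the merchant expects
SAMPLE_PATCHED_ON = datetime(2015, 10, 14)    # constructed patch-install date
SAMPLE_STALE_BEFORE = datetime(2015, 7, 1)    # constructed "actively used" cutoff


def review_admins(export_text, known_users, patched_on, stale_before):
    """Return {username: [reasons]} for active accounts needing manual review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["is_active"] != "1":
            continue  # disabled accounts cannot log in
        name = row["username"]
        created = datetime.strptime(row["created"], FMT)
        last_login = datetime.strptime(row["logdate"], FMT) if row["logdate"] else None
        reasons = []
        if name.lower() == "admin":
            reasons.append("default 'admin' username, possibly left over from sample data")
        if name not in known_users:
            reasons.append("not on the list of expected admins")
            if created < patched_on:
                reasons.append("created before patching, so the patch did not remove it")
        if last_login is None:
            reasons.append("never logged in")
        elif last_login < stale_before:
            reasons.append("no login since the activity cutoff")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for user, why in review_admins(SAMPLE_EXPORT, SAMPLE_KNOWN,
                                   SAMPLE_PATCHED_ON, SAMPLE_STALE_BEFORE).items():
        print(user, "->", "; ".join(why))
```

The output is a review list, not a verdict: each flagged account still needs a person to confirm whether it is in active use before it is removed.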
More information will be posted at https://magento.com/security as it becomes available.