New JavaScript Malware Issue

November 16, 2015

Magento Commerce has received reports of a JavaScript malware exploit that forwards credit card information from checkout pages to an external site. Attacks are likely using Admin or database access to implement the exploit. No new attack vector has been identified and it appears most impacted sites have not implemented the February 2015 Shoplift patch, or the patch was implemented after they were compromised. Attackers can also gain Admin access due to weak passwords, phishing, and other unpatched vulnerabilities.

It is clear that unpatched Magento shops are being targeted through the original Shoplift path that we identified and patched in February. The latest issue serves as a stark reminder that Magento merchants should follow security best practices and implement ALL security patches in a timely manner. Sites that did not implement patches immediately after release should carefully review files, configurations, and backend accounts, as they could have been compromised prior to patch installation.

How To Determine If Your Site Is Affected:
Merchants can determine if they have been affected by this malware issue by:

  • Opening the main page and lookinging at the page source. Search for the following strings. If any of them is found, the site is compromised.

    • eval(atob(

    • the case of those strings can be different (e.g regexp, RegExp, etc.)

  • Even if you don’t find any of these strings, it is recommended that you review the Admin configuration, including Admin accounts, follow best practices, and apply all patches.

To Remove Malicious Code:

  • Scan your site with a tool like

  • Apply all patches

  • Check for any unknown files in the system

  • Review and remove all unknown admin accounts

  • Change all remaining admin passwords to strong ones (e.g., they should be long, and include symbols, upper and lower case letters, and numbers)

  • Follow best practices outlined in the Magento User Guide 

  • Review the following sections in the Admin configuration for suspicious code. Remove any suspicious code found.

    • Configuration->General->Design->HTML Head->Miscellaneous Scripts

    • Configuration->General->Design->Footer->Miscellaneous HTML

Additional Things to Check:

  • Check for existence of the following files on the server. Review server log files for incoming connections to the following URLs. If found, the site is fully compromised and needs a developer to fix it. Those files are used to collect or transfer stolen card numbers:

    • /downloader/Maged/Maged.php

    • /downloader/cache.php

    • /jquery.php

    • /

    • /css.php

    • /opp.php

    • /xrc.php

    • /order.php

    • /jquerys.php

    • /var/extendware/system/licenses/encoder/mage_ajax.php

    • Note: we have also noticed /js/index.php, a native Magento file, being used to collect stolen information. Make sure to review this file and compare with original.

Make Sure You Have Implemented All Security Patches

If you haven’t already deployed the Shoplift patch, do so immediately. Patches are available on the Community Edition Download Page and in MyAccount. If you find evidence in server logs or otherwise that credit card information may have been sent externally from your site, you may wish to consider notifying your customers during the exposed period and also your merchant account provider depending on your incident response plan. If you don’t have one, we suggest you review the following sample plan to start your own.