How to fix the GuruIncsite infection

in Security Tags: MagentoMagereportSecurity

This article explains what the GuruIncsite infection is, what the consequences are and how to fix it.

What is the GuruIncsite infection?

Hackers have infected several thousand Magento sites with malicious code. This code creates an iframe to Two kinds of modifications have been spotted in the wild: obfuscated and non obfuscated. Sucuri (online security company) says:

“The malware is usually injected in the design/footer/absolute_footer entry of the core_config_data table, but we suggest scanning the whole database for code like “function LCWEHH(XHFER1){XHFER1=XHFER1” or the “guruincsite” domain name.”


What are the consequences?

The GuruIncsite infection infects all your websites’ visitors internet browsers via Flash malware. It appears that the goal of the malware is to collect financial data.

How did they get in?

Our preliminary analysis of hacked Magento sites suggests that hackers have abused the Shoplift bug and unpatched WordPress installations to gain access to the Magento database. Are you running a blog on WordPress next to your Magento? Check WordPress for malicious code!

How do I fix it?

Fixing this leak is not an easy task. If you don’t have a lot of knowledge of Magento’s security, we recommend you to hire an Magento developer or specialist who is experienced in Magento security. If you are a developer yourself, use these instructions:

The malware code is added to the footer through miscellaneous HTML in Magento admin. The code in the footer starts with:

(function(){function LCWEHH(XHFER1){XHFER1=XHFER1["\u0073\u0070\u006c\u0069\u0074"]

We recommend you scanning your database for this code AND for the ‘’ domain name. Examined cases showed the malicious code in the “design/footer/absolute_footer” entry of core_config_data (path column) but you may have been infected elsewhere as well.

Mitigate the malware

Navigate in the back-end of Magento to System > Configuration > Design > Footer > Miscellaneous HTML and delete all code written in the box next to ‘Miscellaneous HTML’. After this navigate to CMS > Pages > Home > Content and delete malicious code written between the <script></script> tags.

Once you’ve deleted all the malicious code, flush your Magento cache: Navigate to System > Configuration > Cache Management . Do you have a Hypernode? Flush everything using this command:

magerun cache:flush

Scan your shop with to check whether your shop is safe or not. Not safe? Repeat the steps above for other CMS pages.

Need help?

Magento is no easy open source CMS. Although we’re very skilled in hosting Magento shops, making them fast and keeping conversion high, we’re no Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don’t hesitate to contact one of these agencies.