Thousands of Magento Stores Infected by GuruIncSite Malware

Over the weekend, a large number of Magento sites were hit by a massive JavaScript injection hack referred to as the GuruInc malware. Allegedly, thousands of stores are already infected. The malware exploits a vulnerability in Magento or a third-party extension to inject a piece of JavaScript malware into the Magento database, which then infects any visitor to the site. Google has currently blacklisted more than 8,000 domains affected by the hack.

Online security company Sucuri Labs said the attack involves the injection of malicious scripts through iframes from the domain guruincsite.com. Both obfuscated and non-obfuscated versions of the infection have been reported.

The malicious code is usually added in the Footer - Miscellaneous Scripts section or in a CMS page of the Magento installation.

Sucuri is investigating the spread of Guruincsite and suspects "it was some vulnerability in Magento or one of the third-party extensions that allowed it to infect thousands of sites within a short time." However, the actual attack vector is yet to be discovered.

Researchers from Malwarebytes say guruincsite shares several similarities with a campaign using the Neutrino Exploit Kit. The "neitrino" cyberattack campaign uses the same attack on the server side that Sucuri noticed, but instead compromises domains client side via web exploits. Websites compromised through a Flash exploit are harvested for financial data and also become slaves to a botnet system.

Is my store infected?

Check the page source of your Magento home page and look for code similar to the below snippets. You can also scan your site for free using the following tools:

https://www.magereport.com
https://sitecheck.sucuri.net

These tools will detect the GuruInc exploit as well as other malware and known vulnerabilities.

Mitigation

To remove the guruincsite malware from an infected Magento site, you should follow these steps:

  1. Navigate to System > Configuration > Design > Footer > Miscellaneous HTML and remove the malicious code there. The hack can be identified by the presence of the code function LCWEHH(XHFER1)[...]. If you prefer to edit the database directly, look for the design/footer/absolute_footer entry of the core_config_data table.



  2. Navigate to CMS > Pages > Home > Content and delete the malicious code in the <script> tag (selected on the screenshot):



  3. Delete any unknown admin users from System > Permissions > Users.
  4. Finally, make sure that you are running the latest version of Magento and that all security patches have been applied.

As a hacker may have gained access to your database credentials, we also recommend that you change the database user and password as well as the password of all Magento admin users.

When you have completed the above steps, please re-run a vulnerability check to confirm your site is clean.
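The check from steps 1 and 2 can also be scripted against the database. The following is an added example, not code from the original post or from Magento: it scans the design/footer/absolute_footer entry of core_config_data and the content of cms_page for the guruincsite.com domain, the LCWEHH function name and any script or iframe tag. The SQLite database, the reduced table columns, the sample rows and the function names are assumptions made so the example runs offline.

```python
import re
import sqlite3

# Indicators taken from the article; generic tags are flagged for manual review.
INDICATORS = {
    "guruincsite-domain": re.compile(r"guruincsite\.com", re.I),
    "LCWEHH-function": re.compile(r"function\s+LCWEHH\s*\(", re.I),
    "script-or-iframe-tag": re.compile(r"<\s*(script|iframe)\b", re.I),
}

# (table, query) pairs for the storage locations named in steps 1 and 2.
QUERIES = [
    ("core_config_data",
     "SELECT path, value FROM core_config_data "
     "WHERE path = 'design/footer/absolute_footer'"),
    ("cms_page", "SELECT identifier, content FROM cms_page ORDER BY identifier"),
]

def scan_value(text):
    """Return the sorted names of the indicators found in one stored value."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(text or ""))

def audit(conn):
    """Return (table, key, indicators) for every row that matches something."""
    findings = []
    for table, sql in QUERIES:
        for key, value in conn.execute(sql):
            hits = scan_value(value)
            if hits:
                findings.append((table, key, hits))
    return findings

def sample_db():
    """Constructed sample rows in SQLite; a real store keeps them in MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE core_config_data (path TEXT, value TEXT);"
        "CREATE TABLE cms_page (identifier TEXT, content TEXT);")
    conn.executemany("INSERT INTO core_config_data VALUES (?, ?)", [
        ("design/footer/absolute_footer",
         "<script>function LCWEHH(XHFER1){}</script>"),
        ("design/footer/copyright", "&copy; Example Store")])
    conn.executemany("INSERT INTO cms_page VALUES (?, ?)", [
        ("about-us", "<p>About our shop</p>"),
        ("home", "<p>Hi</p><iframe src='//guruincsite.com/x'></iframe>")])
    return conn

if __name__ == "__main__":
    for finding in audit(sample_db()):
        print(finding)
```

A script or iframe tag on its own is not proof of infection, since stores often place legitimate tracking code in these fields; treat that indicator as a prompt to review the stored value by hand.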

Re-submission to Google

If Google has blacklisted your site, make sure to log into Google Webmaster Tools and from the Security tab confirm that the malware has been removed from the site. The warning should disappear after a couple of hours.

Improved Connectivity in the European Region with a New UK Data Center Location

New UK Data Center

Today we are thrilled to announce that we have added a new data center location in the UK to our rapidly expanding hosting infrastructure, aimed to strengthen our presence in the European region. The availability of a server location in the EU has been one of the most sought after requests for a long time and now we are finally able to meet this demand.

E-commerce owners who are targeting the European market now have the opportunity to host their website in much closer proximity to their website visitors, resulting in faster page loads and better SEO value. We have chosen to partner with RapidSwitch in order to build a state-of-the-art hosting experience grounded in the heart of the United Kingdom. RapidSwitch operates a total of 7 data centers throughout the UK, backed by premium Tier-1 network carriers ensuring excellent connectivity across all of Europe and Scandinavia.

Starting from today, customers can choose whether to deploy their web site on a server in the United States or the United Kingdom (EU) simply by making a selection on the order form. All our dedicated and shared hosting plans are available from both data centers with only some minor differences in server specifications and availability.

Choose Data Center

A Walkthrough of the New Customer Portal

Along with the new look and feel of our main website, we have also upgraded the client area with a completely new design and several added features aimed to improve the user experience and workflow when managing your account. In this blog post I would like to go through the major changes to help you get familiar with the new interface.

Dashboard

The most important information regarding your account is right at your fingertips with the new Client Area Dashboard. In the top-right section you will find important alerts or pending tasks that need action, such as an unpaid invoice or expired credit card. Just click on the item to navigate to the respective area.



Service Details

This section shows a summary of all your services divided into product categories. By clicking on the box you will be taken to the detailed service listing page.




Account Status

The account status section shows a snapshot of your account balance and due invoices. If you have a credit on your account, it will show as a positive balance. The Pay Now button will conveniently take you to the mass payment page where you can complete payment in one single transaction.



Support Status

This section shows the support tickets currently being worked on as well as the number of resolved tickets in your account. The “Avg. Response” and “Ticket Queue” statuses show in real time the current workload of our support team and how long you can expect to wait before you get a reply. The average ticket response time is based on data from the last 72 hours.



Affiliates Dashboard

If you have activated your affiliate account you can easily monitor your earnings and how well you are doing from our Affiliate Dashboard. Keep track of the number of referred visitors and your signup conversion rate. If you have not yet joined our affiliate program, do it today! It is completely free and a great way to get paid by referring your friends and business partners to ProperHost.

My Services

From the My Services section you will find a complete listing of all your products and services with us. You can click on the Manage button to view the details of a particular service/product.

Billing

Manage Credit Card (recurring billing)

Your credit card can be stored on file to enable automatic recurring billing, thus eliminating the need to manually pay each invoice. You can set the default payment method (credit card or PayPal) by going to Edit Account Details -> Payment Settings. The funding source can also be specified per invoice/service.


Prepayment / Add Funds

To simplify payments and support more flexible billing we have added an option to add funds as account credits by prepaying a specified amount. The funds will be deposited to your account balance as credits and can be used to pay for products and services. This alleviates the need to manually submit payment for each invoice and helps to ensure you don’t miss any payments by accident. Pre-deposited funds can only be used towards current and future invoices, and cannot be withdrawn.


Support Ticket View

The support ticket section has been redesigned for better navigation and look and feel. We have also fixed the bugs that were present in the old client area, such as the inability to view certain types of attachments.

Ordering Screen

We have streamlined the complete order process to reduce the number of steps and clicks needed, making it much easier to order additional services.

Known Issues

Although the new client area has been extensively tested and we are not aware of any major issues at this point, there are still a few minor issues that remain.

  1. Mobile support. The client area is not 100% mobile-friendly yet and certain pages might not look good on a tablet or mobile device. This is something we are actively working on, and we hope to have a fully responsive, mobile-friendly version out soon!
  2. The “total price” for our new Cloud Servers is not updated correctly on the order form, and does not reflect the actual price. Please refer to the pricing on our website: https://www.properhost.com/magento/cloud
  3. SSL certificates are showing a price “per month” on the order form. The price is correct, but the billing cycle is yearly.

If you spot any other issues or bugs, or have any general comments, suggestions or ideas we appreciate your feedback!

Sindre Moe
Director of Operations
ProperHost.com

New ProperHost Website Launched

After several months of hard work, we are excited to finally present the brand new ProperHost website and client area! The new website has been designed from the ground up with usability in mind, offering simplified navigation and a unified appearance across different devices and screen sizes.

Mobile-Friendly

More and more people are using their mobile phone or tablet to browse the web, and as such it is increasingly important to offer a good user experience across different screen sizes and devices. Even Google has introduced mobile usability as a key ranking factor into their search engine algorithm. Like many other websites today, we adopted the principles of responsive web design and a mobile-first approach when we created our new website. For the technically minded, the site is built using the Foundation CSS framework and HTML5 + jQuery. Take the Mobile-Friendly Test and see how it looks!

ProperHost responsive website


New Features

In addition to a new design, we are also unveiling several new features and improvements at the same time.

Live Chat


We are re-introducing live chat! Some of you may recall we used to offer live chat support, but it was removed some time ago due to several issues, such as sessions being disconnected or operators unable to accept incoming chat requests. We have been searching for a good replacement and are happy to announce that starting from today we will begin offering Live Chat again - powered by Zopim. The chat is embedded in the lower right corner of every page in an unobtrusive manner. Just start typing and you will be connected to one of our agents. The live chat service is provided as a supplement to our ticket system, and we kindly encourage existing clients to still open a support ticket for advanced technical matters.

Cloud Servers for Magento



It has been a long time coming, but we are pleased to finally be able to offer true high-availability, scalable cloud hosting for Magento! This enables exciting new opportunities for users to create virtual dedicated servers with built-in failover, redundancy and scalability. More information will follow shortly. In the meantime, check out the plans here.

New Dedicated Server Offers

We have just revamped our dedicated server deals with upgraded hardware and reduced pricing. We now offer highly competitive, state-of-the-art dedicated server hosting for Magento.

New Client Area and Support Portal

We have been working hard to create a better and more user-friendly client area portal for our customers. The client area has a brand new design and several new features making it easier for clients to manage their account and services. The new client area has a new, simplified navigation and it is now easier to find the information you need and get in touch with support when needed. The order process has also been streamlined and updated to accommodate the new product lines. We have several other exciting features planned for the near future. Check it out by logging in here.

Customer Testimonials

A new section has been added where we highlight some of our customers that are using ProperHost to power their online business. Check out the customer showcases on our front page. If you run a successful Magento store or other website and would like to be featured in our showcase section, send an email to support[AT]properhost.net.

Important Security Update: Magento Community Edition 1.9.1.1 Released

Magento just released a new version incorporating an important security update:

Magento Community Edition 1.9.1.1 corrects a remote code execution vulnerability that makes it possible for unauthorized persons to gain access to your store. In February of this year, we released patch SUPEE-5344 to correct the problem. That patch is incorporated into this release.
We recommend that everyone who hasn't applied patch SUPEE-5344 upgrade immediately to secure their installation. As always, feel free to contact our support if you want to purchase our professional Magento upgrade service.